[BreachExchange] Office 365 compromise likely led to Merseyrail ransomware attack

Destry Winant destry at riskbasedsecurity.com
Fri Apr 30 10:27:32 EDT 2021


https://www.computerweekly.com/news/252499929/Office-365-compromise-likely-led-to-Merseyrail-ransomware-attack

A Lockbit ransomware attack on train operating company Merseyrail appears
to have been the result of a successful compromise of a privileged
Microsoft Office 365 account, prompting fresh warnings over the risks of
spear-phishing and the importance of email security.

The Covid-hit transport operator confirmed the attack to Bleeping Computer,
which was among a number of specialist technology news outlets – alongside
national papers – contacted by the Lockbit operators during the attack, via
an email that came from the account of Andy Heath, Merseyrail’s managing
director since 2017.

“We can confirm that Merseyrail was recently subject to a cyber attack,”
a spokesperson for the company said. “A full investigation has been launched and is
continuing. In the meantime, we have notified the relevant authorities.”

According to Bleeping Computer, the ransomware operators included in the
email an image showing personal data on Merseyrail employees that the gang
claimed to have stolen.

Besides news outlets, the email was also sent to internal staff to frighten
them into putting pressure on their employer to pay, and as a means of
publicly shaming the organisation into doing so. This is a known variant of
the popular double extortion technique whereby stolen data is leaked, and
Comparitech’s Brian Higgins said such strategies were becoming more common.

“Criminals have caught on to the fact that if their successful breaches are
made public before their victims can implement any incident response plans,
they have an extra layer of leverage to encourage payment more quickly,”
said Higgins.

“Whether it’s contacting potentially affected customers or staff, or
notifying the media, the added pressure to resolve the issue can often
force victim organisations to bypass security policies and pay up.

“It would appear that in this particular instance, Merseyrail are holding
their nerve and following industry standard protocols instead. It takes
corporate courage to back up your data, inform the relevant authorities and
keep hold of your cash. I hope Merseyrail come out of this successfully and
provide a case study of good practice for future cyber crime victims.”

“Criminals will target emails as part of phishing attacks to install
malware or attempt to take over email accounts so they can masquerade as
employees, or siphon off critical information,” said Malik. “Organisations
should ensure they have robust controls protecting their email, including
email gateways, spam filters, multi-factor authentication, and user
awareness and training.”

Armis European cyber risk officer Andy Norton said the nature of the attack
on a provider of critical national infrastructure would raise further
questions for Merseyrail, and may attract the attention of regulators
empowered to fine it over the breach.

“The Department for Transport has published guidance for rail operators to
implement cyber resilience and reference the International standard IEC
62443,” he said. “In addition, critical infrastructure is subject to the UK
transposition of the NIS regulation, which is best implemented by adoption
of the NCSC CAF 3.0.

“Either way, some pretty uncomfortable questions will be asked: What
measures did you undertake to ensure your risk assessment was adequate? How
do you validate that your defences are appropriate and proportionate? Both
are fundamental requirements for due diligent governance.”

Computer Weekly understands the Information Commissioner’s Office has been
made aware of the attack and is assessing its impact.