Ransomware attacks in Europe: The ‘wake-up calls’ of the week
Ransomware attacks that cause only financial damage seem almost like the good old days. Because it’s no longer just money, intellectual property, or privacy that’s at stake. The threats are physical, affecting health and safety.
In recent years attackers have increasingly focused on organizations devoted to critical infrastructure (CI) — energy, food, utilities, health, transportation, etc. The reason is obvious. If they can stop a CI provider from operating — and potentially put millions of people at risk — they figure they’re much more likely to score a quick payday that runs from tens of thousands into the millions.
So you might think that organizations, especially in the 16 CI sectors, would be focused on hardening their security to meet that increasing threat.
Based on the statistics, you would be wrong. The list of victims is long and getting ever longer — the FBI’s “Internet Crime Report 2021” documented 649 complaints of ransomware attacks against U.S. critical infrastructure operators, with the most aimed at healthcare, financial services, information technology, and critical manufacturing.
Of course, it isn’t just U.S. critical infrastructure that is a target. It’s a global problem.
In mid-August, the Clop ransomware group (also known as Cl0p) announced on its leak website that it had breached South Staffordshire Water in the UK, a private company that provides water to about 1.6 million customers.
As Vedere Labs reported a few days later, the attackers didn’t encrypt data. “They chose to use extortion techniques that are gaining popularity with cybercriminals: leak some of the exfiltrated data, publicly shame the victim and threaten further consequences if the ransom is not paid.”
Clop not only leaked a spreadsheet with staff email addresses, usernames, and passwords to show they were inside South Staffordshire Water, but it also posted a couple of screenshots indicating that they could manipulate the levels of chemicals in the water.
In this case there was likely no major harm done — Vedere noted that the company may have had compensating controls that wouldn’t accept tampered chemical values. But it said the leaked materials showed that “the attackers had access to both the IT [information technology] and parts of the OT [operational technology] network of South Staffordshire Water, which indicates the company may have had weak segmentation policies between the two. This is typical in ransomware incidents targeting critical infrastructure.”
Then there’s healthcare. The Centre Hospitalier Sud Francilien (CHSF), about 17 miles outside Paris, announced that on August 21 it had been hit by a ransomware attack that disrupted services and forced it to refer patients to other providers. The attack “makes the hospital’s business software, the storage systems (in particular medical imaging), and the information system relating to patient admissions inaccessible for the time being,” according to the translated announcement.
The attackers, allegedly an affiliate of the ransomware group LockBit 3.0, demanded a $10 million ransom. As of late last week, there was no report from CHSF about whether it had paid the ransom.
But Stephan Chenette, cofounder and CTO of AttackIQ, told the CyberWire that the attack “serves as the latest reminder that organizations simply don’t exercise their defenses enough, and healthcare organizations in particular should be evaluating their existing security controls to uncover gaps before an attacker finds them. We continue to see basic security protection failures resulting in data loss for companies both large and small.”
Indeed, what if the attackers had hit multiple targets and there were no “other providers” to which CHSF could refer its patients?
Hitting the snooze button?
Both Chenette and Vedere Labs said the attacks should serve as “wake-up calls” for operators of critical infrastructure to improve their security.
If only. These are just a couple of the latest of dozens of catastrophic cyberattacks — ransomware and others — in recent years that have been labeled wake-up calls. They include
- Stuxnet, which destroyed a significant portion of Iran’s nuclear facilities in 2010
- Industroyer, which brought down a portion of the energy grid in Ukraine in 2016
- The attack on the Office of Personnel Management, discovered in 2014, that compromised the personal and financial information of more than 22 million current and former federal employees
- The 2021 ransomware attack on Colonial Pipeline that led to the shutdown of nearly half the fuel supply — gasoline, diesel, jet fuel and heating oil — to the East Coast for almost a week
- The 2017 data breach of Equifax, one of the “big three” credit reporting agencies, that compromised crucial personal data of more than 147 million people
- The 2021 ransomware attack on JBS Foods, which disrupted the meat supply and sent prices soaring.
Yet after all those and more, as Chenette noted, too many CI operators are still guilty of “basic security protection failures.” It’s the digital equivalent of leaving the door, the files, and the safe unlocked.
Boris Cipot, senior security engineer with the Synopsys Software Integrity Group, said one reason for those failures is that people are in denial about their own vulnerabilities from insecure software. “Usually people do not learn from others,” he said. “So the wake-up call comes when the bad things happen to them. But then it’s already too late.”
His colleague, Michael Fabian, principal security consultant, agrees that “we are continually rehashing the same discussions and ‘wake-up calls’ over and over.”
The irony is that it doesn’t have to be this bad. There is plenty of good security advice available. The FBI’s report recommends several measures, including
- Update your operating system and software
- Implement user training and phishing exercises to raise awareness about the risks of suspicious links and attachments
- If you use Remote Desktop Protocol, secure and monitor it
- Make an offline backup of your data
And Vedere Labs recommends
- Identify all devices connected to the network: IT, OT and IoT will all be targeted by attackers
- Enforce security compliance for all connected devices in your network
- Segment IT and OT systems to mitigate risk
- Monitor network communications so when anomalous traffic flows are detected, response actions or more stringent controls can be enforced
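The Vedere Labs recommendations above (segment IT and OT, monitor communications for anomalous flows) and the weak IT/OT segmentation noted in the South Staffordshire Water write-up can be turned into a concrete, repeatable check. The following is an added example written for this article, not code from Vedere Labs, the FBI, or any of the organizations mentioned: it reads simplified flow records, classifies each endpoint into an IT zone, an OT zone, or external, and flags any traffic entering the OT zone that is not on an explicit allowlist of approved IT-to-OT conduits. The zone ranges, the allowlisted jump-host-to-historian conduit, its port number, and the flow records are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone boundaries, chosen for this example. In practice these come
# from the asset inventory built in the "identify all devices" step.
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("10.50.0.0/16")

# Allowlisted IT -> OT conduits as (source host, destination host, TCP port).
# Assumed for illustration: one hardened jump host may reach the historian on
# port 5450 and nothing else crosses the boundary.
ALLOWED_IT_TO_OT = {
    (ipaddress.ip_address("10.10.1.5"), ipaddress.ip_address("10.50.2.10"), 5450),
}


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    reason: str


def zone_of(addr):
    """Classify an address (string or ip_address) as IT, OT, or EXTERNAL."""
    addr = ipaddress.ip_address(addr)
    if addr in IT_ZONE:
        return "IT"
    if addr in OT_ZONE:
        return "OT"
    return "EXTERNAL"


def parse_flow(line):
    """Parse one constructed flow record: '<timestamp> <src> <dst> <dport> <proto>'."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"malformed flow record: {line!r}")
    ts, src, dst, dport, proto = parts
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.upper()


def check_flows(lines):
    """Return a Finding for every flow that enters the OT zone without approval."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = parse_flow(line)
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst_zone != "OT":
            continue  # only traffic entering OT is in scope for this check
        if src_zone == "OT":
            continue  # intra-OT traffic is governed by other rules
        if src_zone == "EXTERNAL":
            findings.append(Finding(ts, str(src), str(dst), dport,
                                    "direct external access to OT"))
        elif (src, dst, dport) not in ALLOWED_IT_TO_OT:
            findings.append(Finding(ts, str(src), str(dst), dport,
                                    "IT->OT flow outside allowlist"))
    return findings


# Constructed sample records, not captured from any real network.
SAMPLE_FLOWS = """
# timestamp            src          dst        dport proto
2022-08-15T02:14:07Z 10.10.1.5   10.50.2.10 5450 tcp
2022-08-15T02:14:09Z 10.10.7.33  10.50.2.10 3389 tcp
2022-08-15T02:15:12Z 10.50.3.4   10.50.2.10 502  tcp
2022-08-15T02:16:40Z 203.0.113.9 10.50.1.1  22   tcp
2022-08-15T02:17:01Z 10.10.7.33  10.10.9.9  445  tcp
""".strip().splitlines()

if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against the sample records, the check reports two findings: an IT workstation reaching an OT host over RDP (port 3389), which is exactly the kind of flow the FBI’s “secure and monitor Remote Desktop Protocol” advice targets, and an external address reaching an OT host directly. The approved jump-host conduit, the Modbus traffic that stays inside OT, and the IT-to-IT SMB flow are not flagged, so the output is an actionable list rather than noise. The design choice is deliberate: the allowlist is explicit and small, so any new IT-to-OT path has to be added on purpose, which is what enforced segmentation means in practice.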
Not everything on that list is always simple — especially keeping systems up-to-date. Patching or updating industrial control systems, which run much of critical infrastructure, is vastly more complicated than tapping an icon on your smartphone to install the latest update of an application.
Donald Davidson, director of cyber supply chain risks management programs at Synopsys, said after a CI attack several months ago that patching CI systems is “not as simple as patching software,” since addressing operational technology security means updating hardware. “We all keep legacy hardware too long,” he said, “so even though we find more vulnerabilities all the time, we’re slow to correct or mitigate them.”
Obviously that needs to change. And both Fabian and Cipot said it will likely take a heavier government hand than recommendations from federal agencies. It’s going to take mandates, and enforcement of those mandates.
“Official standards and requirements take a long time to get passed, though there are tons of references out there,” Fabian said. “I’m not sure what the tipping point will be for governments to really crack down on security with fines or other legal penalties.”
Cipot agrees. He said most CI operators already separate their IT and OT systems, “but still malware manages to enter.”
“Recommendations are a nice gesture that can help those who want to prevent bad things,” he said. However, mandates would help the ones who don’t even know that bad things can and will happen to them.