When Colonial Pipeline Company, an American energy system that provides nearly half of the East Coast’s fuel supply, reported early this month one of the largest disruptions of critical infrastructure by hackers in history, our CTO Thomas Whang was sorry to say he wasn’t that surprised.
“It’s easy to see why the United States is such a large target,” Thomas responded to me on Slack. “Key sectors are vulnerable, there’s more and more money in ransomware, and more people are capable of high-level attacks.”
I prepared some questions and asked Thomas to join me on a Zoom call to delve deeper into the nexus between industry vulnerability and ransomware sophistication and what companies need to be doing to ward off ransomware attacks and minimize risk.
First, why weren’t you surprised that a major pipeline was successfully attacked for ransom?
I wasn’t surprised because critical infrastructure has been known to be very vulnerable. In a traditional enterprise IT environment, technology is anywhere from one to five or 10 years old at most. In a critical infrastructure or OT environment, those technologies tend to be 10 to 20 years old and therefore more vulnerable right off the bat. Because of their age, the operating systems that run these environments often are no longer supported — they’re not getting security updates or the vendor no longer exists so there are no patches available and no way to upgrade, so you have fewer options to secure those environments.
I wasn’t surprised because critical infrastructure has been known to be very vulnerable.
And because of operational down time required, they’re a lot more expensive to overhaul than a traditional IT solution. So the can ends up getting kicked down the road, and as that can continues to get kicked, the price tag keeps going up. There’s a fine line between providing services and maintaining the efficacy and security of the environment.
Industries like energy and healthcare are reported to be particular targets of ransomware attacks because of the exigent need to resume operations. Do you agree, and should we expect to see more of this?
This gets to a concept I’ve talked about — the collision between the physical world and cyber world. When you have that collision, there’s going to be urgency in some way, shape or form. In the case of the pipeline, its immediate impact was on people’s ability to get where they need to go because of fuel supply. In the healthcare space, people’s lives and livelihoods are at stake.
We’re absolutely going to see more of this — we already are.
And we’re absolutely going to see more of this — we already are. Just this week, the world’s largest meat supplier was the victim of a massive cyber attack that shut down some of its operations in the U.S. and Australia. A week after Colonial Pipeline, we saw the health care system in Ireland get attacked. The FBI just put out a warning about Conti ransomware attacks targeting U.S. healthcare and first-responder networks. And CNA Financial Corp. paid $40 million in March to unlock its networks — so add insurance to this list.
The goldmine is to attack a company with ransomware so effectively that they’re going to pay a high ransom — and that’s just to restore systems and data. And if the data has been exfiltrated, it can be sold or used to target other companies. So these threat actors get $40 million from the top guy, plus all the windfall below, which is exactly why insurance companies will be targeted.
Some industry observers contend that to mitigate vulnerabilities in critical infrastructure, these companies should be completely closed off from the internet. Are they right?
Obviously, the most ideal situation is an OT environment that’s “air gapped” — meaning it’s isolated. But in the world we live in now, nothing can be fully isolated. So you have to find that middle ground that allows you to have as close to an air gap as possible but be able to maintain the security of the environment without exposing it.
Reports are that the Colonial Pipeline attack appears to have been conducted by a criminal group based in Eastern Europe called DarkSide. Could a less sophisticated actor have been as successful?
Yes, and here’s why. DarkSide is not the actual attacker. CrowdStrike labels DarkSide a ransomware service created by a highly skilled criminal group called Carbon Spider to target “big game” industries like energy and healthcare. They vet the victims to see how likely they’ll pay and how much they’ll pay. It’s ransomware used as a service. Depending on how much ransomware that’s used, DarkSide gets a 20 to 40 percent cut — a Mafia model translated to cyber. It’s lucrative because the barrier to entry is so low that any individual can run ransomware attacks as large as this. There’s no product to develop and no need to negotiate — it’s all done as a service.
It’s lucrative because the barrier to entry is so low that any individual can run ransomware attacks as large as this. There’s no product to develop and no need to negotiate — it’s all done as a service.
What is the fix? Industry experts suggest it’s a combination of public (regulations) and private intervention. What are your thoughts, and what might this look like?
There is no one silver bullet that will fix this problem. We’ve got regulatory. We’ve got law enforcement. And we’ve got the private sector, which all need to be working together. There have to be cross-border relationships among law enforcement that help hold threat actors accountable. As long as there’s no accountability, this will continue to happen. The Institute for Security and Technology’s Ransomware Task Force just recently presented a report to the Biden administration that’s designed to serve as a framework for addressing ransomware.
What can companies do in the near term to reduce their risk?
It’s all about doing the basic things first — and by the basics, I mean:
- Security awareness training
- Proper email security technologies to ward off phishing
- Next-generation antivirus technologies that are geared toward understanding the tactics and techniques that threat actors use so that they can prevent these as much as possible
- Next-generation EDR technology: Organizations must have a solid detection and response system in place for anything that can’t be prevented — not just from a technology perspective, but also people and processes. Neither alone can solve this issue.
At the end of the day, what threat actors are doing is not anything terribly sophisticated — in most cases, using tactics and techniques that target companies’ weaknesses, which are by and large similar. No matter how much we do to create a community to share intelligence back and forth, the onus still falls on individual organizations to secure their environments by putting best practices in place to minimize vulnerability.