There is little doubt that continued effort at all levels across infrastructure and government is required to ensure the resilience required is in place
By Ben Lane, Events Manager, Torch Marketing
In 2021, cybersecurity authorities in the United States, Australia and the United Kingdom observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors.
Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.
Chuck Brooks, President, Brooks Consulting, comments: “2021 was a very trying year for cybersecurity in so many areas. There were high-profile breaches such as SolarWinds, Colonial Pipeline and dozens of others that had major economic and security-related impact. Ransomware came on with a vengeance targeting many small and medium businesses. Perhaps most worrisome was how critical infrastructure and supply chain security weaknesses were targeted and exploited by adversaries at higher rates than in the past.”
John Donlon QPM FSyI, Chairman of the International Association of Critical Infrastructure Protection Professionals (IACIPP) and Chair at Critical Infrastructure Protection & Resilience North America, being hosted in New Orleans on April 6-8, said, “Cybersecurity, especially in critical infrastructure and state government, is a huge issue right now. We can see this reflected in the media every day. Ransomware attacks are on the rise and it is hard to keep up with those who would seek to cause harm and disruption. There is little doubt that continued effort at all levels across infrastructure and government is required to ensure the resilience required is in place.”
Colonial Pipeline
The primary target of the attack was the company’s billing infrastructure; the oil pumping systems themselves were still able to operate. According to CNN sources in the company, the inability to bill customers was the reason for halting pipeline operations. Colonial Pipeline reported that it shut down the pipeline as a precaution, out of concern that the hackers might have obtained information allowing them to carry out further attacks on vulnerable parts of the pipeline.
The day after the attack, Colonial could not confirm when the pipeline would resume normal functions. The attackers also stole nearly 100 gigabytes of data and threatened to release it on the internet if the ransom was not paid. It was reported that within hours of the attack the company paid a ransom of nearly 75 Bitcoins ($5 million) to the hackers in exchange for a decryption tool, which proved so slow that the company’s own business continuity planning tools were more effective in restoring operational capacity.
In response to fuel shortages at Charlotte Douglas International Airport caused by the pipeline shutdown, American Airlines changed flight schedules temporarily. At least two flights (to Honolulu and London) had fuel stops or plane changes added to their schedules for a four-day period. The shortage also required Hartsfield–Jackson Atlanta International Airport to use other fuel suppliers, and there are at least five other airports directly serviced by the pipeline.
U.S. President Joe Biden declared a state of emergency on 9th May 2021. In normal times there are limits on the amount of petroleum products that can be transported by road, rail, etc., within the U.S. mainland; with the declaration in place, these were temporarily suspended.
Biden signed Executive Order 14028 on May 12th, which raised software security standards for sales to the government, tightened detection and security on existing systems, improved information sharing and training, established a Cyber Safety Review Board, and improved incident response. The United States Department of Justice also convened a cybersecurity task force to increase prosecutions.
SolarWinds
SolarWinds, a major US information technology firm, was the subject of a cyberattack that spread to its clients and went undetected for months, Reuters first reported in December 2020. Foreign hackers, who some top US officials believe were from Russia, were able to use the hack to spy on private companies such as the elite cybersecurity firm FireEye and the upper echelons of the US Government, including the Department of Homeland Security and Treasury Department.
In early 2020, hackers secretly broke into Texas-based SolarWinds’ systems and inserted malicious code into the company’s software. The product, called “Orion,” is widely used by companies to manage IT resources. SolarWinds has 33,000 customers that use Orion, according to SEC documents.
Most software providers regularly send out updates to their products, whether to fix a bug or add new features, and SolarWinds is no exception. Beginning as early as March 2020, SolarWinds unwittingly sent out software updates to its customers that included the malicious code.
The code created a backdoor into customers’ information technology systems, which the hackers then used to install further malware that helped them spy on companies and organizations.
SolarWinds told the US Securities and Exchange Commission (SEC) that up to 18,000 of its customers installed updates that left them vulnerable to hackers. Since SolarWinds has many high-profile clients, including Fortune 500 companies and multiple agencies in the US government, the breach could be massive. Microsoft president Brad Smith said in a congressional hearing that more than 80% of the victims targeted were nongovernment organizations.
US agencies — including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury — were attacked. So were private companies, such as Microsoft, Cisco, Intel, and Deloitte, and other organizations such as the California Department of State Hospitals, and Kent State University.
And since the hack was done so stealthily, and went undetected for months, security experts say that some victims may never know if they were hacked or not, the Wall Street Journal reported.
At the Treasury Department, hackers broke into dozens of email accounts and networks in the Departmental Offices of the Treasury, “home to the department’s highest-ranking officials,” Sen. Ron Wyden said. The IRS hasn’t found any evidence of being compromised, he added. Treasury Secretary Steven Mnuchin said on CNBC that the hackers have only accessed unclassified information, but the department is still investigating the extent of the breach.
Tom Bossert, President Trump’s former homeland security officer, said that it could be years before the networks are secure again. With access to government networks, hackers could, “destroy or alter data, and impersonate legitimate people,” Bossert wrote in the New York Times.
Not only is the breach one of the largest in recent memory, but it also comes as a wake-up call for federal cybersecurity efforts. The US Cyber Command, which receives billions of dollars in funding and is tasked with protecting American networks, was “blindsided” by the attack, the New York Times reported.
The attack may lead to a strengthened relationship between the US government and the cybersecurity industry, with the private sector helping federal officials fight off nation-state attacks and foreign bad actors in the future, as Insider reported.
New Orleans ransomware attack
In the early hours of a Friday in December 2019, the team monitoring the computer network handling governmental operations for New Orleans noticed something suspicious.
“At first, it didn’t seem like anything too worrying,” Kim Walker LaGrue, chief information officer for the City of New Orleans, told VOA. “It looked like a user with the wrong credentials was trying to access our data center, but that could have been one of our administrators doing some early morning work. We didn’t think it was anything malicious.”
That was at 5 a.m. Within a few hours, similar activity was affecting multiple users, and the service desk was called to investigate. From there, it didn’t take long for LaGrue’s team to figure out what was going on.
“We identified a ransomware attack was being launched against the city,” she said.
Ransomware is malicious software planted in a computer network to locate sensitive data. Once that data is found, the attackers threaten either to publish it or to block access to it until a ransom is paid.
And this type of attack was not unfamiliar to New Orleans’ City Hall. A month earlier, Louisiana — the state in which New Orleans is located — had been the target of another ransomware attack.
In fact, in 2019, 106 city and county governments were targets of ransomware attacks. And the problem seems to only be getting worse. Last year, the United States suffered more than 65,000 similar attacks. Recent high-profile ransomware hacks have targeted a U.S. oil pipeline and a major meat processing outfit.
“Am I surprised? Not at all,” explained Vince Gremillion, owner and founder of Restech Information Services, a cybersecurity firm based in the New Orleans area.
“Ransomware attacks can be extremely profitable for the attackers, and the victims are often ill-equipped to stop them. If I’m surprised by anything, it’s that this doesn’t happen even more often.”
John Donlon QPM FSyI, concluded, “As we appear to be entering an unstable period, with multiple threats looking to destabilise our economies, the strategic response to enhancing the protection and resilience of our infrastructure must involve more intense collaboration across the public and private sectors. The threat of cyberattacks is just too big an issue for either government or business to deal with on their own and this will be part of the discussion at the forthcoming Critical Infrastructure Protection & Resilience North America.”
About the Author
Ben Lane was Torch Marketing Event Manager for two International Expos: Critical Infrastructure Protection and Resilience North America https://www.cipre-expo.com/ and Critical Infrastructure Protection & Resilience Europe https://www.cipre-expo.com/