For years, far too many organizations have considered cyber-attacks and the related consequences associated with them part of doing business. From critical infrastructure to banks and financial institutions, and all the other companies in between just too big to fail; neglect has replaced sound computer network hygiene and security. The reasons are varied. Some companies have found it difficult to staff up across their enterprise, while others have balked at the costs of implementing proper security safeguards. Some have even blatantly decided to play musical chairs with hackers betting they could outmaneuver the bad actors before the music stopped.
Unfortunately, last year more organizations than ever before had the proverbial chair pulled out from under their CISOs with a reported 65,000 ransomware attacks, according to the Recorded Future, a Boston-based cybersecurity firm. Stoked by the enormity of the COVID-19 crisis and the earth-shattering shift in business operations, the majority of organizations across the country were ill-prepared to address the impact this dynamic would have on their cybersecurity. This uncertainly led to five of the most aggressive and damaging cyber incursions into the American homeland in our history.The ransomware assault began in February of this year when hackers accessed a water-treatment plant in Oldsmar, Florida, briefly raising the lye in drinking water to dangerous levels. A month later in March, CNA Financial Corp, one of the largest insurance companies in the U.S., was locked out of their network for almost two weeks following a breach. Even the sports world was not immune as hackers breached the business database of the NBA’s Houston Rockets snagging more than 500 gigabytes of confidential information, including contracts and non-disclosure agreements.
However, these were only a prelude to even bigger fireworks that occurred late this spring. In May, a ransomware attack on Georgia-based Colonial Pipeline, the main artery and supplier of gasoline to the Eastern Seaboard and most of the South, forced the company to shut down operations for more than two weeks, creating critical gas shortages in those regions. That same month, an attack shut down the databases of a hospital system in San Diego for two weeks. Then just this month, JBS S.A., a multi-national meat manufacturer, had its systems attacked and the firm shut down its computer systems to limit the scale of the breach. This closed off a quarter of American beef operations for two days.
In the case of Colonial and JBS, the ransoms were both quite hefty. JBS USA said it paid the equivalent of $11 million to hackers to resolve a ransomware attack that forced the company to shut down its beef plants. The company said in a statement afterward that it decided to “mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.” Colonial was tapped for approximately $4.4 million, but its executive team decided immediately after the initial ransom request to bring in the FBI, who were able to track the money trail of the Russian hackers. To date, Colonial has been able to recover almost half of the payout.
Motivation and Access
Plain and simple. The overriding majority of ransomware attacks are simple attempts at extortion. While money is the motivator for the bagmen, the residual value of these attacks benefits the bad actors. In many cases, safe havens for hackers are acquiescent, if not downright complicit, in fostering their activities that can have overarching economic and political impacts.
“The motives of the threat actors can vary significantly depending on who they are. In theory, ransomware attacks are all about the money, and if the threat actor is a criminal group, then money may well be the only motivation. But we have seen such attacks by groups out of China and especially Russia and it is hard to believe that their respective governments are not giving tacit agreement to such attacks,” warns Tim Shaw, a cybersecurity consultant on nuclear power plants and other critical infrastructure for the Westreich Group. He provides technical cybersecurity consulting support to nuclear power plant licensees, along with advising on NIDS, firewall and SIEM implementations at various nuclear plants, as well as examining their portable media and mobile device cybersecurity implementations.
“A cyber-attack that creates an impact that draws public attention helps to create fear in the public and a concern that our government organizations are not 'strong' and that they can't protect us. There is a political value to those actors, depending on which party they want to see in power.”
Shaw, who says that one of his favorite quotes that come from Lenin: "the purpose of terrorism is to terrorize", sums up his point because such an attack can be a means of testing our defenses while being able to blame criminals and not the nation-states sponsoring them.
“I can't help but notice that highly public attacks, with a direct impact on the voters (in the last two presidential elections), did not seem to occur under the prior administration but seem to be happening regularly now. Just a thought about possible motivations other than money." chides Shaw.
For Christopher Painter, President of The Global Forum on Cyber Expertise Foundation, and a former Senior Director for Cybersecurity in the Obama White House where he served on the National Security Staff (2009-2011), there are mixed messages in these latest incidents.
“Generally, when it's a criminal group, it is about money. Whether they're trying to interrupt and encrypt the services so that they're essentially extorting them, or whether they're extorting them because they threaten to release their information, the end goal is money. That's what drives criminal groups,” Painter says. “There’s a spectrum or sort when it comes to state responsibility, where everything from countries not being able to do something about it (attacks), to countries turning a blind eye, to coddling groups, to even directing groups. If these groups, acting on behalf of the nation-state, which you have seen in incidents involving North Korea or sometimes Iran, then they might have a dual motive where they're doing it for money, but they're also doing it, as kind of outsourcing to some country.”
For now, Painter is willing to go along with the federal government’s assessment of the two most recent attacks against Colonial and JBS. But only to a point.
“In these cases, at least, the White House has been saying these are criminal groups and this is not state-controlled. And I take their word for it. I've been dealing with cybercrime for many years when I was a prosecutor and chair in the G8 Group, and I'd say when there was a G8, that we've always had a problem with Russian cybercrime. It's always been hard to catch them. Sometimes, it was due to the fact that maybe they're acting under some sort of state control. Other times, there's corruption involved. As long as these groups aren't going after Russian targets, often the Russian government doesn't care that much. They might even be consistent with what they're trying to do in terms of destabilizing the West,” adds Painter, who has been involved at various senior levels with DOJ fighting computer crime and had senior roles in the FBI’s Cyber Division. “I don't think that the groups that did these two acts were acting at the behest of the Russian government. But they clearly are operating with impunity within Russia and no one's doing anything about them so far.”
Joel Burleson-Davis, who is the Chief Technology Officer at SecureLink, a leading third-party risk management firm based in Austin, Texas, says that threat actors are motivated by all of the same psychological reasonings that any other person is motivated by. However, he adds that the most common types of motivation exhibited by hackers are an incentive, cause, affiliation, achievement, or a mixture of these. His four criteria include:
- Incentive: Money. Yes, cybercriminals are most often motivated by money. The mere existence of ransomware is definitive proof of that!
- Cause: This is commonly referred to as "hacktivism." These attacks happen when a person, or a group, campaigns to achieve some sort of political, social, or religious justice.
- Affiliation: Many threat actors act under the will of their employers, governments, or threat groups. Recently, a threat group has been in the news a lot over the SolarWinds breach. It may be tempting to label them as "bad actors" or "cybercriminals", but to them, they may have simply been cyber soldiers carrying out their government's orders.
- Achievement: Some actors are out to simply boost their "street credibility." They want the world to know what they are capable of.
Does Defining the Motives Help in Strategic Planning?
Just because the oncologists are able to diagnose cancer doesn’t correlate to a cure for the disease. The same can be said for cybersecurity professionals and how their respective organizations combat the growing threats of crippling ransomware attacks. Protecting critical infrastructure and SCADA systems has been an imperfect science at best. While the figure is now being debated among some in the government sector, it is widely reported that 85% of the nation’s critical infrastructure is owned by the private sector, which might explain some of the wide disparities in security protocols and standards.
Career cybersecurity experts like Painter now insist it is time to stop the foot-dragging and coordinate efforts between the public and private sectors, saying it must be a top-down effort beginning with the current administration.
“We've been focusing on this idea of potentially devastating attacks that will take down critical infrastructure literally for 20 years. What's clear about what we've seen recently is that we need to do a much better job securing that infrastructure. That's largely in the hands of the private sector, and we've relied on market forces and incentives to do that. But maybe we have to have a more collaborative approach, especially when we're talking again about critical infrastructure. Maybe we have to be a little more coercive and set standards that folks need to meet,” stresses Painter.
“I think the government should lead and we haven't done a great job of that either. But the new executive order that came out talked about federal procurement and other things, it helps set a good standard. I think the high-tech industry and the financial industry, kind of get it. But for a lot of these other industries, including, power, water, pipeline and others, it's hit or miss. Some really understand the importance of cybersecurity, some don't. We need to really work with these entities, certainly the public-private partnership aspect of this, to make sure that they have the information they need. But at the same time, the U.S. government also has to respond and do things against the bad guys to try to deter them. There are several different parts of this.”
What irks Shaw, who when President and CEO at Hathaway/Tate Integrated Systems, brought to market an advanced DCS/SCADA system solution, is that this is a crisis of our own making. He laments the most cyber-attacks are preventable and that hackers often can access systems simply due to poor user training and a lack of situational awareness by staff and employees when it comes to web browsing, email and cell phone practices.
“Social engineering ploys, such as spear phishing, have a mind-boggling success rate and are a common attack method. In this particular case, I believe the attackers were able to access a VPN gateway used by personnel to get remote access, but which was only protected against compromise by a week, single-factor authentication measure,” Shaw says. “In the nuclear and electric power industry, there are some mandated cybersecurity requirements. In most others, there are just general cybersecurity recommendations that companies can ignore with no legal or regulatory consequences. I would like to see mandated cybersecurity for the critical infrastructure segments enumerated by DHS. If I were the emperor, I would cut all the internet connections to Russia and not allow them to have access, but I am not the emperor and doubt that action can realistically happen, unfortunately.”
From the perspective of Burleson-Davis, the roadmap to creating a national infrastructure protection plan consists of three main streets: education, trust and security philosophy.
“First, we need to get back to basics. The most effective means for security starts with surface-level knowledge. IT and security leaders need to take basic, high-level security education more seriously. Ninety-two percent of malware is delivered by email. Let that sink in,” Burleson-Davis says. “The largest, and usually easiest, attack surface that any infrastructure has, by far, are the humans that have access to it. Surface-level knowledge about phishing tactics, how to handle email attachments and credential security is as crucial as standard HR training.
“Second, ‘trust no one' is a phrase most often spoken by someone in real need of emotional therapy, but you may heed this advice in the context of computer systems. The Zero Trust (ZT) security model is something that all businesses, governments, and anyone with a network of systems should be paying attention to,” he continues. “Finally, exceptional security has a lot in common with an onion: It is layered. It’s not enough to place a big and expensive firewall in front of a network. Security needs to happen from the inside out and from small to big. Security tools are great, but they are still fallible.”