What Can Companies Learn from Major Cyberattacks?
Cybercrime is front-page news. Whether the victim is a meat processor or a fuel pipeline operator, companies are having their cybersecurity tested. With a cyberattack attempted every 14 seconds by one widely cited estimate, the question is no longer whether a business will become a target. The question is whether a company's security defenses will keep it from becoming front-page news.
One way to protect against a compromise is to learn from others' mistakes. President Biden's May 2021 Cybersecurity Executive Order directs federal agencies to remove barriers to sharing threat information with each other and with the private sector. By pooling that information, organizations gain knowledge that can help them prevent, or at least detect sooner, the same kind of attack.
As an example, let's look at what can be learned from four recent cyberattacks:
- SolarWinds
- Colonial Pipeline
- US Agency for International Development (USAID)
- JBS Meat Processor
Each incident shows how attackers penetrate defenses, whether for espionage, as in the SolarWinds and USAID campaigns, or for financial gain, as in the ransomware attacks on Colonial Pipeline and JBS.
SolarWinds
SolarWinds is a Texas-based company whose network management and monitoring tools are used by government agencies and the private sector. Customers' installations connect to SolarWinds' servers to receive software updates, much as individuals receive updates to Microsoft products, and as with Microsoft updates, companies can choose to have them applied automatically.
The attackers compromised SolarWinds' build process and inserted a backdoor into legitimate, digitally signed updates for the Orion platform. When customers downloaded the update, they installed the malware with it. It went undetected until December 2020, when FireEye, itself a SolarWinds customer, found the backdoor while investigating an intrusion into its own network. By then roughly 18,000 customers had installed the trojanized update, and the attackers had used that foothold to move further down the supply chain into a smaller set of selected victims, including federal agencies and technology companies. The long-term impact of the attack is still under investigation.
Companies treat software updates as a routine part of doing business, and many apply them without testing. The SolarWinds update carried the vendor's valid code signature and passed antivirus checks, so a signature check or a malware scan alone would not have stopped it. Even an update from a trusted supplier should be staged in a test environment before it reaches production, and the management servers that receive updates should be segmented, given only the privileges they need, and watched for outbound connections they have no reason to make. At the same time, updates should be applied as promptly as possible, because many contain security patches that close known vulnerabilities; the lesson of SolarWinds is to test and monitor updates, not to stop installing them.
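Because the SolarWinds update was validly signed, the control that would have caught it is behavioral: a management server has a small, knowable set of destinations it should talk to, and anything else deserves a look. The Python script below is an added example written for this article, not code from SolarWinds, FireEye or HRCT. The host name, vendor domains, internal ranges and log records are all constructed assumptions, and the log format is a simplified stand-in for whatever your proxy or firewall actually exports.

```python
"""Flag outbound connections from a management server that fall outside its known baseline.

Added example: the allow-list and log records are constructed, not data from any real incident.
"""
import re
from ipaddress import ip_address, ip_network

# Hypothetical baseline for a management server: the vendor's documented update/licensing
# hosts plus the internal ranges it is supposed to monitor. Everything else is unexpected.
ALLOWED_DOMAINS = {"updates.example-vendor.com", "licensing.example-vendor.com"}
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed proxy/firewall records: "<timestamp> <src_host> -> <destination>:<port> <bytes_out>"
SAMPLE_LOG = """\
2020-12-01T02:00:01Z mgmt-srv-01 -> updates.example-vendor.com:443 18234
2020-12-01T02:00:07Z mgmt-srv-01 -> 10.20.30.40:161 512
2020-12-01T02:15:22Z mgmt-srv-01 -> cdn.updates.example-vendor.com:443 90112
2020-12-01T03:01:44Z mgmt-srv-01 -> a1b2c3d4e5f6.cloud-metrics.example.net:443 4096
2020-12-01T03:31:44Z mgmt-srv-01 -> a1b2c3d4e5f6.cloud-metrics.example.net:443 1048576
2020-12-01T04:02:10Z mgmt-srv-01 -> 203.0.113.77:443 2048
2020-12-01T04:02:11Z mgmt-srv-01 this record is malformed
"""

LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, port, bytes_out), or None for a malformed record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, nbytes = m.groups()
    return ts, src, dst.lower().rstrip("."), int(port), int(nbytes)


def destination_allowed(dst, allowed_domains, allowed_networks):
    """True if dst is an allow-listed host, a subdomain of one, or an address in an allowed range."""
    try:
        addr = ip_address(dst)
    except ValueError:
        # Hostname. The leading dot matters: "notupdates.example-vendor.com" must not match,
        # and neither must "updates.example-vendor.com.attacker.example".
        return any(dst == d or dst.endswith("." + d) for d in allowed_domains)
    return any(addr in net for net in allowed_networks)


def find_unexpected_egress(log_text, allowed_domains=ALLOWED_DOMAINS,
                           allowed_networks=ALLOWED_NETWORKS):
    """Aggregate traffic to destinations outside the baseline, largest transfer first.

    Returns (findings, malformed_count). Each finding is a dict with the destination,
    connection count, total bytes sent, ports used, source hosts and first-seen timestamp.
    Malformed lines are counted rather than silently dropped, so a broken log feed is noticed.
    """
    hits = {}
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        ts, src, dst, port, nbytes = rec
        if destination_allowed(dst, allowed_domains, allowed_networks):
            continue
        entry = hits.setdefault(dst, {"destination": dst, "connections": 0, "bytes_out": 0,
                                      "ports": set(), "sources": set(), "first_seen": ts})
        entry["connections"] += 1
        entry["bytes_out"] += nbytes
        entry["ports"].add(port)
        entry["sources"].add(src)
    findings = sorted(hits.values(), key=lambda e: e["bytes_out"], reverse=True)
    return findings, malformed


if __name__ == "__main__":
    findings, bad = find_unexpected_egress(SAMPLE_LOG)
    for f in findings:
        print(f"{f['destination']:45} connections={f['connections']} "
              f"bytes_out={f['bytes_out']} first_seen={f['first_seen']}")
    print(f"{bad} malformed record(s) skipped")
```

Run this against a day of egress records for each update or management server. The first run produces the baseline (everything is "unexpected" until you confirm it belongs), after which the list should be nearly empty, and any new destination, especially one that receives a large transfer shortly after an update, is an investigation lead rather than noise.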
Colonial Pipeline
The cyberattack on Colonial Pipeline showed the real-world consequences of cybercrime. When the company found ransomware on its business systems, it shut down pipeline operations to keep the ransomware from spreading further. As one of the largest pipeline operators in the United States, Colonial carries about 45% of the fuel used on the East Coast, including gasoline, heating oil, and jet fuel, so the shutdown was felt from Texas to New York.
The DarkSide ransomware group is credited with the attack. Its operators not only encrypted the company's systems but also stole data and threatened to publish it on the dark web if the ransom was not paid. Colonial paid 75 bitcoins, about $4.4 million at the time, to regain control, although the FBI advises against paying ransoms because payment funds and encourages further attacks.
How the ransomware got onto the network was not known when the attack became public. Colonial later disclosed that the intruders logged in with a compromised password for a legacy VPN account that did not require multi-factor authentication. Before that was confirmed, the most likely causes were considered to be:
- Unpatched vulnerabilities
- Phishing emails with malicious links
- Stolen credentials
Any one of these threat vectors can be countered with proper security controls.
Software updates and patches should be installed as promptly as possible, and the backlog is large: by the end of 2020, 18,335 vulnerabilities had been published for the year, 4,380 of them rated high severity. Systems should also undergo regular vulnerability assessments so that exposed, unpatched software is found before an attacker finds it.
Educating employees about phishing helps prevent the unintended click on a malicious link. Attackers have become expert at mimicking real companies, so people need to look closely at the sender and at where a link actually leads before acting on an email. The same applies to user credentials. Many organizations are moving to multi-factor authentication so that a stolen password alone is not enough to log in; MFA based on hardware security keys or platform authenticators (FIDO2) also resists phishing of the second factor, which SMS codes and one-time passwords do not.
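The advice to check every email carefully is hard to follow by eye because the tricks are subtle: a trusted name buried inside someone else's domain, a digit in place of a letter, an internationalized domain name, or anchor text that shows one address while the link goes to another. The Python below is an added example written for this article (not a tool from HRCT or any vendor) that applies those checks to the links in an HTML message. The trusted-domain list and the message body are constructed; none of the domains or addresses belong to a real organization, and the two-label rule for the registrable domain is a simplification noted in the code.

```python
"""Screen the links in an HTML email for the indicators phishing campaigns rely on.

Added example: trusted domains and the message body are constructed for illustration.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Hypothetical set of domains this organization legitimately receives links from.
TRUSTED_DOMAINS = {"example-bank.com", "example-vendor.com"}

# Constructed message body mixing legitimate links with typical phishing patterns.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please <a href="https://example-bank.com.account-verify.net/login">sign in</a> to confirm your details.</p>
<p>Or visit <a href="http://203.0.113.5/x">https://example-bank.com/secure</a> directly.</p>
<p>Your statements: <a href="https://statements.example-bank.com/2021">statements.example-bank.com</a></p>
<p><a href="https://examp1e-bank.com/reset">Reset your password</a></p>
<p><a href="https://xn--exmple-bank-l7a.com/">Help centre</a></p>
<p><a href="https://www.example-vendor.com/updates">Release notes</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host. Production code should consult the Public Suffix List
    (so that e.g. 'co.uk' is handled); two labels are enough for the constructed sample."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch typosquats such as examp1e-bank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shown_host(text):
    """Hostname if the anchor text itself looks like a URL or domain, else None."""
    if not text or " " in text or "." not in text:
        return None
    host = urlparse(text if "://" in text else "https://" + text).hostname
    return host.lower() if host else None


def analyze_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return [(href, [reasons])] for every link that shows a phishing indicator."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname
        if not host:
            continue
        host = host.lower()
        reg = registrable_domain(host)
        reasons = []
        try:                                # 1. bare IP address instead of a name
            ip_address(host)
            reasons.append("ip-address host")
        except ValueError:
            pass
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("idn/punycode label, check for homoglyphs")      # 2.
        if reg not in trusted and any(t in host for t in trusted):
            reasons.append(f"trusted name embedded in untrusted domain {reg}")  # 3.
        for t in trusted:                   # 4. one or two edits from a trusted domain
            if reg != t and levenshtein(reg, t) <= 2:
                reasons.append(f"lookalike of {t}")
        shown = shown_host(text)            # 5. visible URL differs from the real target
        if shown and registrable_domain(shown) != reg:
            reasons.append(f"text shows {shown}, link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("   -", r)
```

Of the six links in the sample, the two that go to trusted domains pass and the other four are flagged, each with the specific reason, which is what makes this useful at a mail gateway or in a report-phishing workflow: the finding tells the user what to look at, rather than just saying "suspicious".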
US Agency for International Development (USAID)
Microsoft reported in May 2021 that USAID had been used as the launching point for a supply chain attack resembling the SolarWinds campaign of 2020, and Microsoft attributed it to the same group that attacked SolarWinds. In this case the attackers compromised USAID's account with Constant Contact, an email marketing service that many organizations use to send bulk mail.
Using Constant Contact's platform, the attackers sent emails that appeared to come from USAID to thousands of recipients at organizations around the world. The emails contained links that, when clicked, delivered malware to the recipient's system, giving the attackers a foothold from which they could run further code, steal information, or launch a ransomware attack. According to the analysts who studied the campaign, the attackers varied the payload according to the target's system rather than sending everyone the same file.
It is unclear whether the attackers intended to deploy ransomware on recipients' systems or to use those systems as a stepping stone into other organizations, and the investigation was in its early stages at the time of writing. What the incident does show is how exposed supply chains have become: a trusted third party's email platform was turned into a delivery mechanism. Companies need to ensure that their security controls extend up and down the supply chain, to the vendors they rely on and to the customers who rely on them.
JBS
JBS, the largest meat processing company in the world, was hit by a ransomware attack in May 2021. The attack temporarily disrupted operations at several of its processing plants. JBS initially did not say whether it paid a ransom, but later confirmed that it paid the equivalent of about $11 million in bitcoin. Investigators attribute the attack to REvil, a Russian-speaking ransomware group, although the group did not publicly claim it.
JBS has released few details about how the attackers got in, so it is impossible to say precisely what happened. What the attack does demonstrate is the tempo of these incidents. In May 2021 alone, three major attacks became public: Colonial Pipeline, USAID, and JBS. Two of them disrupted parts of the fuel and food supply chains; the third gave attackers access to an unknown number of systems.
Finding the right partner to help protect your digital assets is fundamental to establishing a strong security defense. HRCT has served the Virginia Beach – Norfolk area for over 30 years. We have helped organizations working in the public and private sectors with their technology needs. In addition, our cybersecurity professionals help companies of all sizes strengthen their security protocols. Contact us to discuss how we can keep your company from being the next security breach to make front-page news.