A series of unfortunate events… Or more? What story the recent cybersecurity attacks could be telling
Recently there has been a dizzying number of major breaches disclosed within just months and sometimes weeks of each other. I’ve been paying close attention and doing a bit of research into the most recent data breaches, especially the more notable ones. The most recent heavily covered incident, the JBS hack, is already having an impact on the food industry.
In the last seven months we have seen the following things happen:
In December, there was a massive supply chain attack against SolarWinds. The attackers infiltrated SolarWinds, then put a backdoor, or Trojan, into files that make up key parts of its Orion software. Those files are regularly updated and pushed down to every SolarWinds customer running Orion, so the Trojanized update reached them through the normal, trusted update channel. Just a reminder, SolarWinds products are what a lot of us use to manage and monitor the health of our networks.
Three months later, in March 2021, we saw another massive attack that affected more than 40,000 organizations using Microsoft Exchange. Attackers were using several zero-day exploits, that is, exploits not yet known to the general public or to the vendor who made the software -- in this case, Microsoft. There are reportedly hundreds of thousands of organizations that were victims of this attack. One might say that Microsoft Exchange is integrated into enough enterprise organizations that it is indeed considered a supply chain of its own.
Barely a month later we learned about the Colonial Pipeline ransomware attack. But if we think about what it really affected the most, it was the supply chain for one of our most vital functions -- transportation. As a result of this, I witnessed something in the DC Metro area I’ve never seen before: gas stations without gas. It was not a comfortable feeling.
The threat actors asked for $5 million, which some would say is a bargain. If you consider that Colonial Pipeline’s yearly gross revenue is a little over $500 million, the ransomware operators asked for less than 1 percent of it. That seems like business as usual for the "modern" ransomware operator: they are known to do reconnaissance, or "homework," on their targets so they know how much to ask for in the ransom demand.
As we’ve seen in this case with Colonial Pipeline and others, the group responsible used what is currently referred to in the industry as double extortion tactics, which means they are not just demanding a ransom to decrypt files, but also a ransom to keep from leaking data they’ve stolen. We don’t know what data was stolen, and we don’t know whether the operators handed that data off to another data harvester. There’s also triple extortion, where the attacker may demand a ransom for decryption, a ransom for keeping data confidential and, thirdly, a ransom from the victim’s business partners, customers and vendors.
To extend the streak, we learned a few short days later about the JBS attack. This was an attack against one of the largest meat distributors in the world. This was yet another ransomware attack that affected a critical supply chain and downstream customers as opposed to just affecting the target organization. They paid an $11 million ransom.
This was followed by, yet again, another devastating attack against the New York Transit Authority.
In May of 2021, hackers released the private information of 22 Washington DC police officers, as if to prove they had compromised the Washington DC Metropolitan Police Department’s network, which later turned out to be the case. This is right here in DC, in our nation’s capital.
To be clear, these attacks disrupted supply chains for our food, our cybersecurity and our ability to defend ourselves, our electronic messaging, as well as both our public and personal transportation systems.
Let’s imagine for a moment that we are writing a script for a thriller. The antagonist decides to test, or rehearse, debilitating the United States. What we’ve seen in recent months could be a prelude to how they might test our cyber infrastructure, and it has left many individuals and U.S. companies on the edge of their seats.
Or maybe what we’re seeing is evidence that our security is improving: an action-packed hero story, where we overcome the odds with the right tools. The prompt detection and response in the recent McDonald’s cyberattack shows how investing in cybersecurity can deliver faster detection and response times and mitigate the risk.
In many of my public speeches and media events, I would always joke, or at least half joke, that there are two kinds of organizations: those who are breached and know it, and those who are breached and don’t know it. It is highly possible that more and more organizations are now finding out when they are breached as security and infrastructure have improved. Due to advances in cloud technologies, machine learning, more accessible training and other innovations, more organizations can now take advantage of cutting-edge cybersecurity tech at lower price points.
I believe we have a responsibility to make sure we stay ready and prepare for any possibility. I also believe we can afford to say we are improving in some areas if there is evidence of that. FireEye’s rapid release of information on the SolarWinds breach, Microsoft jumping in to assist, and the FBI being able to recover money after the ransom was paid in the Colonial breach are notable and significant accomplishments. These things all show some forward progress.
Respectfully, we still have some work to do -- and I’m excited and honored to get to be a part of it.
Keatron Evans, CISSP, CEH, CSSP, LTP, is a cybersecurity and workforce development expert with over 17 years of experience in penetration testing, incident response and information security management for federal agencies and Fortune 500 organizations. He is Principal Security Researcher at Infosec Institute, where he empowers the human side of cybersecurity with cyber knowledge and skills to outsmart cybercrime. Keatron is an established researcher, instructor and speaker, as well as the lead author of the best-selling book Chained Exploits: Advanced Hacking Attacks from Start to Finish. He regularly speaks at industry events like Black Hat, OWASP, ISACA and RSA, and serves as a cybersecurity subject matter expert for major media outlets like CNN, Fox News, Information Security Magazine and more.