New CSE Report Provides Warning That Critical Infrastructure Networks in Canada are At High Risk of Attack: What You Need To Do Now (LONG READ)


A recent report from the CBC covering a new intelligence assessment from the Communications Security Establishment (CSE) has highlighted the very real threat against Canada’s critical infrastructure, such as the electricity supply. The CSE has intimated that state-sponsored actors are sharpening their cyber capabilities to enable an attack that will be used to intimidate or to prepare for future online assaults. While the report focused primarily on Canada’s critical infrastructure, we believe the same applies to all our customers, worldwide.

The report has provided some extremely interesting findings. Here are some that we would like to directly highlight:

“State-sponsored actors are very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure, such as the supply of electricity, to further their goals. We judge that it is very unlikely, however, that cyber threat actors will intentionally seek to disrupt Canadian critical infrastructure and cause major damage or loss of life in the absence of international hostilities. Nevertheless, cyber threat actors may target critical Canadian organizations to collect information, pre-position for future activities, or as a form of intimidation.”

First Finding – The probing that is occurring is focused on ‘collecting’ information. Next, the report states:

“In 2019, Russia-associated actors probed the networks of electricity utilities in the US and Canada. Iranian hacking groups have targeted ICS infrastructure in rival nations, including the US, Israel, and Saudi Arabia. North Korean malware has been found in the IT networks of Indian power plants, and US utility employees have been targeted by Chinese state-sponsored cyber threat actors.”

Second Finding – The probing that is occurring is not just focused on the infrastructure but also on the ‘employees’.   As we’ve seen in the past, employees can often be a weak link in the security chain.  The report goes further, stating, 

“We assess that cybercriminals will very likely increase their targeting of ICS in the next two years in an attempt to place increased pressure on critical infrastructure and heavy industry victims to promptly accede to ransom demands.”

Third Finding – There is a critical connection between Industrial Control System (ICS) threats and ransomware.  In one case, state actors are using threats to ICS in order to force the victim to pay the ransom or face monetary loss through operation shutdowns due to safety concerns.  Here is the statement, 


“Since January 2019, at least seven ransomware variants have contained instructions to terminate ICS processes. The impact of these attacks on ICS varies according to the specific circumstances of the industrial process and the reaction of the site staff. In June 2020, a car manufacturer halted production at most of its North American plants, including one in Canada, “to ensure safety” after very likely being hit by one of these ransomware variants.”
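The behaviour the report describes, ransomware that terminates ICS processes before encrypting, is something a site can watch for in its own process-creation telemetry. The following is an added example, not code from the original post or from Wedge: it parses constructed, Sysmon-style process-creation lines and flags any parent process that launches `taskkill` against several watchlisted ICS processes within a short window. The watchlist names, the simplified log format and the sample lines are all assumed and constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlist of ICS-related process names (constructed placeholders,
# not names taken from the CSE report).
ICS_WATCHLIST = {"hmi_runtime.exe", "historian.exe", "opcserver.exe", "plc_bridge.exe"}

# Constructed sample log in a simplified Sysmon Event ID 1 (process creation)
# shape: an unknown binary in Temp kills several ICS processes within seconds,
# and later an operator restarts the historian by hand.
SAMPLE_LOG = """\
2020-11-20T03:14:01 ParentImage=C:\\Users\\ops\\AppData\\Local\\Temp\\update.exe Image=C:\\Windows\\System32\\taskkill.exe CommandLine="taskkill /f /im hmi_runtime.exe"
2020-11-20T03:14:02 ParentImage=C:\\Users\\ops\\AppData\\Local\\Temp\\update.exe Image=C:\\Windows\\System32\\taskkill.exe CommandLine="taskkill /f /im historian.exe"
2020-11-20T03:14:02 ParentImage=C:\\Users\\ops\\AppData\\Local\\Temp\\update.exe Image=C:\\Windows\\System32\\taskkill.exe CommandLine="taskkill /f /im notepad.exe"
2020-11-20T03:14:03 ParentImage=C:\\Users\\ops\\AppData\\Local\\Temp\\update.exe Image=C:\\Windows\\System32\\taskkill.exe CommandLine="taskkill /f /im opcserver.exe"
2020-11-20T09:30:00 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\taskkill.exe CommandLine="taskkill /f /im historian.exe"
"""

LINE_RE = re.compile(r'^(\S+) ParentImage=(\S+) Image=(\S+) CommandLine="(.*)"$')
TARGET_RE = re.compile(r"/im\s+(\S+)", re.IGNORECASE)


def parse_kills(log_text):
    """Yield (timestamp, parent, killed_process) for each taskkill launch."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(3).lower().endswith("taskkill.exe"):
            continue
        t = TARGET_RE.search(m.group(4))
        if t:
            yield datetime.fromisoformat(m.group(1)), m.group(2), t.group(1).lower()


def find_ics_kill_bursts(log_text, window_seconds=60, threshold=3):
    """Return {parent: sorted ICS targets} for every parent that killed at
    least `threshold` distinct watchlisted processes inside one time window."""
    by_parent = defaultdict(list)
    for ts, parent, target in parse_kills(log_text):
        if target in ICS_WATCHLIST:
            by_parent[parent].append((ts, target))
    window, alerts = timedelta(seconds=window_seconds), {}
    for parent, kills in by_parent.items():
        kills.sort()
        for i, (start, _) in enumerate(kills):
            hit = {tgt for ts, tgt in kills[i:] if ts - start <= window}
            if len(hit) >= threshold:
                alerts[parent] = sorted(hit)
                break
    return alerts
```

A single operator restart of the historian from explorer.exe stays below the threshold, while the burst from the Temp binary is reported; tune the window and threshold to the site's normal maintenance patterns.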

Fourth Finding – To increase their success rate, ransomware campaigns are becoming more focused on Big Game Hunting (BGH), and threatening ICS is becoming part of these BGH campaigns. BGH campaigns are extracting far higher ransoms. One such case was brought up by the report:

“As BGH ransomware campaigns have become more common, the value of ransom demands has increased. Ransomware researchers estimate that the average ransom demand increased by 33% since Q4 2019 to approximately $148,700 CAD in Q1 2020 due to the impact of targeted ransomware operations. At the more extreme end of the spectrum are multi-million dollar ransom events, which have become increasingly common. In October 2019, a Canadian insurance company paid $1.3 million CAD to recover 20 servers and 1,000 workstations.”

Fifth Finding –  There is a blurring of lines between ransomware campaigns and state sponsored campaigns (including ICS targets) because of the mutually beneficial outcomes. 

“In addition, we assess that it is likely that state-sponsored cyber threat actors will use ransomware to obfuscate the origins or intentions of their cyber operations. It is almost certain that the intelligence services of multiple countries maintain associations with cybercriminals that engage in ransomware schemes. In these mutually beneficial relationships, cybercriminals share stolen data with intelligence services while the intelligence service allows the cybercriminals to operate free from law enforcement.”

Sixth Finding – These targeted ransomware campaigns against large enterprises and critical infrastructure providers are going to increase over the next two years, and those who refuse to pay risk severe consequences.

“We expect that ransomware directed against Canada in the next two years will almost certainly continue to target large enterprises and critical infrastructure providers. Furthermore, many Canadian victims will likely continue to give in to ransom demands due to the severe economic and potentially destructive consequences of refusing payment. Since late 2019, multiple Canadian businesses and provincial governments have had their data publicly leaked by ransomware operators for refusing payment, including a construction company and a consortium of Canadian agricultural companies.”

Final Finding – There are multiple statements about Canadian enterprises being targeted if they have foreign operations.  These foreign operations will often also be weak security links offering entry into the networks of the main operations in Canada. 

“Many organizations rely on a complex and often globally distributed supply chain for many aspects of their operations, including precursor manufacturing, IT infrastructure and support, and financial services. Cyber threat actors target the networks of trusted vendors and then leverage the vendors to access the networks of their true targets.”

In summary, as the report alludes, the unfortunate reality is that the threats will continue to grow as more and more critical infrastructure networks and operational technology networks modernize and go online. In the past, the Operational Technology (OT) used to control a variety of critical infrastructure and systems was fairly immune to cyber attacks because it ran on older IT and was air-gapped from the internet. However, with newer technology being introduced that lowers operating costs and makes systems more efficient and easier to use, the number of attack vectors is increasing dramatically. Now that upgraded systems use the internet for access and control, they become increasingly favoured targets for these state-sponsored hackers.

And critical infrastructure will not be the only targets going forward.  As more and more IoT devices connect to the internet (such as those used in the growing number of “smart cities” as well as in other areas such as healthcare, with personal medical devices), the risks will continue to grow.  We’ve written about potential healthcare vulnerabilities in the past that could result in life or death situations.  These are all interconnected and inter-related to the explosion in the number of IoT devices being used and the growing threat that they bring to the systems that use them.

What should you do?

First, your organization should review the solutions it currently has in place to see whether they are able to detect and block any and all malware in real-time. Ensuring that malware cannot breach the network is the first step in avoiding prolonged and focused attacks by hackers.

Next, your organization should look at information sessions for employees to make them aware of various types of attacks and what they may look like. Unfortunately, the human element is one of the weakest links in the security wall and a simple phishing email to an unsuspecting employee can sometimes be the hole that hackers need to get into the network.

Review how well fortified your ICS devices are and what protections they are afforded by your current solution. If there are holes here, they need to be closed by a solution that is aware of the vulnerabilities and that can scan for them and block them.

Have a look at the game plan your organization has for dealing with ransomware attacks. Although the best way to handle these is to prevent them from occurring in the first place with a real-time threat prevention solution, also check whether you have adequate backup systems in place and how quickly your IT security team can get your systems up and running again from those backups.

Finally, if you have subsidiaries overseas, assess how they communicate back to your HQ network and servers and how well this communication channel is secured. As we’ve seen during the current pandemic, VPN connections are not as secure as people think they are. These channels need to be fully secured by a solution that can scan the VPN communications for any malware that may have found its way onto the endpoint devices.

This brings us to how some of these critical vulnerabilities can be fixed. From our perspective, many of these attack vectors can quickly and easily be closed with the right solution. Wedge has been at the forefront of the Real-time Threat Prevention revolution, developing an orchestrated network security platform that combines Deep Content Inspection visibility with AI / machine learning, along with patented high performance data processing technologies that enable the real-time detection and blocking of all malware (known, unknown and targeted). By incorporating AI and automated, continuous machine learning in the fight against bad actors, many of whom have already started using AI to create new malware, Wedge is looking to turn the tide against these attacks.

Wedge has also recently started offering WedgeARP for enterprises that have a portion of their employees working from home with Wedge Secure Home Office, and has started providing Wedge Secure Remote Office, a uCPE and vCPE based WedgeARP offering for organizations with offices overseas. The key here is being able to detect malware in real-time and block it before it has a chance to gain access to these critical infrastructure networks. This goes a long way to helping prevent targeted and co-ordinated attacks, and hopefully also prevents hackers from collecting the information they need to put themselves in advantageous and intimidating positions in the future.

While the CSE’s briefing was not meant to scare people into taking an extreme approach by “going off the grid by building a cabin in the woods”, it is a good reminder that it is time for many of these critical industries to take a more pro-active approach to how they are defending themselves against highly motivated state-sponsored hackers.  

Coming back to the CSE’s warnings, we feel that the time is now for many of these vulnerable organizations to take a closer look at their cyber defences and see how Wedge Absolute Real-time Protection can help stave off these future attacks. To find out more about WedgeARP and Real-time Threat Prevention, contact our team at: info@wedgenetworks.com. The solutions are available. They just need to be put in place.

About Wedge Chief Scientist

Husam Kinawi, Chief Scientist

Dr. Kinawi has a PhD and MSc in Computer Science from the Universities of Calgary, Canada and London, UK. In 1997, he co-founded Mpower Technologies Inc., a wireless telecommunications software company. In 1999, Dr. Kinawi co-founded ActiveIq.com (NASDAQ: AIQT), a Boston-based e-Business applications firm. Dr. Kinawi has over seventeen years of research and development experience working with industry leaders such as Newbridge (Alcatel), Siemens, United Technologies, and Apple in the areas of distributed information systems, embedded applications and wireless Internet solutions. Dr. Kinawi has also spoken at several major conferences, published several research papers, and is the holder of several patents in the area of mobile and wireless devices.
