The Colonial Pipeline cyberattack in May 2021 ranks as one of the top critical infrastructure attacks to date. At the time, Semperis Director of Services Sean Deuby predicted that the ransomware-as-a-service (RaaS) attack was an “implication of what is to come … open season on infrastructure providers.” One year later, we talk with Sean about the current state of infrastructure cybersecurity: what lessons were learned, what new threats have emerged—and what actions infrastructure providers can take now to prevent themselves from being the next big target.
Last year, you predicted that the Colonial Pipeline attack was the beginning of a trend targeting critical infrastructure providers. Are we seeing that now?
Sean Deuby: Based on FBI and CISA warnings alone, I’d say the answer is a resounding “Yes.” From BlackCat to REvil to RagnarLocker, the number and frequency of threats and threat actors remains high. And critical infrastructure seems to be an increasingly attractive target.
The thing to keep in mind is that “critical infrastructure” is a pretty broad playing field. The first things that come to mind when we hear that term, at least in the United States, are probably Colonial Pipeline cyberattack and the water treatment plant attack in Florida just a few months before that. But utilities, including oil and gas infrastructure, are just the tip of the iceberg when we’re talking about critical systems. I’d say healthcare is critical. Fire prevention, community services are critical. Food supplies are critical. The past two years have demonstrated how vulnerable the just-in-time supply chain is to any kind of disruption, including the type of ransomware attack that REvil leveraged against JBS. And all these industries are prime targets for ransomware groups.
“According to Gartner, ransomware attacks have increased by 400% since the Colonial Pipeline attack in May 2021, and include clients that have suffered attacks and gone through recovery.”
Is there a reason that infrastructure providers are particularly vulnerable?
Well, right off the bat: SCADA systems. IoT devices. Embedded operating systems with few or no security updates. Outdated and difficult-to-update technology. Healthcare, utility systems … these industries are rife with these types of devices, which are just so difficult to secure.
The pandemic has also complicated the landscape by increasing the need for remote access. That, of course, increases the attack surface. During the height of lockdowns, many entities were forced to throw those methods together. As a result, they weren’t built with the care and consideration and security that they really need to have.
Depending on the industry, funding is always an issue. So many organizations can’t or won’t justify additional spending on layered defense or fault tolerance. Of course, if you get hit by ransomware, the cost is going to be much greater.
Are you seeing an increase in the use of RaaS to deliver ransomware?
It’s definitely a popular option for malicious actors now. The goal of most ransomware groups is to make money, as quickly and easily as possible. That’s the end goal—making money, potentially to fund really nasty activities, from organized crime to terrorism. Whatever methods will accomplish that goal are fair game. Why not lower the friction of getting into the business? Why not make things easier for affiliates, and get a cut in the process?
What developments during the year since the Colonial Pipeline cyberattack have surprised you?
Maybe I’m most surprised that we haven’t seen more truly effective cyberstrikes than we have. I think most IAM experts are sort of always on the edge of our seats, holding our breath waiting for the next NotPetya to rear its ugly head. Especially given some of the global events in the year since the Colonial Pipeline cyberattack, I’m pleasantly surprised that we haven’t seen worse than we have. I hope that’s an indicator that organizations are taking more effective action to protect their networks and identity systems like Active Directory, which is most often the ultimate target for ransomware.
Another development, though not a surprising one, is the re-emergence of some of the DarkSide players in the BlackCat group. I’d say it’s interesting rather than surprising. One thing to note about many of these groups that target critical infrastructure: After DarkSide was targeted by the US government after the Colonial Pipeline attack, non-state threat actors have tried to keep attacks small enough to avoid serious government intervention. That’s a real threat to their profit potential. So, seeing groups disband and reform in other iterations is not unexpected. And from a cybersecurity perspective, it might indicate the type of tactics we’ll see from new groups, based on their membership’s previous affiliations.
So, given all this, what steps can critical infrastructure entities take right now to help protect themselves?
At Semperis, we always advise organizations to “think like an attacker.” You really have to look at your security the way someone with no or an extremely twisted moral compass would do. Where does the highest profit lie? Is it your intellectual property? Your customer data? For critical infrastructure, when we’re talking about ransomware, it’s often simply the amount of money threat actors can make by locking down your systems generally after they’ve exfiltrated valuable organizational data. A hospital using a lot of IoT equipment to deliver life-sustaining services—medication, ventilation, and the like—is a lot more likely to ante up fast than an organization that can hold off on service delivery for days.
Aside from the obvious advice—patches, strong password policies, and the like—network segmentation and implementing strong controls around remote access are important steps. Remote access, as I mentioned earlier, broadens the attack surface. So, the more protection you can provide there, the better. For organizations like utilities, isolating your IT and authentication systems from your process control systems—and ensuring that duplicate credentials aren’t used across both—can at least buy you time during an attack.
Any other thoughts to take with us into the rest of 2022?
The thing to keep in mind about ransomware is that attackers who manage to invade a system immediately start seeking out privileged access. They move laterally, step by step, using Active Directory. Once they hit that administrator jackpot, they can wreak all kinds of havoc. That’s why it’s so important to have an AD-specific defense solution. You might have to defend thousands of endpoints and user accounts. The likelihood that someone or something is going to slip through the cracks is high. Implementing strong security around Active Directory—the ability to automate alerts against known security indicators of exposure and compromise, rollback of changes to Active Directory until your security team can review and approve them, and in the worst-case scenario, recover from a recent backup without reintroducing malware—that’s your best bet when it comes to keeping the lights on.
Semperis’ most recent Purple Knight Report showed that critical infrastructure, government, healthcare, and transportation industries can make a lot of improvements in account security and Group Policy security, in particular. I’d encourage organizations to use the free Purple Knight assessment tool to just get a quick snapshot of where their Active Directory security stands.