In the face of a crippling double extortion ransomware attack on their organization, it was tough for the person on the other end of the line to hold back tears, says David Masson, director of enterprise security for Darktrace.
It began with a single ransom payment to unlock files that had been encrypted. A single payment became two, but eventually, it didn’t matter that the purse was empty – hackers installed crypto-mining malware on their network and made money that way.
Masson couldn’t elaborate more about the victim, but he says he hears variations of that story from IT teams worldwide. What’s especially troubling is stories like this, and other high-profile attacks, like the 2017 fileless cyberattack against Equifax that led to more than 140 million people’s data being stolen, have laid the groundwork for equally devastating cyberattacks against nations’ critical infrastructure. The world caught a glimpse of the quiet devastation last year in healthcare, he recalls.
In October 2020, a Finnish psychotherapy centre had its systems attacked and patient data stolen. Attackers not only demanded a ransom from the psychotherapy centre, they also contacted patients individually seeking a ransom of 200 Euros in bitcoins. Closer to home, Ontario’s York University fell victim to what appeared to be a ransomware attack last May after announcing a $250,000 COVID-19 research fund. The manufacturing sector is also a popular target as everything from the factory floor to the cars they’re assembling are connected to the internet.
“They’re exploiting these organizations’ strong sense of duty to supply a service and to make sure there’s no break in that service,” Masson told ITWorldCanada.com. “They know if they hit a hospital, that hospital will do whatever it can to get back online or to get whatever service interrupted back working again. You hear it all the time from municipalities: ‘We just had to pay to get back working as fast as possible.’”
It’s a vicious cycle of events that’s leading to more attacks against critical infrastructure, according to BlackBerry’s 2021 Threat Report, and Canada is on the verge of getting blindsided by a big one.
Wake up Canada
BlackBerry researchers didn’t mince words in their threat report: “Canada’s critical infrastructure strategy has not been updated since 2009 and is ill-prepared to deal with today’s cyber-based threats.”
The National Strategy for Critical Infrastructure makes zero mention of cybersecurity, and under Risks to critical infrastructure, the document only cites natural disasters. Masson says the operational technology powering the majority of Canada’s critical infrastructure never had to worry about cyberattacks until piles of ill-conceived IoT devices were tacked on without security in mind.
“[Operational technology] is becoming increasingly interconnected, which means attackers can wander around IT networks and pivot over to OT,” he warned.
Theo Zafirakos, CISO at Terranova Security, acknowledges the challenges that come with merging the IT and OT worlds but says that doesn’t negate the need for training and enablement at all levels of an organization.
“Organizations also face challenges training employees in operational roles, where they access and operate connected technologies, but are more difficult to reach with awareness messages,” Zafirakos wrote in an email. “This is why every security and protection strategy must take into account the people, process and technology triad. Awareness covers the people aspect.”
Still all about budgets
While federal agencies like the Canadian Centre for Cyber Security have done a good job of elevating cybersecurity conversations in enterprise boardrooms and large organizations, there’s little reason to believe that the majority of government departments managing critical infrastructure will deviate from their budget-over-everything attitude, says Eric Milam, the vice-president of research and intelligence at BlackBerry.
“As a pentester, I tested a lot of small governments. And they just don’t have the funding,” Milam told ITWorldCanada.com. “I would ask them ‘what are your goals here?’ And a lot of the time it was ‘get me budget.’ And I was like ‘Okay, no problem.’”
Cybersecurity legislation is slowly catching up to where it needed to be “a decade ago,” says Milam.
Many public sector offices have Windows OS running on their machines. BlackBerry’s threat report included a few of the operating system’s biggest threats, such as the information-stealing malware known as Astaroth, which has received some major updates allowing it to use malicious iframes and stealthily inject jScript staged downloaders.
Masson says there’s a growing number of government offices using Macs to try and sidestep the vulnerabilities on Windows. But even Macs are vulnerable to serious attacks. In fact, a security research firm recently confirmed that nearly 30,000 Macs worldwide have been infected with mysterious malware.
Thankfully, deepfake threats are less frequent
BlackBerry’s report says deepfake threats continued to impact high-profile users but “declined overall as threat groups embraced COVID19-themed attacks.”
Milam agrees that the threat of deepfake attacks don’t carry much weight yet in most boardrooms and IT departments, but the impressive deepfakes circulating on YouTube involving movie stars and athletes beg the question: How long until we see authoritarian governments using the technology to spread disinformation?
The barrier to entry for this tech is relatively low, he adds.
“There are lots of folks are trying to fight deepfakes with other machine learning capabilities. It’s getting more and more real,” he said.