Corero

Ransomware and DDoS Attacks on Critical Infrastructure Make Headline News

It’s less common for cyberattacks to make headlines in mainstream news outlets, but last week’s ransomware attack on the Colonial Pipeline did, and for good reason. The attack crippled a crucial link for the energy sector, lasted five days, and affected fuel supplies up and down the eastern seaboard of the United States, which impacted consumers, airlines, and numerous other areas of the transportation sector. In the past several years, Corero has published many blogs about the importance of protecting critical infrastructure, and this latest incident is a painful reminder of how vulnerable it can be.

Who did it, and why?

Incidents like this prompt questions such as who were the threat actors, did they receive a ransom payment, and what major infrastructure target could be next on the hit list? The US FBI confirmed that the DarkSide ransomware gang was responsible. According to Security Boulevard, the gang wrote on their own blog that the motives were strictly financial, and they weren’t doing it on behalf of any outside organization, or a foreign nation-state. To end the hostage situation, Colonial Pipeline reportedly paid $5 million in ransom fees, a steep price by any measure. In general, law enforcement agencies discourage ransom payments, because caving in to the criminals’ demands only encourages them (or others like them) to do it again and, perhaps, to other targets.

Security Boulevard reports that the DarkSide gang launched its ‘business’ in August 2020, and “In mid-April the ransomware program announced a new capability for affiliates to launch distributed denial of service (DDoS) attacks against targets whenever added pressure is needed during ransom negotiations.” This is not at all surprising, because cybercriminals commonly combine ransomware attacks with DDoS attacks. The following incident is one example.

Ireland Health Agencies Suffer DDoS

As this blog post was being written, on May 13th the Irish Times reported that the IT systems of Ireland’s Health Service Executive (HSE) suffered what one official said was “possibly the most significant cybercrime attack on the Irish State,” which seriously disrupted clinical practices and administrative activities at many hospitals around the country, including COVID-19 testing referral sites. Cybercriminals launched a ransomware attack on May 14th, which was preceded the day before by a series of DDoS attacks on various national health agencies.

Anne O’Connor, HSE chief operations officer, said there were “two or three” distributed denial of service (DDoS) attacks on parts of the HSE system on Thursday, which were regarded as routine at the time. However, there is now speculation that they were forerunners for the bigger attack, and that those behind this were “knocking on the door.” The attack was a “zero-day threat,” which meant there was no previous experience of how to respond. This example reinforces how important it is to have a cyber defense system that is able to detect and mitigate zero-day attacks, i.e., those that haven’t been seen before in the wild. Many DDoS solutions just rely on static filters based on historical attacks, or on attempts to profile ‘good’ traffic. An advanced automated DDoS mitigation solution can automatically defend against zero-day attacks with intelligent mechanisms that look for DDoS indicators, as well as exact matches, in order to block attacks that haven’t been seen previously.

To deliver its industry-leading protection, Corero created a patented, proprietary, heuristic-based detection and mitigation mechanism called a Smart-Rule. Multiple rules based on this technology continuously inspect every packet, looking for those which exhibit specific traits, or indicators, which identify them as potentially being part of a DDoS attack. When repeated packets are seen with the same characteristics, this enables them to be accurately convicted as part of an attack and automatically blocked, even if that specific packet type has never been seen before.
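As an added illustration of the difference between static filters and indicator-based detection, the following Python is not Corero’s code and does not describe how Smart-Rules are implemented; it contrasts an exact-match filter with a hypothetical heuristic rule that convicts a previously unseen packet pattern once it repeats within a time window. All packet fields, the known-bad signature and the traffic stream are constructed for the example.

```python
from collections import defaultdict, deque

# Static approach: exact matches to attack packets recorded in the past.
# Constructed signature (proto, src_port, length), e.g. a DNS reflection flood.
KNOWN_SIGNATURES = {("UDP", 53, 4096)}

def static_filter(pkt):
    """Blocks only packets that exactly match a previously seen attack."""
    return (pkt["proto"], pkt["src_port"], pkt["len"]) in KNOWN_SIGNATURES

class HeuristicRule:
    """Hypothetical rule: convict a pattern once `repeats` packets sharing the
    same DDoS indicators arrive within `window` seconds, known pattern or not."""
    def __init__(self, repeats=5, window=1.0):
        self.repeats, self.window = repeats, window
        self.seen = defaultdict(deque)   # indicator tuple -> recent timestamps
        self.convicted = set()

    @staticmethod
    def indicators(pkt):
        # Traits a flood tends to hold constant while source addresses vary.
        return (pkt["proto"], pkt["dst_port"], pkt["len"], pkt["ttl"])

    def inspect(self, pkt):
        key = self.indicators(pkt)
        if key in self.convicted:
            return True
        q = self.seen[key]
        q.append(pkt["ts"])
        while pkt["ts"] - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.repeats:
            self.convicted.add(key)
            return True
        return False

def make_packet(ts, src, proto, src_port, dst_port, length, ttl):
    return dict(ts=ts, src=src, proto=proto, src_port=src_port,
                dst_port=dst_port, len=length, ttl=ttl)

def sample_stream():
    """Constructed traffic: a few normal TCP requests interleaved with a flood
    of a packet type the static filter has never seen (UDP/443, 1200 B, TTL 240)."""
    pkts = []
    for i in range(40):
        t = i * 0.02
        pkts.append(make_packet(t, f"203.0.113.{i}", "UDP", 40000 + i, 443, 1200, 240))
        if i % 10 == 0:   # benign packets differ in length, so no repeated pattern
            pkts.append(make_packet(t + 0.01, "198.51.100.7", "TCP", 50000 + i, 443, 60 + i, 64))
    return pkts

def compare(pkts, rule=None):
    """Return (blocked_by_static, blocked_by_heuristic, benign_packets_blocked)."""
    rule = rule or HeuristicRule()
    static = heur = benign = 0
    for p in pkts:
        static += static_filter(p)
        hit = rule.inspect(p)
        heur += hit
        benign += hit and p["proto"] == "TCP"
    return static, heur, benign
```

On the constructed stream the static filter blocks nothing, while the heuristic rule lets the first four flood packets through, convicts the pattern on the fifth and blocks the remaining 36 without touching the benign TCP traffic.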

Cybercriminals learn just like everyone else, from their successes and mistakes. These recent attacks were successes for the cybercriminals, which is likely to embolden them and inspire copycats. Organizations around the world — especially if they are part of critical infrastructure such as health services or energy — must learn from these unfortunate incidents and take proactive steps to become immune to victimization by such ruthless and greedy cybercriminals.