2019 is drawing to an end, with only one month left to go. The cybersecurity landscape has been “quite busy” as organizations have committed a lot of investments towards their cyber defenses. In spite of this, cyber adversaries have managed to outmaneuver some companies, causing severe attacks and data breaches. Some of these are serious enough to be considered disasters. Before entering 2020, it is vital to know about the top cybersecurity disasters in 2019. We explain their impacts and their resolutions.
1. Ransomware attacks
Ransomware attacks have been prevalent this year. The healthcare industry alone has lost over $25 billion to ransomware attacks. Also, a survey drawing cybersecurity professionals from various industries showed that 81% believe that 2019 has had more ransomware attacks than any other year. Ransomware criminals have continued to target organizations in industries such as healthcare, education, and industrial plants.
Hospitals closed in the U.S. and Australia
Ransomware attacks targeting healthcare facilities caused hospitals to shut down major operations. In a press release by DCH Health systems, criminals launched a ransomware attack preventing staff from accessing computer systems. The hospitals, which are located in Alabama, had to resort to using emergency procedures to provide care to patients in dire need. An administrative official was quoted saying that “it is in the best interest of patient safety that DCH Regional Medical Center, Northport Medical Center and Fayette Medical Center are closed to all but the most critical new patients”.
In an isolated incident, California-based medical practice, Wood Ranch Medical, put a notice on September 18 that it will shut all operations on December 17. The health facility stated that a ransomware attack had caused it to lose an extensive amount of patient medical records and information. In the announcement, Wood Ranch Medical said that “the damage to our computer system was such that we are unable to recover the data stored there and, with our backup system encrypted as well, we cannot rebuild our medical records”. This is a clear indication of the severity of the ransomware attack, which encrypted all files stored locally and backups as well.
In addition, ransomware attacks in Australia’s south-west Victoria and Gippsland affected the operations of seven major health providers. The affected facilities had to either revert back to manual operations or completely shut down health services. Victoria’s Department of Premier and Cabinet issued an advisory that a ransomware attack incident prevented the hospitals from accessing critical systems which included financial management systems. The hospitals had to isolate the systems and disconnect them in a bid to quarantine the ransomware infection. Some of the affected systems that are critical to daily hospital operations included information management systems, booking, and patient health records.
The LockerGoga menace cripples Norsk Hydro
2019 saw the emergence of a new ransomware variant. Known as LockerGoga, the malware is different from its predecessors, which merely encrypt systems and files until the affected victim pays a ransom. Instead, LockerGoga ransomware variant modifies the local accounts of an infected system by changing the login credentials of the users. The malware then forces a system log-off such that a password must be provided to log back in. Similar to other ransomware attacks, the victims either pay the ransom to regain control or revert to manual operations. The LockerGoga variant also contributed its fair share in the topmost cybercrimes in 2019.
Norsk Hydro, a global aluminum producer, was infected by the LockerGoga malware. The company discovered the March attack after some vital systems began malfunctioning. The company’s CIO stated that the attackers had already gained access 2 weeks before the attack. The malware executed on 20th March and Norsk Hydro had to disconnect its worldwide network.
The company revealed that the attack had impacted most of the essential systems needed for production. These included the digital systems implemented in Hydro’s smelting plants. The infection was devastating to a point where Norsk Hydro had to shut down its metal extrusion plants and switch to manual operations. Although LockerGoga is only used to execute limited attacks, it has a greater impact compared to other ransomware variants like WannaCry and NotPetya. In Hydro’s case, it only infected the company’s central active directory server. This however impacted all of the company’s workstations at the same time.
The attack took Norsk Hydro well over a month to stop using manual operations and restore its digital systems. So, how did the company handle the attack? The first thing Norsk Hydro did was to immediately isolate the infected systems. The company used a single domain for its admin systems and networks. Luckily, it did not use the same domain for its cloud-hosted Microsoft Office servers or the company’s industrial control system. The attackers were able to change admin passwords since there were using the same domain. The infection spread rapidly, which would not have been the case had the company segmented its passwords and used separate domains for admin accounts.
LockerGoga hits and disrupts operations at Altran Technologies
Altran Technologies is a French-based company that provides global engineering consultations and innovations. On 24th January 2019, the cyber adversaries used the LockerGoga ransomware and targeted the company’s networks. The highly acclaimed R&D services provider gave a press release, stating that the attack had encrypted important files and data and had spread throughout its networks. The company also said that it was shutting down all of its applications and IT networks to contain the attack and more importantly, secure its client’s data. The decision affected major operations in different European countries as Altran Technologies is a global organization.
The attack nevertheless did not lead to data losses nor did it propagate to the networks or applications of Altran’s clients. Some of the global organizations that rely on Altran services and were affected by the breach include Iridium, a U.S. satellite operator, Ocado, a British online supermarket, Britain’s Network Rail, and Engie, a French utility organization.
2. A wave of supply chain attacks
Supply chain attacks have increased tremendously in 2019. These are attacks that start deep in the supply chain of a software development process. The attacks target organizations that have deployed less-secure components in their supply network. Also, the aim of supply chain cybercriminals is to target software suppliers and developers. The goal is to gain access to build processes, update mechanisms, or source codes to deploy malicious codes. This infects a malicious application with undetectable malware, thus distributing it to millions of users. There have been such cases in 2019 which have affected many individuals.
Barium group waging supply chain attacks using backdoors
Barium is a cybersecurity threat group that has used the supply chain attack techniques to distribute malware to unsuspecting victims. During this year, the group has been exploiting trusted applications and software updates. The tactics have been successful since the group infected over 1 million software users in different parts of the world. According to Kaspersky Security Lab, one of the tools the group used during its 2019 campaigns is the ASUS Live Update Utility. The group stole the software’s legitimate digital certificates and used them to develop malware. Since it used the exact digital certificates, the created Trojans were similar to the ASUS Live Update Utility, which comes preinstalled in ASUS computers.
With its hands on the software’s digital certificates, the group was able to conduct advanced persistent threats (APTs). The attackers used the unique identifiers in the network adapters to hardcode tables in the backdoors they had created in the stolen utility. As a result, anyone who installed the update utility would immediately start a process of checking if the user was among those targeted in the attack. The attackers accomplished this by using the backdoor to check the created tables. Computers that matched the tables indicated network activity, which permitted Barium to gain access for long periods without being detected. The attack was a wake-up call to the cybersecurity community as it was a clear indication of how easy it is for a supply chain attack to cause harm.
3. First American data leak
A cybersecurity disaster does not only consist of attacks or data breaches. Sometimes, organizations store highly sensitive data without applying sufficient security controls. Poorly secured databases have time and again been accessed by unauthorized parties compromising the personal information of millions of data owners. First American is an example of such an organization. The company is one of the largest real estate and title insurance companies on the planet. In May 2019, a security researcher, Brian Krebs, discovered First American’s database on a publicly accessible platform. The database had been exposed to the public without any measures for preventing unauthorized access.
As a result, anyone could have accessed over 885 million records containing highly sensitive client financial data. Some of the information dated back to 2003. The company is yet to confirm whether the data was accessed illegally, but the incident could have been catastrophic if malicious actors obtained the information. Some of the exposed information included customer bank account details, tax and mortgage documents, transaction recipes of all the company’s clients, driver’s license details, social security number, among others. Since the company provides real estate agents, and it is also an insurance provider, cybercriminals would have used the data to commit a wide range of identity theft crimes. The company and customers alike would have suffered huge financial losses, privacy violations, property theft, and so on.
4. Yet another largescale breach on Facebook
Facebook is indisputably the largest social media platform in the world, boasting over 2.3 billion users. The company has been rocked by numerous instances of breaches and privacy violations, forcing the CEO, Mark Zuckerberg, to appear before the U.S. Congress to shed more light on the increased attacks. Despite the company implementing more stringent measures for protecting user privacy, it still suffered a fatal data breach in 2019.
The company suffered a data breach that compromised the accounts of more than 419 million users. The breach impacted databases housing phone numbers of the affected individuals. The databases, which were linked to the account IDs of the users, were not protected by encryptions or passwords. As such, anyone could have found and accessed them. The exposed databases contained information of users located in different geographies. While revealing the breach, Zack Whittaker stated that the exposed databases were for users spread across different regions. 50 million records were for users located in Vietnam, 18 million records were for U.K. based users, and 133 million of the exposed records were for users in the United States.
It is also important to note that each of the exposed records consisted of the users’ unique Facebook IDs and phone numbers listed as connected to the corresponding accounts. Imagine what a hacker could have done with the information. The phone numbers, for instance, could be used to reset the password for each account thus providing unlimited access. The breach comes after Facebook put out an announcement in 2018 that it will enforce more measures focused on restricting access to user data. The massive and embarrassing breach confirmed that Facebook is yet to realize sufficient privacy protection measures. Further investigations showed that other types of personal data exposed in the breach included user location by country, gender, and usernames.
While addressing the breach, a spokesman from Facebook said that although the database contained information regarding Facebook users, the server hosting them did not belong to Facebook. The spokesman also added that the exposed datasets seemed old and appeared to be containing information acquired before the company made changes in its widely popular platform. Among the implemented changes included removing the ability to find Facebook users by searching their phone numbers. The datasets were taken down to contain the breach and the company was quick to point out that the breach did not compromise any accounts.
5. Cyberattacks take down thousands of websites and a TV station in Georgia
The BBC reported a massive cyber-attack that took down over 2000 websites and a national television station in Georgia. The attacks also affected court websites that have vital personal information and case materials. In most instances of the attacks, the hackers replaced the site home pages with the picture of the country’s former president, President Mikheil Saakashvili. The images were captioned “I’ll be back”, most likely meaning that the attack was politically instigated or it was state-sponsored. At the time of reporting, the origin of the destructive attack was yet to be known. Security experts and pundits, however, believe that Russia could have been behind the attack.
Nevertheless, many cybersecurity professionals attribute the success of the attack on the poor website security measures implemented in Georgian government websites. The poor protection caused the websites to be vulnerable to attacks. Consequently, at least 15,000 web pages were hacked into. Among the affected sites included those belonging to private companies, the presidential website, and non-governmental organizations. The attack was so severe that it took down the national TV station Imedi. The attack paralyzed the TV station’s operations for more than one hour. Another network, Maestro, was also a victim of the attack. The nationwide attack reportedly destroyed or damaged the network’s computers and vital equipment.
Following the attack, a cybersecurity professional based at Surrey University, Prof Alan Woodward, claimed that the magnitude of the attack was like anything the country has never seen before. The attack was destructive and affected the entire country, prompting the professor to argue that “it’s difficult not to conclude that this was a state-sponsored attack”. Despite the attack being significant, it did not affect any of the nation’s critical infrastructure.
6. Cyberwarfare between U.S. and Iran
Many cybersecurity experts believe that cyberwarfare will most likely be the preferred attack method between nations in the future. This already seems to be the case as demonstrated by the recent cyber warfare between the U.S. and Iran. The U.S. had earlier this year accused Iran of being responsible for attacking oil tankers in Saudi Arabia and shooting down an unmanned U.S. drone. Although Iran furiously denied the former accusation, it was quick to point out that the drone it shot down had violated Iranian airspace. U.S. President Donald Trump ordered a military strike which was canceled at the last minute. Instead, the country opted to execute a series of cyber-attacks aimed at Iran’s weapons systems that control rocket and missile launchers.
Sources privy to the attack revealed that the country had planned it many weeks in advance. The attacks targeted weapons systems under the control of the Islamic Revolutionary Guard Corps. According to AP news agency, the U.S. succeeded in taking the weapon systems offline, although for a small period. The attack, however, nudged Iran to execute retaliatory cyber-attacks. The U.S. Department of Homeland Security had warned against the attacks and it did not take long for Iran to start executing them.
The director of Cybersecurity and Infrastructure Security Agency, Christopher Krebs, warned of malicious cyberactivity that was targeting U.S. government agencies and industries. Iran’s cyber actors and several of their proxies were held responsible for the attacks. Krebs said that the actors were using destructive attacking approaches by using techniques such as credential stuffing, password spraying, and spear-phishing methods. The Iranian attackers were also trying to hack into the U.S. naval ship systems. Thankfully, none of the attacks were successful since the scope of destruction would have been unfathomable. Cyberwarfare is capable of completely destroying critical national infrastructure, not to mention that malicious actors in control of U.S. naval ships could attack the same people the ships should be protecting.
The cybersecurity disasters of 2019 show that it is indeed pertinent for all organizations to better protect themselves. In fact, nations need to step up their cyberspace security to prevent cyber warfare attacks like those between Iran and the United States. The only way to ensure maximum security in the private and public (government) sectors is for both to form a partnership. The private sector has the resources and expertise whereas government agencies like the U.S. Cybercommand have the unique capabilities. The private sector uses innovative strategies to formulate successful cybersecurity strategies. As such, private cybersecurity professionals draw a lot of expertise from creating a huge percentage of a country’s critical infrastructure. Supplementing this with the government’s capabilities would enable a country to realize a fully secured cyberspace.
Furthermore, public-private partnerships in cybersecurity would allow both sectors to share vital information. Information sharing has been the norm in sectors pertaining security. Timely dissemination of information would enable private organizations and the government to implement the best cyber defenses to counter any form of aggression.
More importantly, joint cybersecurity partnerships between private and public sectors can facilitate a coordinated approach in enhancing risk assessments and management. Technologies and new threats emerge every other day and it would be impossible for one sector only to achieve the desired levels of security. Collaborative risk management processes allow both sectors to support each other in managing all emerging threats.
Additional cybersecurity measures for both public and private organizations are:
Encrypt and password-protect databases and servers
Some of the top cybersecurity disasters could have been prevented had the affected organizations taken measures to secure their databases with encryption. All companies should learn from the mistakes of First American and Facebook and ensure they secure all databases containing personal information. Password security should be reinforced by multi-factor authentication to ensure only individuals with correct permissions have access.
Implement website security practices
Georgia suffered a massive attack since most of the websites used by the government and private organizations had poor security. Hacked websites can result in huge financial and business losses for the affected entity. To prevent this, some of the best website security controls include implementing firewalls to protect the sites and the web servers, frequent assessments to detect vulnerabilities requiring mitigation, and ensuring compliance with available regulations.