Accenture’s recent 2020 Cyber Threatscape report touched on some vitally important trends in the energy, mining and utilities sectors in the UK and Ireland. These include malicious actors taking advantage of COVID-19 to facilitate attacks, but notably also their pivot to the business of ransomware. There are a number of examples of ransomware attacks in the energy sector, including one against a US water utility.
Fortunately, there is a clear path to protection, which I outline below. But first, let’s look into the characteristics of this new trend in cyber attacks.
From banking trojans to ransomware
Some groups such as WIZARD SPIDER and INDRIK SPIDER seem to be adding advanced ransomware to their existing arsenal of banking trojans. The criminals behind WIZARD SPIDER appear to have developed their own ransomware, Ryuk, and are using their banking trojans TrickBot or Emotet to drop/deploy it. Similarly, according to the CrowdStrike 2020 Global Threat Report, a new group split off from INDRIK SPIDER to form DOPPEL SPIDER, which uses a banking trojan called DoppelDridex as a dropper.
As noted in our 2020 Threatscape report, the ransoms paid so far in 2020 have risen by about 60 percent, up to an average of $178,254. In addition, top ransomware demands have grown steadily, with the highest demands, as reported by CrowdStrike, rising to $12.5 million (in a case involving Ryuk ransomware). As with any type of breach, keep in mind there is significant reporting bias in such numbers.
A new trend is emerging: some malicious actors now delay the disruption, giving themselves time to determine how much ransom an organisation can pay. Others incorporate destructive capabilities into their arsenal, including LockerGoga and MegaCortex, as reported in the 2020 IBM X-Force Threat Intelligence report. Thus the trend is clear: not only are energy sector clients under threat from the usual bad actors, there is also a significant shift, with organised crime looking for payouts across new industries beyond their usual targets, either through their own ransomware or by renting it out on a profit-sharing basis.
Ominous implications for Critical National Infrastructure
Operators of critical national infrastructure in the energy sector should take into account the very real risk of large-scale disruption. When NotPetya hit Maersk in 2017, CEO Søren Skou said the impact of the breach was in the neighbourhood of $300M. This illustrates several lessons:
- A number of controls can help mitigate ransomware attacks, both in terms of prevention but also in reducing contagion across an organisation. The sooner they are deployed the better.
- Although it was labelled ransomware, in this case at least, NotPetya’s main focus was disruption.
- Maersk’s disruption was actually collateral damage, in that NotPetya was a focused nation-state attack. To Maersk, this didn’t matter: The ‘crossover’ cost it dearly.
- There’s no guarantee that paying a ransom will avoid disruption even when it is a pure ransomware attack. For TNT, Maersk and WPP, paying wouldn’t have made a difference.
To add to the challenges, organisations operating in the critical national infrastructure space are increasingly subject to cyber security regulations, including the NIS Directive (which mandates breach notification), privacy regulations such as the General Data Protection Regulation (GDPR) and more.
Outfox cyber criminals with defence-in-depth
As operators of critical national infrastructure, our clients in the energy and utilities sectors should approach cyber security with the mindset that any single control can, and probably will, be compromised. Even with strong perimeter controls such as firewalls, intrusion prevention and similar measures, bad actors will likely leverage other methods, including social engineering via phishing or spear-phishing, or guessing and harvesting user credentials.
How to be prepared, protected and ready to respond
Focus on a robust approach to security, and therefore resilience. This means:
- Understanding your business assets and their importance.
- Knowing the threats, and importantly how to mitigate their risks, using a framework such as MITRE ATT&CK®.
- Building preventative controls. This includes managing identity, access and privileged access, using two-factor authentication, securing endpoints, staying up to date on patching, hardening servers/applications and building-in security via DevSecOps and cloud security.
- Employing a comprehensive framework such as ISO/IEC 27001 and ISO/IEC 27002 or the NIST Cybersecurity Framework.
- Building strong detection capabilities via a security information and event management (SIEM) service.
- Preparing the right responses via crisis management, business continuity management and disaster recovery plans, backed by exercises. Many companies are investigating incident response retainers to be ready if the worst happens.
- Creating backups, including disconnected backups of critical services; remember to test those backups and scan for malicious code before attempting a restore.
- Vetting response capabilities to ensure you can isolate a threat to limit damage.
- Integrating public and private threat intelligence into security operations. Examples from Accenture include iDefense®.
- Focusing on security awareness with, for example, simulated phishing campaigns.
Don’t forget OT environments
As our Cyber Threatscape Report also notes, OT environments are increasingly in the crosshairs of criminals. With organised threat actors moving into destructive capabilities, this takes an even higher priority. These attacks can bring significant implications for human life and welfare. Keep this in mind and check the NCSC’s ransomware guidance.
One more thing
Do all this before you’re breached.
Copyright © 2020 Accenture. All rights reserved. Accenture, and its logo are trademarks of Accenture.