To all of my readers out there, Happy New Year!!  I hope and pray that this year will bring everybody peace, prosperity, and of course, freedom from becoming a victim of a Cyberattack.  It’s hard to believe that 2019 is over; in some ways, it still feels like last year.  But it is even harder to fathom that we are in a brand-new decade as well.

During the course of the last week, especially between Christmas and New Year’s, I spent a lot of time perusing the news headlines that I think are relevant to Cybersecurity, and I posted them on both my Twitter and LinkedIn news feeds.

There was not a lot happening, just the usual predictions of what 2020 is going to bring, and how this year will transpire in terms of the threat landscape.

Nothing much happened on New Year’s Day, but right after this, the Cyberattacks started to happen once again.  In fact, the theme of this blog is going to be the first Cyberattack that hit in 2020.  Well, who is to say what the first real one was, but this is the first documented one.

I didn’t pick this kind of topic for nostalgic reasons only; the issue it touches on is very important to me and, I hope, to the rest of the Cybersecurity Industry.

So, what exactly happened, you may be asking?  Well, a nasty piece of ransomware called “Ryuk” hit a station of the United States Coast Guard (aka USCG), impacting its Critical Infrastructure, including its Industrial Control Systems (aka ICSs), its Physical Access Entry points, Security cameras, etc.  The USCG did not reveal the name or exact location of the facility that was impacted.

But from what I could tell from the various news stories surrounding this, it could very well be that this location was one which handled supply chain and logistics stuff to serve the needs of the USCG.  So, how did this happen?  It all happened through the good ol’ Phishing Email.

Apparently, once the employee clicked on the malicious link, the Cyberattacker was able to gain a pretty big foothold and take control of the various systems mentioned previously.

The malware first hit the ICS components which had a direct association with the cargo and bulk transfer mechanisms, as well as the critical software files which were needed to run these types of processes. 

This then had a cascading effect on the IT and Network Infrastructure of this USCG “outpost”, and from there, it severely disrupted the CCTV cameras and other forms of Physical Access Entry safeguards that were put into place prior to this ransomware attack.

Finally, the last areas to be impacted were the Process Control Monitoring Systems.  The USCG did reveal that it took about 30 hours or so to resume full operations at this “outpost”.

Although this may seem like a very long period of time, especially given all of the critical operations that were hit, it actually could have been a lot worse, according to the USCG.

The reason for this is that there were Security Protocols already in place to mitigate this kind of Cyberattack.  Some of these controls included the following:

* Up-to-date Intrusion Devices were deployed which could monitor network traffic on a real-time basis and thus alert the IT Security team to any anomalous or suspicious behavior that was occurring;

* All of the Antivirus and Antimalware software packages that were being used had also recently been updated with the latest patches and upgrades;

* All of the logging and event monitoring occurred in one central location, so it was easier to monitor all of the alerts that came through;

* The Network Infrastructure was broken up into different segments (also called “subnets”), which were thus isolated from one another, and this kept any other types of cascading events from occurring;

* All blueprints and related diagrams of the IT and Network Infrastructures were also kept up to date;

* This “outpost” adopted and implemented a schedule of regularly backing up its mission critical databases and datasets.

My Thoughts On This

First, if you would like to get more information on the Ryuk Ransomware, click on the link below:

https://www.us-cert.gov/ncas/current-activity/2019/06/28/ncsc-releases-advisory-ryuk-ransomware

Second, just take a few minutes and think about the impact that just one click on a malicious link had.  We still hold the fallacy that merely clicking on a link will not do much damage, but this Cyberattack clearly illustrates otherwise.

It is important to keep in mind that all that is needed is just one entry point for the Cyberattacker to get into, no matter how small it is.  Once even the tiniest of holes is opened up, all hell can break loose from there.

So it is imperative that, if you are a business owner or an IT Manager at any level, you train your employees on the importance of knowing what a Phishing Email looks like, and the horrible impacts that it can bring onto an organization.

Remember, Phishing Attacks do not simply harvest passwords and other sorts of PII records; they are also used strategically so that a Cyberattacker can covertly find their way in.

Third, this Cyberattack also clearly demonstrates that everybody is at risk of becoming a victim, no matter how strong your lines of defense might be.  You cannot overlook anything.  All one can do is maintain a proactive mindset, and take quick action to mitigate an attack in order to keep it from continually spreading.

Fourth, as mentioned previously, 30 hours is actually a rather short period of time for a facility that has been impacted on both the digital and physical fronts to come back to full, normal operations once again. 

I highly applaud the team that kept up to speed on making sure that the latest safeguards were in place, especially from the standpoint of having a central location where all of the alerts and warning messages could be filtered through.

In a previous blog I mentioned that there is now a fundamental shift in the thinking of both CIOs and CISOs: deploying too many Security technologies is in and of itself a huge vulnerability.  For example, not only does this increase the attack surface, but having reporting tools at too many points makes it impossible for the IT Security team to filter through all of those messages.  As a result, many of them will often go unnoticed or even ignored because the team is just too overtaxed and overburdened.

With a centralized location, not only is this process much easier, but other more advanced tools such as Artificial Intelligence (AI) can also be efficiently deployed, especially in the area of task automation.

Fifth, although this incident appears to be an isolated one, it should not be taken lightly.  Attacks on Critical Infrastructure are a real thing, and the day could very well come when multiple cities here in the United States will be hit, disrupting all of our transportation and logistics chains, and mission critical lines that include water, oil and gas, food, etc.

Finally, not getting political here, the recent events in the Middle East last week are only going to exacerbate the risk of a large-scale Cyberattack on US Critical Infrastructure.  As a result, our political leaders need to be very careful and watchful of the things they do and say, especially when it involves nation state threat actors like Iran.