When we think about the industries that have the most to lose from a serious cyber attack, our minds probably immediately veer towards the finance, healthcare and energy sectors. That’s with good reason. As our own research here at Carbon Black highlights, 78% of investor relations-focused professionals say they observe attacks on the financial industry most often, with healthcare right behind it.
When we begin to discuss energy and critical infrastructure, there’s a strong argument to be made that World War 3 will be waged on that front, with literally tens of millions of lives hanging in the balance if an advanced and widespread attack were to occur.
Here, though, let’s shift the focus to the aviation industry which includes transportation, defence, logistics and more. It’s an industry that’s responsible for roughly 10,000 aircraft and 1,000,000 passengers that populate our skies across the globe at any given moment. Moreover, it’s an industry that adorned the UK’s mainstream news headlines of late when British Airways became the victim of a very sophisticated and malicious cyber attack resulting in the personal and financial information of 380,000 customers being stolen by cyber criminals.
What’s particularly interesting about this attack episode is that it’s believed the certificate the hackers used was actually issued on 15 August (which indicates they likely had access to the British Airways site before the reported start date of the attack, and possibly long before).
The breach illustrates how cyber attacks are becoming more frequent and more sophisticated as Nation State actors and crime syndicates alike continue to leverage elegant tactics like island hopping, fileless attacks, lateral movement and counter-incident response in a determined effort to remain undetected.
It’s Not Me, It’s You
Among the bigger problems the aviation industry faces today are not necessarily weaknesses in its own defences, but with island hoppers targeting organisations with less mature security postures along their global supply chain in order to gain access to connected systems.
According to the Carbon Black Quarterly Incident Response Threat Report, over a third of today’s attackers are using their victims for precisely this reason. As large enterprises become increasingly secure, we’ll surely see the use of this attack strategy expand.
We’ve been facing a cyber insurgency from foreign threat actors since 2014. In March of this year, the United States CERT issued an alert around ‘Russian Government cyber activity targeting energy and other critical infrastructure sectors’ which includes the aviation sector. In the alert, they describe the tactics, first observed in 2016, being used by the Russian Government as follows: ‘This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organisations such as trusted third party suppliers with less secure networks (referred to as ‘staging targets’ throughout this alert).’
It’s absolutely imperative that we remain aware of the fact that the route to exploitation often doesn’t begin with us. These tactics are not exclusive to the Russians. Threat actors from China, Iran and North Korea, etc are all using this increasingly common strategy in order to infiltrate the target, performing reconnaissance, lateral movement and counter-incident response along the way.
Case of TNT Express/FedEx
In 2015, FedEx began the acquisition of TNT Express, a UK-based shipping company. By 2016, the purchase was complete and systems integration was planned to occur over the coming year. What wasn’t planned was the devastating Shadowbrokers leak that hit the world in the early portion of last year, providing attackers everywhere with the EternalBlue exploit.
By June 2017, the Ukrainian arm of TNT Express was left crippled by a NotPetya attack that entered its networks via a bogus update from a piece of financial software called MeDoc. This wasn’t just any old cyber attack. A widespread effort by a Nation State group (think: who was occupying parts of the Ukraine at this time?) was underway, targeting the Ukraine and companies that do business there by leveraging the weaker defences and vulnerabilities that existed along the supply chain.
The damage done? Reported losses of $400 million in the first half of 2018. Around $1.10 of value was lost per share of FedEx stock. System integration costs also increased to the tune of an additional $600 million.
This attack crippled legacy systems which made up the backbone of the organisation’s infrastructure. Aircraft were grounded, truck routes ceased and brand degradation occurred as the organisation’s name consumed the news cycle for months in the wake of this devastating attack.
What can be done in defence?
We all need to take a page out of the pilot’s notebook. Through this approach, we can start adopting more comprehensive cyber security checklists that will reduce risk surfaces.
Much of your risk surface is considered low hanging fruit for attackers. For instance, focusing on vulnerability management, the controlled use of administrative credentials and instituting strict configuration management policies is a start, but we need to go further.
The ‘threatscape’ is now the most fluid it has ever been and teams must be equipped with solutions that:
*turn lights on in places that were not illuminated beforehand (think anti-collision lights and warning systems on the entire aircraft)
*provide an extensible platform that allows for proactive behaviours in defences (how much control over your systems do you have and can it be audited?)
*enable threat hunters (how rich is your data set, where does the data reside and what threat intelligence are you using?)
*give teams the ability to automate vital pieces of their workflow, in turn allowing for more cycles to focus on what matters (remember that solutions working in silos help no-one)
Furthermore, always ask questions. What standards are being used when vetting vendors that will handle your data, have a presence within your network or any other link to your systems that can be used or provide a beacon?
Don’t let a compliance stamp of approval allow you to sleep easy at night while the imminent threat still persists.
Jason Madey is Security Strategist at Carbon Black