“This type of organized cyberattack is
usually conducted before a military action.”
Those are the alarming words of Sensato
CEO and cybersecurity expert John Gomez, who was talking about the ongoing Russian attack on
U.S. critical infrastructure. Gomez had recently been briefed by the
U.S. Department of Homeland Security (DHS) about the attack.
His words echoed those of Director of
National Intelligence Dan Coats, who told the Hudson Institute in Washington,
D.C., “The digital infrastructure that serves this country is literally under
conducted its own investigation, ultimately
verifying the disturbing state of affairs.
What makes this attack especially hair-raising
is the fact that it’s so simple, and yet it has been incredibly effective at
breaching hundreds of organizations in the electric, nuclear, aviation,
manufacturing, government, and other critical infrastructure sectors.
And it was achieved by using social
engineering and open source intelligence to compromise partner and supplier
systems. Once the attackers were inside those networks, they simply generated
phishing emails from those trusted businesses, bypassing traditional security
controls and systems.
Familiar Tactic; An Unknown Goal
Despite the fact that this attack has
been underway for at least 18 months, no information has been exfiltrated; no
systems have been damaged or destroyed; no ransom has been demanded.
Sound familiar? It should. Orangeworm
similarly infiltrated hundreds of healthcare organizations via vulnerabilities
in medical devices.
have an average of 6.2 vulnerabilities each.
And, like Orangeworm, this attack
hasn’t yet revealed its ultimate goal. For over a year, attackers have had
access to turn off firewalls, grant administrative privileges, manipulate ports
and networks, enable concurrent systems, add terminal server configurations,
map networks, locate jump machines that create bridges to segregated networks,
archive data, catalogue IP addresses, and create blueprints of entire systems.
“Usually you see this type of
reconnaissance as a precursor to a military attack or another type of warfare,
perhaps economic,” says Gomez. “They’ve been inside our critical infrastructure
systems long enough to know how to shut them down and create a serious crisis.”
Ukraine the Blueprint?
For example, as Russia has waged a
relentless invasion of Ukraine, military assaults have been coordinated with
cyber assaults aimed at destabilizing the country. Before Russia forcibly
annexed Crimea in 2014, Russia tampered with the Central Election Commission.
After the annexation, Russian cyber attackers hobbled three Ukrainian utilities
in the middle of winter. In 2016, they took out another utility in Kiev. The cyber
assault on Ukraine has been relentless, systematically undermining the energy,
transportation, military, finance, media, and political sectors.
The DHS didn’t go so far as to speculate about what the
Russian attack on U.S. infrastructure means, but the alarm bells are loud
enough to have not only the DHS issuing warnings, but also the FBI and other
One of the cybersecurity best practices Sensato always
recommends is a risk
assessment and security certification of all suppliers and partners,
and this Russian infiltration perfectly illustrates why this is so important.
However, Sensato’s experts know that this is one area
where most organizations fall short, and understandably so: a hospital, for
example, will have on average between 700 and 1,500 vendors.
That’s why Sensato also recommends architecting networks
for defense. That means limiting which application executables may run, blocking access to
noncritical websites, disabling local admin access, limiting single sign-on,
instituting two-factor and multi-factor authentication, rethinking fault tolerance,
locking down jump machines, segmenting sensitive data and systems, installing a
honeypot, and educating every person who has access to your network.
“One of the most helpful ways we’ve found to keep users
from clicking on links in phishing emails is just showing them how they can become
firewalls for your company,” says Gomez. “Just a lunch-and-learn
with a phishing simulation is all it takes to get people thinking more
critically when they’re responding to their email.”
Another gold standard is the honeypot, because your best
chance for stopping an attack is during the intel-gathering stage. As Gomez
notes, the Russian attackers started to inventory systems once they were inside
– which means they started to ping and Nmap (network map) the environment. A honeypot solution like
would have detected that activity.
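The reason a honeypot catches the intel-gathering stage is that nothing legitimate should ever touch it, so a single contact is already a signal, and the ping-and-Nmap pattern the article describes (many addresses, then many ports on one address, in a short time) stands out even more sharply. The script below is an added illustration of that detection logic written for this article; it is not Sensato's or MD-COP's code. The log format (one line per connection attempt or ICMP echo request), the field names, the thresholds, the time window, and the sample traffic are all assumptions constructed for the example.

```python
"""Flag scan-style reconnaissance in honeypot connection logs.

Added illustration for this article; not Sensato's or MD-COP's code.
The log format, field names, thresholds and sample traffic are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    proto: str
    port: Optional[int]  # None for ICMP echo requests


def parse_line(line: str) -> Event:
    """Parse one record: '<ISO time> <src> -> <dst> <proto> [<dst_port>]' (assumed format)."""
    fields = line.split()
    if len(fields) < 5 or fields[2] != "->":
        raise ValueError(f"malformed record: {line!r}")
    ts, src, _, dst, proto, *rest = fields
    port = int(rest[0]) if rest else None
    return Event(datetime.fromisoformat(ts), src, dst, proto, port)


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_recon(events, window=timedelta(seconds=60), host_threshold=5, port_threshold=8):
    """Return {src_ip: set(findings)} for every source that touched the honeypot.

    honeypot_contact  - any traffic at all (no legitimate traffic should arrive here)
    host_sweep        - >= host_threshold distinct destinations inside one window (ping sweep)
    port_scan:<dst>   - >= port_threshold distinct ports on one destination inside one window
    """
    findings = defaultdict(set)
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    for src, evs in by_src.items():
        findings[src].add("honeypot_contact")
        evs.sort(key=lambda e: e.ts)
        start = 0  # left edge of a sliding time window over this source's events
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            recent = evs[start:end + 1]
            if len({e.dst for e in recent}) >= host_threshold:
                findings[src].add("host_sweep")
            ports_by_dst = defaultdict(set)
            for e in recent:
                if e.port is not None:
                    ports_by_dst[e.dst].add(e.port)
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_threshold:
                    findings[src].add(f"port_scan:{dst}")
    return dict(findings)


def constructed_sample() -> str:
    """Constructed sample log (not real traffic): 10.0.9.x are honeypot addresses."""
    lines = []
    # A scanner pings six honeypot addresses in six seconds...
    for i in range(1, 7):
        lines.append(f"2018-03-15T02:10:0{i} 10.0.5.23 -> 10.0.9.{i} icmp")
    # ...then probes ten ports on one of them within the same minute (Nmap-style).
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 139, 443, 445, 3389]):
        lines.append(f"2018-03-15T02:10:{10 + i:02d} 10.0.5.23 -> 10.0.9.4 tcp {port}")
    # One stray connection from a misconfigured workstation: contact, but not a scan.
    lines.append("2018-03-15T02:15:30 10.0.7.10 -> 10.0.9.4 tcp 443")
    # A patient scanner spreads three probes over ten minutes: below both thresholds,
    # which is why the honeypot_contact finding matters and the window must be tuned.
    for i, port in enumerate([22, 80, 445]):
        lines.append(f"2018-03-15T03:{i * 5:02d}:00 10.0.6.40 -> 10.0.9.2 tcp {port}")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, tags in sorted(detect_recon(parse_log(constructed_sample())).items()):
        print(src, sorted(tags))
```

The slow scanner in the sample is the caveat worth noticing: a sixty-second window and fixed thresholds catch the noisy inventory pass but not an attacker who spaces probes out, so the bare `honeypot_contact` finding, not the scan classification, is the alert that must never be ignored on a honeypot.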
repeat themselves, so we know that they’ll continue using these same tactics
that have been so successful,” says Gerry Blass, CEO of compliance
management solutions provider ComplyAssistant and chair of
the New Jersey Healthcare Information and Management Systems Society Privacy,
Security, and Compliance Committee. “Turn their tactics against them with a
honeypot, which allows you to not only detect the breach but also to gather
information about the attack so you can fine-tune your response to it.”
MD-COP will secure your data, devices, and
network from targeted and “side effect” attacks. Act quickly.