The healthcare industry is a soft target for attackers, and their vector of choice is ransomware. But ransomware isn’t just for healthcare, as illustrated by the Colonial Pipeline attack.
Ransomware is a form of malware where threat actors gain access to a system, then encrypt the data and lock critical systems before demanding payment to restore everything. The most common way ransomware attacks occur is via socially engineered phishing schemes. An internal employee, whether it’s the front desk clerk or the CEO, clicks on a bad link in an email and inadvertently lets in a hacker. The attacker then uses that initial foothold to reach other systems on the network, at which point they lock employees out of those systems and demand payment. This is a very common occurrence in the healthcare industry because outages there have literal life and death implications, so the victimized business is more likely to just pay up. Hackers have found a new target, though, and this one isn’t going to make people happy.
The Colonial Pipeline, which pushes fuel from Houston to New Jersey, was the victim of a ransomware attack, causing it to shut down the entire pipeline on Friday. The company, which is responsible for almost half of the East Coast’s fuel supply, said that service could be “substantially” restored by the end of the week. A portion of the statement on their website reads:
“While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach. This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week. The Company will provide updates as restoration efforts progress.”
Not all, but the vast majority of ransomware attacks occur as a result of a socially engineered phishing scheme. Yep, someone clicked a bad link and let in a threat actor who unleashed malware that encrypts data and makes systems unusable to those who need them. This could have been anyone, regardless of pay grade or seniority within the company. The problem here is that this isn’t just any business; this company is responsible for an incredibly large portion of the East Coast fuel supply. A prolonged shutdown has real ramifications, but this also illustrates how easily our economy could be crippled.
“Cybersecurity vulnerabilities have become a systemic issue,” said Algirde Pipikaite, cyber strategy lead at the World Economic Forum’s Centre for Cybersecurity. “Unless cybersecurity measures are embedded in a technology’s development phase, we are likely to see more frequent attacks on industrial systems like oil and gas pipelines or water treatment plants.”
Currently, Colonial is taking the appropriate steps to ensure security and systems are back up and running. It is a slow process and has to be done in stages. The culprit of this attack appears to be a Russian cyberattack group known as DarkSide, although investigations are being conducted by cybersecurity firms as well as the U.S. government.
Aside from the standard challenges posed by this situation, Colonial Pipeline also uses a combination of off-the-shelf and custom technologies. Between navigating all of those systems, their employees, and the thousands of outside contractors used every year, they have their work cut out for them.
Ransomware isn’t just for healthcare; it is used against a number of industries. While these threat actors have indicated that their motive is purely financial and has nothing to do with politics or anything else, other threat actors out there will have different motives. Their goal will be to disrupt our economy, and they will be successful unless we make serious changes. Ben Sasse, a senator from Nebraska who is a member of the Senate Select Committee on Intelligence, said, “This is a play that will be run again, and we’re not adequately prepared.” He noted that this should be a wakeup call and added that Congress should provide legislation that hardens sectors against these attacks.
Ransomware is nothing to scoff at; it has become a serious problem worldwide. It’s not going to slow down as long as it continues to work. Our fuel supply remains stable, for now. What happens when a threat actor hits our water supply? Our shipping infrastructure? Any other foundational part of our infrastructure or economy? There are a variety of ways threat actors will now seek to disrupt our lives. If you have a business, you are at risk. Don’t wait until it’s too late: review your security protocols, ramp up employee training and bring in an expert to close the holes your internal team missed because they stare at it all day. The success of your business is dependent on its security, and with the rise in attacks, now is not the time to put it off or shy away. Protect yourself, your employees and your customers. Get security right!