Ransomware attacks on Western infrastructure might have been a wargaming exercise - interview
Critical infrastructure is a juicy target for state-sponsored hackers. The way such attacks are prepared might signal that last year's ransomware rush was no accident.
Several American government agencies recently warned of a novel malware targeting critical infrastructure operators in the country. Security researchers believe that state-sponsored actors, likely from Russia, might aim at NATO members and Ukraine.
Last year, several major financially motivated cyberattacks against critical infrastructure assets in the West rocked the cybersecurity community. Since Russia-linked ransomware gangs attack US critical infrastructure most often, it raises the question of whether those ransomware attacks were meant to advance Moscow's goals.
Mathieu Gorge, a cybersecurity veteran and the CEO of SaaS solutions provider VigiTrust, thinks that while it's impossible to know for sure, it makes sense to test your adversaries' and their allies' critical infrastructure before starting a military campaign.
"I think that if you are going to launch a physical attack, it makes complete sense to do some test hacks on the infrastructure of your targets and their allies." – Mathieu Gorge, CEO of VigiTrust
"You could say there's a strong suspicion, at least in the intelligence community and the threat community, that this is not a coincidence. However, we can't really prove it," Gorge told Cybernews.
We also had the opportunity to discuss how countries prepare to hack critical infrastructure assets, whether an all-out cyberwar has already started, and which nations might be the first targets. Gorge thinks we should keep a close eye on private managers of critical infrastructure.
Major ransomware attacks of past years, the SolarWinds attack, the attack on Colonial Pipeline, and the attack on meatpacker JBS, have a connection to Russia. Do you think these were carried out with the war in Ukraine in mind?
Attribution is very hard for those attacks. You can say they allegedly come from Russia. You can also get a Russian group claiming that it's from them, but it's difficult to be one hundred percent sure. There is a lot of evidence suggesting that those attacks did come from Russia and were used to weaken the Ukrainian infrastructure before the physical attack.
It's hard to know if the attacks on SolarWinds, JBS, and the health service in Ireland were an attempt to see how secure the infrastructure was. We saw a huge rise in attacks on infrastructure in 2021. I think that if you are going to launch a physical attack, it makes complete sense to do some test hacks on the infrastructure of your targets and their allies.
You could say there's a strong suspicion, at least in the intelligence community and the threat community, that this is not a coincidence. However, we can't really prove it.
Russia has carried out cyberattacks on Ukrainian cyberinfrastructure, its financial system, and government operations. How were these coordinated with on-the-ground military actions?
The evidence suggests that cyber and ground operations were coordinated. However, the Russians have made absolutely no comments on that. They've made comments about the physical attack, but not the cyberattacks. It's not officially linked, as far as I'm aware. But the timeline of both attack types is no coincidence.
I think we will see more attacks on infrastructure that is still working in Ukraine. There will also be more attacks on allies of Ukraine, specifically the United States, France, Germany, and the UK. We'll also see attacks on Russia coming from other countries.
Before attacking other nations' critical infrastructure, you would generally spend a couple of years researching. You would start looking at the infrastructure, mapping it out, and looking for vulnerabilities. You'd generally look into the health services, banking, military, police, transportation, access to water, energy, and food.
An attacker might do a few mock trials within that infrastructure. And then you start launching the attacks a few weeks before the physical attack, and then really go for it at the same time as the physical attack. This is not a super exciting strategy, it's just a strategy that works, and I think Russia knows that.
But so does Ukraine. They have an IT army, a group that essentially shows they'll not take this. Ukraine has excellent security and technical people, and they're protecting the nation's infrastructure and trying to go after the Russian infrastructure.
"There will also be more attacks on allies of Ukraine, specifically the United States, France, Germany, and the UK. We'll also see attacks on Russia coming from other countries." – Mathieu Gorge, CEO of VigiTrust
There's a back-and-forth discussion on whether we've seen a full-scale 'cyber war' between Ukraine and Russia. Some say we have, some say we haven't. Which side of the fence do you sit on in this debate?
There's definitely activity going on. It's not necessarily reported. But if you were expecting a cyber 9/11 or a digital Pearl Harbor, that hasn't really occurred. Can it still happen? Yes. But the reality is that right now, it's best for Ukraine to protect the infrastructure it still has access to. If we do see a major attack, it will probably not target Ukraine. It will be meant for the countries that are supplying weapons to Ukraine. Primarily the US, France, UK, and Germany.
Satellites are a somewhat novel installment in the critical infrastructure family. Do you see any cyber threats to orbital infrastructure?
Within critical infrastructure assets, telecommunication ranks as the highest priority. Once a satellite is seen as a critical asset, it becomes a target. An interesting thing with satellites and any other type of critical infrastructure is that the private sector owns some of it.
A lot of infrastructure is managed by private firms, which means that a third-party organization provides maintenance. That leads to some of the systems being connected to the web. New satellites are often launched by private organizations built by a mix of public and private funds.
And you can see how that creates additional risk surface and problems with governance. The state might require adhering to one set of standards, but the private company might be using different ones, and they might not be 100% aligned. When that alignment is missing, the risk surface expands.
And that's what the hackers are going to get at. Hackers only need to get it right once, but critical infrastructure operators need to get it right all the time. And the likelihood of getting it right 100 percent of the time is, well, medium. It's not low, and it's not high.
Pivoting a little bit further – it's no secret that virtually every system within the critical infrastructure domain is connected to some network to a certain degree. What dangers do you see here?
Let's take dam operators, for example. All the companies that operate dams have this private, secure network so that they can all communicate. On the other hand, if one of them is also connected to the internet, they get hacked. And from there, threat actors can get into the private network.
We've seen some funny examples of critical infrastructure manipulated in Australia and the US, where some disgruntled employees from water treatment facilities opened up the sewage into the rivers to create a bad smell. It wasn't life-threatening, the country's not going to go down because of that.
But there have also been such incidents with a control tower of a secondary airport in the US that hackers brought down due to the unsecured way in which they were connected to the internet.
For example, the payment card industry has requirements for firewalls that say you need to have a business justification for every exception in the firewall. The logic is rather simple: you shouldn't have that rule if you don't have a business justification. Anytime you have a rule in the firewall, it's to open a port for some traffic.
It is beyond me why there is no requirement to have a business justification for any connection from critical infrastructure to the internet. There are guidelines around that, but they're not very prescriptive.
In the case of critical infrastructure in Ukraine, you have fewer critical infrastructure assets that are physical because a lot of them have been destroyed. But you still have ones that need to be secured, although part of the overall infrastructure is down.
Some of the Russian infrastructure is absolutely exposed because of how the country is fragmented. And so there's absolutely no chance that it's a hundred percent bulletproof. The Anonymous hackers, the Ukrainian IT army, know that, and they're going to go after it.
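One way to turn Gorge's "business justification for every firewall rule" principle into a check an operator can actually run, as an added example that is not part of the interview: it assumes a constructed ruleset and a hypothetical list of organisation-internal address ranges, and flags every internet-bound allow rule that lacks a documented, dated and unexpired justification.

```python
import ipaddress
from datetime import date

# Hypothetical internal ranges; anything outside them counts as "the internet".
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample ruleset (not taken from any real operator). Each entry is an
# allow rule from an operational segment; 'justification' is the documented
# business reason and 'expires' the date by which it must be re-approved.
RULES = [
    {"id": "R1", "src": "10.20.0.0/16", "dst": "10.30.0.0/16", "port": 502,
     "justification": "SCADA polling to historian", "expires": "2025-12-31"},
    {"id": "R2", "src": "10.20.5.10/32", "dst": "0.0.0.0/0", "port": 443,
     "justification": None, "expires": None},
    {"id": "R3", "src": "10.20.5.11/32", "dst": "203.0.113.8/32", "port": 22,
     "justification": "Vendor remote maintenance", "expires": "2022-01-31"},
]


def is_internet_bound(dst_cidr: str) -> bool:
    """True unless the destination lies entirely inside an internal range."""
    dst = ipaddress.ip_network(dst_cidr, strict=False)
    return not any(dst.subnet_of(internal) for internal in INTERNAL_RANGES)


def audit(rules, today: str):
    """Return (rule id, finding) pairs for internet-bound rules that fail the
    'documented business justification' requirement as of the given ISO date."""
    cutoff = date.fromisoformat(today)
    findings = []
    for rule in rules:
        if not is_internet_bound(rule["dst"]):
            continue  # purely internal traffic is out of scope for this check
        if not rule["justification"]:
            findings.append((rule["id"], "internet-bound rule without business justification"))
        elif rule["expires"] is None:
            findings.append((rule["id"], "justification has no review/expiry date"))
        elif date.fromisoformat(rule["expires"]) < cutoff:
            findings.append((rule["id"], "justification expired"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit(RULES, "2022-06-01"):
        print(f"{rule_id}: {finding}")
```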