We saw two different approaches to crisis management in recent Colonial and Irish Healthcare Service Executive (HSE) hacks. While Ireland refused to pay the ransom and it might cost more to restore and rebuild its IT systems, Colonial reportedly paid $4,4 M to the criminals.
Colonial Pipeline hack caused gas shortages and sent its prices soaring. Ireland’s HSE cyberattack resulted in shut IT systems and cancellations of non-emergency procedures. While it might seem that the latter incident has more at stake, Ireland refused to pay the ransom of $20M. Meanwhile, the Colonial pipeline handed criminals $4,4M.
Why is the crisis management approach to these two recent attacks on critical infrastructure different, and who will win in the long run? CyberNews spoke to cybersecurity experts to find that out.
To pay or not to pay?
Paying a ransom is a disputed question. While cybersecurity experts and authorities do not recommend succumbing to criminals’ demands, some businesses employ a common approach of paying a ransom as quickly and as quietly as possible to minimize disruption.
"We are dealing with this in accordance with the advice we received from cybersecurity experts, and I think we're very clear we will not be paying any ransom," Micheál Martin, the prime minister of Ireland, said during a news briefing.
Ireland’s approach to the recent attack sets a much better example than crisis management of Colonial Pipeline does, Mathieu Gorge, CEO and founder of cybersecurity company VigiTrust, told CyberNews.
“It is sending a strong message that organizations, governments have the ability to say that they messed up, they should not have been vulnerable, and are going to do the best that they can with the data that they can restore, and they will make sure it does not happen again. But they are not paying because if they are paying, then they essentially are advertising that you can do that again to them,” he said.
What is more, there is no guarantee that having paid the ransom, you will get your data back. There are numerous examples when data was either not given back or has been compromised, changed, or given back incomplete.
With the Colonial Pipeline hack, the main issue was crisis management. The decision to pay almost $5M, Gorge reckons, was a risky strategy as the longer-term costs might be higher than actually trying to restore what you have. On the other hand, maybe they didn’t have a proper backup system to get back on track fast enough.
“Every big company has a data breach and an incident response plan. Clearly, in the case of the Colonial Pipeline, there was a delay, and when they realized they had to pay, they made a decision. Whether it was made on impulse or whether they had already decided in advance that if there was ransomware up to a certain limit, they would prefer to pay it, we do not know. They decided it was easier for them to pay,” Gorge said.
Joseph Blount, CEO of Colonial Pipeline Co., told The Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems, and consequently, how long it would take to bring the pipeline back.
Colonial Pipeline and Ireland’s HSE cyberattacks are fine examples of how an attack on critical infrastructure is an attack on people’s way of life.
“Not everyone understands that critical infrastructure is how we live. We need to protect it because we protect access to water, the police, fire services, hospitals, banking, and so on,” Gorge said.
Alex Tarter, Chief Cyber Consultant and CTO at Thales UK, believes that many questions need to be addressed before deciding whether to pay a ransom or not. Western governments and authorities do not recommend paying ransom in any case as it only encourages criminals. If everybody stopped paying, it would no longer be profitable. Yet, the question is much more complicated.
“Sometimes, insurance companies will be the ones who will essentially pay the ransom. But we have seen some large insurance companies now basically no longer covering ransomware. It is complicated. Ransomware has moved beyond just encrypting the data,” he said.
Tarter, too, believes that paying a ransom does not guarantee that you will get your data back.
“The Colonial Pipeline instance, more than anything, did a disservice to ransomware because they paid it, but the question is, did the decryption software they get ahold of actually help. A lot of indications are coming out that their decryption program did not work effectively. So they paid the ransom, but they did not get access to their data. That is a really strong argument for not paying a ransom just because you cannot trust that you are going to get access to your information back,” he told CyberNews.
Was the HSE attack that sophisticated?
When the news about Ireland’s HSE hack first broke, the cyberattack was called significant and sophisticated. It is treated as a serious attack, as Ireland is working with international authorities, and Mcafee cybersecurity experts are also being consulted on the matter.
“What was not sophisticated about the attack is that it was essentially focused on addressing vulnerabilities that should not have been there. The same goes for other attacks too,” Gorge said.
Sometimes companies do not perform proper due diligence of the third-party vendors, and they become the weakest security link.
“Or you did not train people on phishing, and so you see people opening the wrong emails, or you did not train your management team on CEO and executive attacks that are very well done, at this stage. They appear to be sophisticated. Even the most sophisticated attacks, in the end, the way the attack unfolded is not sophisticated. They attacked a vulnerability that should not have been there,” Gorge added.
Darkside claimed responsibility for the Colonial Pipeline hack attack, while the Conti ransomware gang is believed to be behind the HSE attack. Darkside hackers claimed they are after money, not chaos. Yet, even by choosing its target alone, they caused quite a havoc.
According to Gorge, the line between the state-sponsored hackers and those who are just after the money is blurring. Some hackers are after disruption and fame, while others are going for the money. Nation-state hackers want to disturb the economy and social life in different countries.
“Unfortunately, we are seeing a blur between the last two categories where criminal gangs are going after hospitals and healthcare systems, and that is a mix of both - they are looking for money, but they are disrupting our way of life,” he said.
Yet, these do not seem to be state-sponsored attacks. The latter usually are much more complex and spread in time.
“You infiltrate some government systems or key infrastructure, and you wait, maybe a year, two years, or more, and you have a piece of software that is running and opening a backdoor to the systems, and you are waiting for the right opportunity to use it. It is very hard to detect, and it is dangerous. The ransomware is very quick and dirty,” Gorge told CyberNews.
Meanwhile, Tarter said there is not enough information to confirm whether the HSE cyber attack was sophisticated. However, it is a standard phrase used to say that there was nothing a victim could have done to prevent this. Advanced persistent threat (APT) is another name for a sophisticated attack.
“But you do not want to go all mission impossible and use your best stuff and absolutely use all of your most sophisticated methods if it turns out the door is unlocked, and you can walk in. Typically, an APT will start with phishing, the standard attacks, and if those are not working and you want to persist and go after a given target, you will ramp up your capability to achieve your objective. From what I can see, there is no indication the health service was being specifically targeted as opposed to being a target of opportunity,” Tarter said.
The criminals behind the HSE hack were after the money as ransomware is highly profitable at the moment.
Whether the Conti ransomware gang or DarkSide are state-sponsored is up for debate. Even if a certain adversary is not giving orders to cybercriminals, it does not exactly mean that they are not sponsoring them, Stel Valavanis of Chicago-based onShore Security told CyberNews.
Tarter explained that states sponsor cybercriminal gangs differently, whether supplying them with tools and giving orders or turning a blind eye on their activities.
“There is a demonstrated pattern, and that seems to be the view of the US and UK government that Russia is not actively pursuing the criminal gangs responsible for a lot of the ransomware activity. Then there is North Korea which has a more demonstrable capability for performing ransomware to bring in cash for the regime,” Tarter explained.
Remediation vs resiliency
Even though humans are always claimed to be the weakest security link, cybersecurity training can only get us so far, Tarter reckons.
“If you are relying on humans for the entire defense, you are going to have a bad day. (....) It is like saying you build an entire fortress out of paper, and then you blame the one person who happens to carry a candle around and drop it,” he said.
There are so many ways to breach a business that criminals will most certainly find a way in if they are persistent enough.
“For a start, there are 102 ways into a business. Currently, humans are the weakest and easiest point. Once you beef that up, all you are doing is pushing criminals somewhere else. They will find other ways of getting in. There are plenty of significant big vulnerabilities. The initial compromise would be a human but was it that one person? It was the architecture and connectivity between all systems,” Tarter said.
According to him, companies constantly pursue efficiency, and while it might be great for the business, it is also what makes companies fragile.
“This is where we are starting to think, can we, instead of just focusing on efficiency, focus more on resiliency, and work out if we can operate without certain technologies and access to certain systems. Turn off a system, for example, and email, accounting, and see if your business can survive. You need to run through these types of scenarios so that the impact to one bit of your system has a negligible impact on the business,” he said.
Instead of only lowering the risk of compromise, companies should also be investing much more in resiliency.
“Remediation activities are expensive, whereas if we can reduce the impact from ransomware, it would no longer be a cost of doing business,” he said.
More great CyberNews stories:
Subscribe to our newsletter