The current geopolitical climate and the escalating crisis in Ukraine amplify concerns about the heightened cyber threat to global supply chains already strained by the COVID-19 pandemic. This is perhaps the first time in history that the threat of cyber warfare is potentially as devastating as the physical battle unfolding on the ground. Government officials are warning organizations to prepare for an increase in cyberattacks on businesses and critical infrastructure.
Last year, cyberthreats to global supply chains were in the spotlight following unprecedented cyberattacks on Colonial Pipeline, JBS and SolarWinds, attacks that had far-reaching consequences for downstream businesses, customers and individual consumers.
In May 2021, Colonial Pipeline fell victim to a ransomware attack that forced the company to abruptly shut down the pipeline and suspend all operations for the first time in its history. This led to an immediate disruption of the country’s fuel supply along the East Coast, causing shortages and gas price spikes. Later that month, a ransomware attack targeted JBS, one of the world’s largest meat producers, and forced the company to temporarily shut down its US facilities, which supply 23% of the country’s beef.
According to various sources, both attacks were carried out by cybercriminal groups with ties to Russia (DarkSide in the Colonial Pipeline attack and REvil in the JBS attack), although White House officials refrained from stating that these attacks were state-sponsored. In the case of Colonial Pipeline, the US Department of Justice later seized roughly $2.3 million of the approximately $4.4 million ransom the company had paid, and in January 2022 Russian authorities announced the arrest of several alleged REvil members.
In April 2021, the New York Department of Financial Services (NY DFS) released a report on the SolarWinds cyberattack.1 According to NY DFS, the SolarWinds attack was part of a sophisticated cyber espionage campaign attributed to Russian foreign intelligence actors. SolarWinds later determined that the attackers had been active in its environment since early 2019, months earlier than the initially disclosed timeline and nearly two years before the breach was discovered in December 2020.
SolarWinds is a software company with more than 320,000 customers, including government, financial services and telecommunications companies. Hackers gained access to the build process for a SolarWinds product known as Orion, which is designed to monitor an organization’s network. They inserted malicious code into a legitimate, digitally signed Orion software update, which was then downloaded and installed by SolarWinds customers. The backdoored update gave the attackers a foothold in customers’ internal networks and access to information stored on those systems. NY DFS called the SolarWinds incident a “red flag” for all organizations, not just the financial services industry, that highlights the “existential threat” and “vulnerability to supply chain attacks.”
On January 11, 2022, the United States Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) issued a joint cybersecurity advisory warning organizations of the increased risk presented by cyber threats.2 In particular, the advisory provides an overview of commonly observed tactics and techniques used by Russian state-sponsored cyber operations and advice on how to mitigate the risks posed by these and other threats. According to the advisory, Russian-backed Advanced Persistent Threat (APT) actors have demonstrated increasingly sophisticated capabilities designed to compromise infrastructure and third-party software, in addition to developing and deploying custom malware that can maintain access to computing environments without detection for long periods.
The Ukrainian Factor
Since the escalation of the conflict in Ukraine, Ukrainian officials have hailed the efforts of a volunteer “IT Army” said to number some 400,000 participants, who target the Russian government by taking down banking websites, attacking military systems and providing intelligence. This may be the first time in history that a government has publicly acknowledged and recruited a volunteer cyber “army” to aid its defensive military operations. Meanwhile, the ransomware gang known as “Conti” has publicly declared its support for Russia. In a recent report, the US Department of Health and Human Services (HHS) noted that Conti has consistently targeted US healthcare organizations with ransomware attacks that both encrypt systems and steal information.3
US legislative effort awaits House approval
Recognizing the growing risk of cyberattacks against critical infrastructure, supply chains and American businesses, the Senate recently passed a bill known as the Strengthening American Cybersecurity Act. The bill, which has yet to pass the House, includes provisions that would require critical infrastructure organizations4 to report “substantial” cyber incidents to CISA within 72 hours. Additionally, organizations that pay a ransom to cybercriminals would be required to report that payment to CISA within 24 hours. The bill is designed to encourage (and mandate) communication and cooperation between the public and private sectors regarding cyber threats that could have devastating consequences for the country.
All of these recent developments underscore the need for organizations across all industry sectors to recognize that cyber threats pose significant risks and costs, including supply chain disruptions, economic losses, reputational harm and safety issues. As NY DFS noted in its SolarWinds report, organizations need to adopt a “Zero Trust” approach and prepare for the failure of their suppliers.
Prepare for the worst
All organizations must take steps to mitigate cyber risk, in part by focusing on critical vendors and third-party service providers. In fact, a number of existing and soon-to-be-enacted cybersecurity laws and regulations legally require organizations to assess, manage and mitigate third-party cyber risk.
For example, the NY DFS Cybersecurity Regulation, 23 NYCRR 500.11, requires covered entities to implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessed or held by third-party service providers. An organization’s policies and procedures should address:
Identification and risk assessment of third-party service providers
The minimum cybersecurity practices that these providers must meet
The due diligence processes the organization uses to evaluate the adequacy of a provider’s cybersecurity practices
Periodic reassessment of providers based on the risk they pose to the organization
In the event of a cyberattack, the January 11, 2022 joint cybersecurity advisory from CISA, the FBI and the NSA recommends that organizations take the following actions:
Contain. Immediately isolate affected systems.
Secure backups. Make sure backup data is offline and secure. If possible, scan backup data with an antivirus program to confirm it is free of malware before relying on it for recovery.
Investigate. Collect and review relevant logs, data and artifacts to determine the nature and extent of the threat actor’s activity in the environment.
Remediate. Consider enlisting a firm specializing in incident response to ensure that the malicious actors are eradicated from the network and to avoid residual problems (such as leftover credentials or persistence mechanisms) that could lead to subsequent exploitation.
Report. Report incidents to the applicable regulators and law enforcement agencies.
1 See NY DFS, Report on the SolarWinds Cyber Espionage Attack and Institutional Response (April 2021).
2 See CISA Alert AA22-011A, “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure” (January 11, 2022).
3 See HHS Report 202203011700, “The Russia-Ukraine Cyber Conflict and Potential Threats to the U.S. Health Sector” (March 1, 2022).
4 Critical infrastructure sectors include chemical, communications, critical manufacturing, dams, the defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors and transportation systems, among others.