Norwegian aluminum giant Norsk Hydro estimates that it may have lost more than $40 million in the first week following the ransomware attack that disrupted its operations.
Norsk Hydro became the latest company to be hit by hackers in a ransomware attack as one of Europe’s leading aluminium producers suffered stoppages at several of its plants.
Resources firm takes 10 per cent stake in Sapien Cyber.
Location of choice for cybersecurity businesses
Joondalup companies such as Sapien Cyber are changing the industrial cyber security landscape by bringing together world-leading expertise with state-of-the-art technology. Sapien Cyber is reaping the benefits of locating its cybersecurity business in Joondalup.
A cyber crime syndicate has hacked and scrambled the medical files of about 15,000 patients from a specialist cardiology unit at Cabrini Hospital and demanded a ransom.
Car maker Toyota has been hit by a cyber attack in Australia, with employees locked out of their emails for days.
One of Australia’s senior military figures says the threat of cyber attacks against the nation’s infrastructure and military networks is on the rise.
Major General Marcus Thompson leads the Information Warfare Division, which was set up in mid-2017 with the aim of providing both defensive and offensive cyber capabilities.
In his first major media interview, he told the ABC that the job of protecting Australia from serious cyber threats was only becoming more challenging.
In this case study, we look at the operational challenges which Vulnerability Management in an OT environment presents and examine how the Sapien Cyber Vulnerability Management Service (VMS) solves these problems for a major Oil and Gas explorer, provider and supplier.
All passwords reset.
Parliamentarians and their staff have been forced to reset passwords after an apparent malicious attack against the parliamentary computing network overnight.
Multinational food and beverage company Mondelez has launched a legal case against its insurance provider, Zurich, after it rejected a $100 million (£78.5 million) claim for damage caused by a ransomware attack.
The firm, which owns the Cadbury, Toblerone and Ritz brands, was hit twice by NotPetya ransomware in 2017. Mondelez claimed that the attack had left 1,700 of its servers and 24,000 laptops “permanently dysfunctional”.
It said its property insurance policy with Zurich covered “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of machine code or instruction”.
Cybercriminals are becoming more sophisticated and more creative in architecting attacks.
Today’s integrated technology ecosystems not only allow IT networks to be used to mount attacks on OT networks; insecure OT devices can now also provide a pathway back into corporate IT systems.
Sapien’s solution accounts for the complex and ever-changing threat landscape, using advanced intrusion detection techniques combined with threat intelligence that is effective in both IT and OT environments.
Threats to critical infrastructure are now so advanced that they require an industrial cybersecurity solution that combines advanced technologies, machine learning and human intelligence to protect networks against the complex range of attack scenarios they are vulnerable to.
Sapien has developed a solution that changes the cybersecurity landscape forever.
A new variant of the Shamoon malware was discovered on the network of Italian oil and gas contractor Saipem, where it destroyed files on about ten percent of the company’s PC fleet.
Cyber attackers mainly look to spy and steal information from the energy and utility sectors, to be used in carefully orchestrated attack campaigns that tend to unfold over many months.
Hackers have infected three energy and transport companies in Ukraine and Poland with sophisticated new malware and may be planning destructive cyber attacks, research from security vendor ESET shows.
New technology now allows operators of industrial infrastructure such as oil and gas platforms, mine sites, manufacturing plants and utilities to have remote visibility and control over their production processes. The disadvantage of this new technology is that it provides avenues for cybercriminals to exploit. Therefore, advanced cyber security techniques are required to ensure the operating environment remains safe and secure from malicious actors who are always innovating to achieve their aims.
This article discusses a technique that would not normally be associated with cyber-crime: ‘cryptomining’.
The advent of blockchain technology allowed for the creation of the first decentralised virtual currency, Bitcoin. This was the first of many virtual currencies that could be ‘mined’ by a computer through the work of validating and extending a cryptographic chain of blocks.
The use of this technology has grown exponentially over the last few years. Mining involves competing with other miners to solve computationally expensive puzzles built on the cryptographic hash of a block containing transaction data. The reward for solving the puzzle is the confirmation of those transactions and a small amount of cryptocurrency.
Cybercriminals are capitalising on the rise of crypto mining and on the integration of industrial technology with the internet.
These malicious actors are starting to recognise the value of using the processing power of these operational systems as a means of mining cryptocurrency.
ICS targeted by crypto miners
The technology has resulted in ‘Cryptojacking attacks’ where the intent is to consume compute cycles within the target control system to perform the crypto mining activity. The goal for this type of attack isn’t to steal or take control of the infrastructure but to consume a small amount of computer power on the system to generate cryptocurrency. This can result in performance degradation of the system. The payload of this type of attack has been found to be delivered in malware that is becoming increasingly widespread.
Some would argue that actors targeting processing power, rather than company bank accounts or confidential data, are a lesser threat to an organisation.
However, the impact on a company’s systems can be both financially and physically disastrous.
All computing devices, from an employee’s laptop to an interface controlling air flow into a mine, are capable of a certain amount of processing based on their hardware specifications. In operational technology, these capabilities are often only enough for the device to function correctly and to cope with minor failures. If the device does not have adequate processing power, it will cease to function as expected, instructions given to the system will be ignored, and a manual reboot or complete replacement will be necessary. Cryptomining consumes exactly this headroom: the mining software takes the processing power of a device and uses it to perform its mining function.
In the best case, the targeted device is a regularly used machine, the slowdown or failure of its function is noticed by an operator, and processing is stopped so that it can be fixed. Even this ‘best case scenario’ carries the cost of stopping every system that depends on the compromised device while it is repaired or replaced. However, the infected machine could be part of a safety or redundancy system that is only used in an emergency. Only when it is needed will the system fail, resulting in potentially catastrophic physical damage or loss of life.
A secondary consequence is the bandwidth usage of cryptocurrency mining operations. Cryptomining software will regularly be in contact with its Command and Control (C2) server, creating high levels of data traffic that adds greater stress to operational technology communications infrastructure.
Traditional cyber security practices, such as the use of anti-virus software and firewalls, are a good start for the protection of an industrial network’s perimeter. However, the innovation seen in recent cyber attacks demonstrates the importance of a solution that is resilient and adaptable.
Cryptomining software and data traffic can often go undetected by common malware signature databases and firewall rulesets.
ICS-specific detection solutions provide visibility of what devices in a network are communicating and how. These solutions often raise alerts based on the anomalous behaviour of devices. A sudden rise in traffic from a device leads to an immediate investigation. If a safety redundancy device is consistently operating, network visibility provides the actionable intelligence needed to address the issue immediately.
Passive network monitoring solutions provide insights and visibility against malicious crypto mining activities, with minimal impact on network bandwidth.
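The two behavioural checks described above (a device whose traffic suddenly rises above its own baseline, and a standby safety device that is communicating when it should be idle) can be expressed as simple heuristics over passively collected per-interval traffic counts. This is an added example, not Sapien Cyber code; the device names, byte counts and thresholds are constructed for illustration.

```python
# Added example: two passive-monitoring heuristics from the article, run over
# constructed per-interval byte counts (device names and values are made up).
from collections import defaultdict
from statistics import mean, pstdev

# 'plc-01' has a steady cyclic load, 'hmi-02' jumps once a miner starts,
# 'safety-relay-03' is a standby device that should stay near-silent.
SAMPLE_FLOWS = (
    [("plc-01", i, 12_000 + (i % 3) * 500) for i in range(12)]
    + [("hmi-02", i, 8_000 if i < 8 else 95_000) for i in range(12)]
    + [("safety-relay-03", i, 0 if i < 2 else 6_500) for i in range(12)]
)
STANDBY_DEVICES = {"safety-relay-03"}  # expected idle outside an emergency


def per_device_series(flows):
    """Group (device, interval, bytes) tuples into per-device ordered series."""
    series = defaultdict(dict)
    for device, interval, nbytes in flows:
        series[device][interval] = nbytes
    return {d: [v for _, v in sorted(s.items())] for d, s in series.items()}


def traffic_spikes(flows, baseline_intervals=6, factor=3.0):
    """Flag intervals where a device exceeds a threshold learned from its own
    first baseline_intervals: the larger of factor x mean and mean + 4 sigma."""
    alerts = {}
    for device, series in per_device_series(flows).items():
        base = series[:baseline_intervals]
        threshold = max(mean(base) * factor, mean(base) + 4 * pstdev(base))
        spikes = [i for i, v in enumerate(series)
                  if i >= baseline_intervals and v > threshold]
        if spikes:
            alerts[device] = spikes
    return alerts


def active_standby_devices(flows, standby, min_active_ratio=0.5):
    """Flag standby/safety devices that send traffic in most intervals; a
    redundancy device that is 'always on' deserves immediate investigation."""
    flagged = []
    for device, series in per_device_series(flows).items():
        if device in standby:
            active_ratio = sum(1 for v in series if v > 0) / len(series)
            if active_ratio >= min_active_ratio:
                flagged.append(device)
    return flagged
```

On the constructed data the steady PLC raises nothing, the HMI is flagged for intervals 8 to 11, and the standby relay is flagged for being active in 10 of 12 intervals.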
There is a growing importance placed on detection technologies in both threat research and damage mitigation. In every war, intelligence is of the utmost importance for the deployment of resources and the exploitation of an adversary. The cyber battlefield is no different: discovering and understanding the enemy’s avenue of attack is the best method of preventing damage to an organisation.
The adversary is also changing, from opportunistic broad-spectrum attacks to more targeted, developed threats.
In the cybersecurity arena, forensic analysis is the process of deconstructing an attack’s exploitation, transmission vector and payload to determine exactly how and, if possible, why a system was compromised. It is important for evaluating a network’s vulnerability, creating defences against attacks, and predicting how potential attacks may operate.
What is a honeypot?
A ‘honeypot’ in cybersecurity describes an apparently vulnerable network device with the capacity to covertly monitor and record attacks against it. The honeypot is set up to appear enticing and legitimate to an attacker, without actually compromising important data if attacked.
What is its purpose?
A honeypot can capture the attack methodology, attack signature, information on targeted systems, network vulnerabilities and, potentially, information on the attacker. This intelligence allows the cybersecurity industry to be more adept at detection of current attacks and prevention of future attacks. Attack signatures can be added to intrusion databases, a methodology can be dissected and understood in order to develop defence strategies, and vulnerabilities can be exposed and patched before they can be exploited. A greater understanding of a cyber adversary is also integral to the ability of the cybersecurity industry to evolve and adapt.
Awareness of the motives of attackers gives security professionals a great advantage in predicting how the cyber threat landscape is developing, and allows pre-emptive countermeasures to be deployed.
Malicious actors are aware of the existence and purpose of honeypots and are constantly wary of being trapped. Therefore, effective honeypot deployment involves making the device look as real as possible. This includes protecting the device with proper security technology and having the device retain data and traffic that appear legitimate. However, in order to protect legitimate data, these honeypots are often located outside the company’s secure network, in a separate decoy network segment such as a ‘Demilitarised Zone’ (DMZ).
Honeypots in Active Defence
Honeypots are increasingly being adopted by operators who are seeking to strengthen their cybersecurity regime using countermeasure technology. The devices provide the opportunity to observe the actions of an attacker and build an understanding of the tactics, techniques and procedures being used against systems or facilities. A well-implemented honeypot deployment can provide the following:
- Highlight risks and assess the seriousness of a threat.
- Provide impact assessments based on the observations of the activities of the threat.
- Direct further investigative activities and allow for incident response planning.
- Deliver specific Threat Intelligence to the organisation.
- Act as a decoy to bolster defence systems.
Future Use of Honeypots
ICS systems will continue to be attacked, with potentially greater success, as new tools and easily accessible information become more widely available.
This will allow the technical knowledge, sophistication and methodologies of attacks to develop over time. Honeypots are a useful tool that can reveal malicious intent and methodologies, providing operators with the intelligence required to build or strengthen the security posture of an organisation.
The head of the Onslow Water and Sewer Authority said in a news release Monday that its internal computer system, including servers and personal computers, was subjected to what was characterized as “a sophisticated ransomware attack.”