Friday, November 22, 2024

Email Attacks a Problem for National Infrastructure Companies

Must read

Cyber attackers are repeatedly using malicious emails to infiltrate critical national infrastructure. Up to 80% of CNI companies experienced an email-related security breach in the last year, according to a new report from security solution provider OPSWAT.

Compromising CNI, like utilities, transport, telecommunications, and now data centres, can lead to widespread disruption, making it a prime target for cyber attacks. A recent report from Malwarebytes found that the services industry is the worst affected by ransomware, accounting for almost a quarter of global attacks.

The OPSWAT report, which surveyed 250 IT and security leaders from global CNI organisations, revealed that email-based attacks are proving worthwhile for attackers. For every 1,000 employees, CNI organisations experienced:

  • 5.7 successful phishing incidents per year.
  • 5.6 account compromises.
  • 4.4 incidents of data leakage.

But, despite the significant number of email-based attacks targeting their sector, 50.4% and 52.8% of respondents continue to assume email messages and attachments, respectively, are benign by default.

Why Threat Actors Target Email

Email provides an easy way for attackers to deploy phishing attempts, malicious links, and harmful attachments that provide access to a target system. Over 80% of CNI organisations expect threat levels of all email attack types to rise or remain the same over the next 12 months, with phishing, data exfiltration, and zero-day malware attacks the most likely.

The report’s authors said that since operational technology and IT systems are becoming “increasingly linked,” it is paramount that email security is prioritised.

They wrote, “Significantly fewer OT networks are still airgapped, and the digital transformation activities of the past decade has resulted in OT networks being connected to the Internet. What this means is that a successful cyberattack by email can spread to the organization’s OT network to cause damage and initiate new attacks from inside the OT network.

“With the level of threat posed by email attacks expected to increase over the next 12 months, critical infrastructure organizations intent on strengthening their email security posture must take a dramatic approach that emphasizes prevention and preclusion of email-borne threats.”

The UK deems data centres CNI to help bolster their security

Last week, the U.K. government announced that data centres will be deemed CNI from now on, the first new designation since 2015. This was made to help boost the country’s security as they become increasingly important to the smooth operation of essential services, as demonstrated by July’s CrowdStrike outage.

SEE: How hackers infiltrate critical infrastructure

Data centres in the U.K. will now receive greater government support in recovering from and anticipating critical incidents. A dedicated team of senior government officials will coordinate access to security agencies like the National Cyber Security Centre and the emergency services when needed. The designation could also work to deter cyber criminals.

Conversely, CNI organisations in the U.K. encounter heightened regulatory scrutiny. For example, the Network and Information Systems Regulations apply to operators of essential services within the CNI sectors, and the Telecommunications Security Act must be adhered to by telecoms providers.

Data centres will likely be more closely monitored for compliance with existing and upcoming legislation, which may include requirements for physical security measures, audits, contingency plans, risk reporting, and security software.

Unfortunately, CNI companies are not excelling in compliance, which plays a part in the high frequency of email-based cyber attacks. The OPSWAT report showed that 65% of CNI leaders say their organisation does not comply with regulatory standards. This percentage drops to 28% when considering only EMEA respondents.

CNI organisations are increasingly targeted by cyber attackers

The latest Threat Pulse from NCC Group found that 34% of ransomware attacks in July targeted CNI, marking a 2% increase over June. Bad actors becoming less wary of repercussions from law enforcement could be a contributing factor.

According to experts at WithSecure, following the action taken against the DarkSide group after it disrupted operations at the Colonial Pipeline company, there was “a concerted effort by ransomware collectives to avoid sanction.”

“Ransomware collectives would try to fall below a perceived line that they believed would incur action by a competent authority, with many groups publicly stating they would not attack hospitals,” researchers wrote in the Ransomware Landscape report.

However, the host of attacks on CNI since 2023 suggest that they now “have no reservations about targeting any western organisation” as the resulting law enforcement action “may be perceived by criminals as inevitable,” regardless of the chosen target.

SEE: U.K., U.S. and Canadian Cyber Authorities Warn of Pro-Russia Hacktivist Attacks on Operational Technology Systems

Legacy technology is providing easy access

In its 2023 Annual Review, the NCSC stated that it is “highly likely” the cyber threat to the U.K.’s CNI rose in 2023, in part due to its reliance on legacy technology.

Organisations that handle critical infrastructure are well-known for harbouring legacy devices, as it is difficult and expensive to replace technology while maintaining normal operations. Evidence from Thales submitted for a U.K. government report on the threat of ransomware to national security stated, “It is not uncommon within the CNI sector to find [ageing] systems with long operational life that are not routinely updated, monitored or assessed.”

Other evidence from NCC Group found that “OT systems are much more likely to include components that are 20 to 30 years old and/or use older software that is less secure and no longer supported.”

A Microsoft report from May corroborates this, describing their security measures as “often-lacking,” making “OT attacks not only attractive for attackers but also relatively easy to execute.” Redmond’s security researchers also highlight that the number of attacks on water and other key critical infrastructure systems have been rising since late 2023.

Latest article