“The first thing that comes to my mind is: Thank God this wasn’t water,” Merrill said. “Unfortunately, it doesn’t surprise me that this happened.”
Other aging, critical utilities potentially at risk include electrical systems and nuclear power plants, Merrill said. And it’s not just physical infrastructure: the hack of tools such as point-of-sale software commonly used by small businesses could wreak havoc on the economy.
But experts say companies should be doing more to avoid becoming the next target. Around 85% of critical US infrastructure and resources is owned by the private sector, according to the Department of Homeland Security.
Here’s what corporate America needs to know about these kinds of attacks and how to prevent them.
Who was behind the Colonial attack?
For years, it was generally believed that only a state-supported bad actor would be able to hack into and paralyze critical US infrastructure — and that such a thing was unlikely because doing so could be tantamount to declaring war.
What is DarkSide? Experts believe the criminal group is likely operating from Russia because its online communications are in Russian, and it preys on non-Russian speaking countries. Russian law enforcement typically leaves cybercriminal groups operating within the country alone, if their targets are elsewhere, Div said.
Cybersecurity experts say the group emerged in August 2020.
DarkSide runs what is effectively a “ransomware-as-a-service” business. It develops tools that help other criminal “affiliates” carry out ransomware attacks, wherein an organization’s data is stolen and its computers locked, so victims must pay to regain access to their network and prevent the release of sensitive information. When affiliates carry out an attack, DarkSide gets a cut of the profit. (In the Colonial case, it’s not clear whether the attack was from DarkSide or an affiliate.)
After the Colonial shutdown, DarkSide said on its website that it is a “profit motivated” entity and not a political organization. And several experts said they don’t think DarkSide intended to cause such a debacle.
“Their business is to stay quiet and get paid and move onto the next target,” Div said, adding that sometimes hackers often don’t know who they’re attacking until they’re inside a network. “The last thing that they want is to see a briefing of the president of the United States talking about them.”
When happens when you are hit with ransomware?
Once a company has been hit by ransomware, its first course of action is usually to take much or all of its system offline to isolate the hackers’ access and make sure they can’t move into other parts of the network.
Experts generally encourage ransomware victims not to pay any ransom: “You’re basically funding those (criminal) groups,” Div said.
But a company’s ability to get back online without paying hackers may depend on whether it has protected backups of its data. In some cases, hackers can delete their target’s backups before locking its files, leaving the victim organization with no recourse.
Similar ransomware incidents could range from anywhere in the hundreds of thousands of dollars to around $10 million, experts said.
What can be done to prevent it?
When it comes to ransomware, the best-case scenario is if organizations can catch hackers while they’re inside the network gathering data but before they’ve fully executed an attack and files are locked. Bad actors typically penetrate a network up to three weeks before a company gets a ransom notice, according to Analyst1’s DiMaggio.
He added that artificial intelligence tools could be helpful to companies in tracking users on the network and identifying suspicious behavior.
That’s how tools like Cybereason work — when the technology identifies a pattern of behavior consistent with a bad actor inside the network, it immediately removes that user’s access.
“Basically what we’re doing is proactive threat hunting,” Div, of Cybereason, said. “(You have to have) the mindset that you’re going to get breached and somebody will try to hit you with ransomware, so it’s helpful to have a research group that’s going after those (bad actors), understanding what they’re doing … and can be a step ahead of them constantly.”
Going forward, the US government could also play a greater role in helping to reduce the threat of ransomware attacks. For example, US officials could use diplomatic channels to encourage Russia and other countries to prosecute cybercriminal gangs, Merrill, of Berkeley, said.
Government could play a larger role in coordinating an overall cybersecurity plan for businesses rather than letting each company go it alone, GuidePoint’s Schmitt said.
“Ultimately, cybersecurity should be addressed as one of the main concerns when we’re talking about critical infrastructure,” he said.