- SOAR 101
Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for July, 2019 is… the ransomware attack against City Power.
City Power, a publicly owned utility that provides power to the city of Johannesburg in South Africa, was hit by an undisclosed ransomware variant on Wednesday, July 24th. The ransomware encrypted all of City Power’s databases, applications, and networks, resulting in all IT systems shutting down, including their website and public-facing applications used by vendors and customers. The shutdown briefly prevented customers from purchasing pre-paid electricity—a service used by approximately 250,000 people.
City Power immediately brought in external cybersecurity experts to assist with the investigation. Most systems were restored within two days, with some remaining issues affecting City Power’s website, email systems, and a subset of applications. City Power appears to have not paid the attackers any ransom, stating publicly that their technicians were able to restore most of the locked data, systems, and applications from backups.
How Did it Happen?
How the ransomware got on to City Power’s systems is not entirely clear. Their cybersecurity team says they have identified the ransomware variant that was used, but chose not to disclose it publicly.
Ransomware attacks often begin by delivering malware via a phishing campaign, but some sophisticated variants might use other methods, such as SamSam, which exploits vulnerabilities in public-facing systems to gain access to a network (to learn more about the many variants, check out the 2017 Ransomware Report, sponsored by D3 Security).
Ransomware attacks against public entities are hugely popular, exemplified by incidents we’ve previously covered involving Jackson County, Georgia, and the City of Atlanta. These attacks have become so prevalent in recent months that in July, 225 American mayors signed a resolution to never pay ransoms—a move intended to dissuade attackers by taking away the possibility of profit. Small government bodies and public sector organizations make appealing targets for ransomware attacks because of a general lack of cybersecurity resources, outdated systems, and ineffective use of backups.
While it shares some characteristics with other ransomware attacks against public entities, the breach at City Power might have more in common with a less prevalent, but more dangerous, trend that security experts are increasingly concerned about: cyberattacks against utilities that are designed to disrupt power supplies. Earlier this month, researchers at Proofpoint named the Chinese state-sponsored hacking group APT10 as the likely culprits behind a spear-phishing campaign targeting employees of American utilities. The earliest notable successful attack of this type occurred in 2015, when Russian hackers disrupted a Ukrainian power grid, knocking out power for 230,000 people. This type of attack is predicted to be central to any future large-scale cyber warfare.
How to Minimize the Risk of this Type of Breach
The most likely point of entry for this type of attack is phishing, even when the adversary is highly sophisticated. Why this simple method is favored by even the most well-funded hacking groups is that it only takes a single employee slipping up once for the attack to move forward. Security awareness training is critical for this reason, but it will never be enough to prevent 100% of human errors. Therefore, having tools that can identify and disrupt phishing attacks before the adversaries move through the network toward their end-goals is just as important, if not more so.
D3’s ATTACKBOT, which brings the entire MITRE ATT&CK framework seamlessly into our clients’ security operations, has myriad important use-cases, but one of the most valuable is for enhancing phishing investigations. When an organization is hit with a phishing campaign, the security team needs to immediately identify which, if any, computers were compromised. With ATTACKBOT’s kill-chain-based real-time correlations, analysts can rapidly identify compromised computers based on actions the adversary is likely to take next, such as credential dumping. Senior analysts can even use D3 to pull and parse logs from a user’s computer to confirm that it has been compromised.
Check out our recent blog post to learn more about how security teams use D3’s ATTACKBOT to disrupt phishing campaigns that could lead to ransomware attacks.
Thanks for joining us. We’ll see you back here next month for a new Data Breach of the Month.