Analysis: Is Brazil prepared for attacks against infrastructure companies?

RIO DE JANEIRO, BRAZIL – The attack suffered by the Colonial Pipeline systems, one of the largest fuel distribution companies in the United States, has set off a red alert around the world.

Debates and warnings about attacks on essential infrastructure such as fuel, energy, and water are constant, but in few cases have the consequences been as tangible as those felt by Americans, who found themselves with empty pumps, high prices, and long lines at gas stations in mid-May, with the situation returning to normal only last week.

After the attacks on Eletrobras and Copel, the Darkside cybercriminal group has already confirmed it has Brazil in its sights once again (Photo: internet reproduction)

A direct parallel can even be drawn with Brazil. Abroad, the cybercriminal group Darkside assumed the authorship of the attack and almost apologized, stating that their purpose was exclusively financial, with no intention of generating such negative impacts on citizens’ lives.

The group was also behind two incidents briefly mentioned in the national news: in February, the systems of the state-owned companies Eletrobras and Copel were hit by ransomware from the same authors, but without the severe impact and interruptions seen in the U.S.A.

Market figures suggest the level of alert should be rising. According to data published in April by Sophos, a company specializing in digital security, the number of attacks suffered by Brazilian companies has dropped, with 38% of them being victims in the first quarter of 2021 (67% in 2020). At the same time, however, the sophistication of the scams and their efficacy have increased, making the environment, as a whole, much more dangerous.

“A change in the behavior of attackers is occurring, with a progression in approaches,” explains André Carneiro, director of Sophos in Brazil. “Automated, generalized, large-scale attacks have been replaced by targeted [scams], seeking the interruption of critical services and the consequent success in extorting these customers, who also have more payment power.”

That could very well be a description of the incident suffered by Colonial Pipeline, which, faced with the outages, ended up paying a ransom worth US$4.4 million in the hope of having its systems returned by the criminals. The information was confirmed by CEO Josh Blount in an interview with the Wall Street Journal, and it was the reason for the speedy restoration of fuel distribution on the U.S. East Coast, celebrated by President Joe Biden last weekend. Here, too, we are looking at a dangerous precedent.

Costly invoice

So far, corporate security experts recommend that the ransoms demanded by cybercriminals not be paid; according to data from Sophos, only 65% of companies that make this kind of settlement actually get their systems back from the criminals. Still, in many cases, millions of dollars in cryptocurrency can be a small price to pay for a quick recovery, particularly when it comes to infrastructure companies.

“Paying the ransom may prove to be a reasonable decision from a business standpoint,” points out Marty Edwards, vice president of security in operational technology at Tenable. On the other hand, he points out, it creates a vicious circle in which more and more attack groups will see profit from this type of attack, producing new malware that will target more companies. “This is a trend that is here to stay, but we need to find a way to interrupt this sequence and curtail the success of cybercriminals.”

A survey by Tenable bears this point out, placing the industrial sector as the second hardest hit by targeted attacks worldwide, behind only financial services. Within it, infrastructure sectors such as oil and gas, power, and water supply are the main targets.

In the case of Colonial Pipeline, the apolitical tone adopted by those responsible also attracted attention, suggesting that Darkside does not work on behalf of any government and is only looking for financial gain. Citing his 15 years of experience in the industrial technology security market, Edwards agrees with the notion that, in the end, for these agents, it is all about money. “Rival nations may have different motivations, but for criminals, what really matters is maximizing profits as quickly and simply as possible.”

This fact brings us directly to the Brazilian situation. After all, the country has no clear rivalry with other nations from a cyberwarfare standpoint, but at the same time, the absence of political goals can make it a target. According to Edwards, Brazil’s natural wealth goes hand in hand with its dependence on basic infrastructure, such as state-owned or leased internet, water, and power networks. “It’s natural for criminal organizations to look at Brazil as a target,” he adds.

Proof of this is that after the attacks on Eletrobras and Copel, Darkside has already confirmed it has Brazil in its sights once again. As part of a transparency effort that serves to show that its ends are effectively apolitical, the criminals have stated that they are working on at least 3 new ransomware attacks, one of which is against a retailer of renewable energy products. Some 400 GB of data has reportedly been extracted from this company, whose incident had not been made public at the time this article was published.

Between the increasingly targeted focus of cybercriminals and the search for quick financial gains, conducting attacks on companies seems to be a matter of “when it will happen” rather than “if it will happen”. In this respect, Brazil is advanced in some points and highly deficient in others, although, overall, the scenario is not one of the most negative.

Brazil between evolution and delay

Carneiro cites two major risk areas of great concern in Brazil, which can lead to an escalation of attacks against national infrastructures. One of them is the use of legacy systems, which run old and discontinued software and operating systems. He points out, for example, the existence of computers with Windows XP and databases running Windows Server 2003 in many national companies, all outdated and vulnerable to attacks.

“The use of traditional protection solutions is no longer sufficient, and it is not enough for companies to simply renew such software,” adds the director. According to him, companies need to work with threat intelligence systems, analysis, and add more security layers, so that malware entry vectors are controlled and interrupted.

For Arthur Capella, Tenable’s country manager for Brazil, all the security work in the industrial sector must involve greater synergy between the operational and IT sectors. In his opinion, it is not enough for only one side of this coin to be protected, since most of the attacks that stop infrastructures involve the lateral movement of malware through networks, from an entry vector.

“We have different levels of maturity in various companies, but I see an overall evolution in Brazil in this integration towards cybersecurity,” explains the executive. According to him, there is progress, as five years ago this was not even an issue, while the protection of networks was limited to systems in employees’ computers. “To talk about security was to talk about physical access control and elements such as turnstiles or locked doors. I see [that] changing, especially in the most targeted industries, but there’s still a long way to go.”

According to data from Tenable, 75% of the threats exploited in ransomware attacks start from already known vulnerabilities, while 60% of them moved laterally through companies' networks, widening their reach, before striking. The ingredients of this improved protection appear contradictory: the need for greater integration goes hand in hand with greater system partitioning. In practice, however, it is not that simple.

“Companies with better segmentation have greater visibility into what is happening on the networks, and are able to isolate contaminated environments without major damage to the entire network,” Edwards explains. In addition, a closer dialogue between the operational and IT sectors helps in understanding which systems are more critical and deserve more attention, as well as how to set up the separation so that not all processes need to be shut down in the event of an attack, Capella points out.

All experts agree on one thing: it is impossible to fully guarantee that a company is free from attacks, but it is possible to make it more difficult for criminals to enter and, if they do, to reduce their reach within the infrastructure. A completely secure system is utopian, but in their view, it is possible to get very close to it.

“The only way to completely protect against attacks is to turn off all technology,” Capella points out. He makes a historical reference to explain the current situation, pointing out that just as in the case of cloud computing technology, remote systems, and almost any innovation, there are countless benefits for businesses that come with some risks. “Good practices work anywhere in the world, and it is necessary to develop products, projects, and training so that the environments have a level of protection that discourages attacks,” he adds.

Carneiro points out transparency and synergy with the market when faced with vulnerabilities as important ways to evolve the market as a whole. “It is crucial that companies are aware that there is no shame in accepting that they have suffered an attack. This is a sign of the search for growth and maturity in security, with this admission helping to better prepare for a future in which [scams] will be increasingly modern and efficient.”
