Share this article on:
Dale Heath from Rubrik outlines the patterns underpinning the ransomware group’s attacks on local organisations.
If any doubts remained about the threat ransomware poses, the attack against Queensland’s CS Energy and the theft of personal information from thousands of South Australian public servants late last year surely puts them to rest.
The Conti ransomware group has now claimed responsibility for both attacks, leading the federal government’s Australian Cyber Security Centre (ACSC) to issue an advisory to local businesses.
These attacks, which occurred within weeks of each other, highlight a number of ransomware trends and provide a window into what we can expect from such groups this year; the prevalence of supply chain attacks, a renewed focus on targeting critical infrastructure, and the rise of Ransomware-as-a-Service (RaaS).
Sophisticated supply chain attacks
In the incident which led to the theft of personal information from up to 80,000 South Australian public servants, it is important to understand the attack wasn’t levelled directly at the government itself. Rather, hackers targeted a software supplier – in this case Frontier Software – which provides payroll services to every South Australian government department except for the Department of Education.
These attacks are known as “supply chain attacks” as they don’t directly target the victim. Instead, hackers focus on an organisation within the victim’s supply chain.
Regardless, the result is still the same for the thousands of South Australians who had their bank account details, tax file numbers and other sensitive information stolen.
Supply chain attacks are becoming increasingly popular because these impact multiple organisations from a single breach. In this case, not only was data stolen from the South Australian government, but the operations of Tasmania’s largest employer – the Federal Group – were also disrupted.
While this is just the latest example, we saw similar attacks last year. In July, IT solutions developer Kaseya was hit with the REvil ransomware. The attackers then developed a malicious software update, successfully breaching more than 1,000 of Kaseya’s customers when they attempted to install the update.
Critical infrastructure in the crosshairs
The threat of locking down critical infrastructure is real, it is happening right now, and it must be taken seriously. November’s attack against Queensland’s CS Energy is just one example.
While the electricity provider was able to avert the attack’s most devastating consequences, and should be applauded for doing so, business leaders across Australia should reflect on how their own organisations would fare in the same situation.
As more of the critical infrastructure that powers our nation is increasingly digitised, the consequences of that data being held hostage increase exponentially.
Ransomware doesn’t just lock up data, it locks up entire operations. Attackers – whether nation states or organised crime groups – are looking to inflict the most disruption possible and this is the calculus driving attackers when deciding who to target.
Perhaps the most well-known example of a critical infrastructure ransomware attack was against Colonial Pipeline in May 2021. The attack, attributed to the Eastern European group DarkSide, was the largest cyber attack on the American energy system and disrupted fuel supplies for almost a week.
Ransomware-as-a-service
The final trend these recent attacks highlight is the rising popularity of RaaS.
Both attacks against Frontier Software and CS Energy were carried out with a strain of ransomware called Conti. This variant was developed by a criminal gang, largely believed to be of Russian origin, and is offered to aspiring hackers on deep and dark web forums.
The ransomware is provided to whoever wants to use it, with the hackers then becoming Conti “affiliates”, who pay a portion of any successful ransom to the malware’s developers.
Not only does this model significantly lower the barrier to entry for would-be cyber criminals, it also makes it much more difficult to hold Conti’s creators to account.
The threat ransomware poses is now so great, the ACSC Annual Threat Report labelled it “the most serious cyber crime threat” due to the financial impact and disruption it causes victims and the wider community. Driving home the point, the federal government released a national Ransomware Action Plan last year in a bid to shore up our defences.
With traditional defences failing, Zero Trust Data Security has emerged as a key strategy to keep data out of the hands of attackers and keep businesses in business.
As supply-chain attacks seek to weaponise the trust an organisation places in its suppliers, a zero-trust approach to data security treats every user, every application, and every device as untrustworthy.
The core idea is to provide the minimum level of access needed to perform an approved task and assumes an attacker has already infiltrated the network. This is particularly beneficial to critical infrastructure providers as it negates an attacker’s ability to spread beyond the system they initially compromised.
In doing so, an attacker’s ability to steal sensitive data, disrupt operations, or hold data to ransom is severely limited. This final point is crucial. Without multimillion dollar ransoms, the entire ransomware business model is thwarted. As long as cyber criminals continue to turn a profit, we can expect to see more of the same headlines in the future.
Dale Heath is the engineering manager, A/NZ at Rubrik.