On the eve of Memorial Day weekend, threat researchers and incident response teams are quietly preparing for the risk of malicious activity when staffing is minimal and millions of workers will be on the road.
Critical industries have faced a series of threats from criminal ransomware gangs or nation-state actors for much of 2024, and the unofficial summer kickoff weekend is a prime opportunity for malicious attacks.
“We see attacks and attempted intrusions every day,” Scott Algeier, executive director of the IT-ISAC, said via email.
While there is no specific threat information pointing to a Memorial Day event, “attackers are also aware of the calendar and know that security teams tend to operate with reduced staffing on weekends and holidays,” Algeier said.
The healthcare industry was hit by two major ransomware incidents in recent months, including the attack against Change and the ongoing attack against Ascension hospitals.
“We’re trying to remind our members and our cybersecurity leadership in the health sector that we’ve got another long weekend coming and especially we’ve seen threat actors take advantage of the timing,” said Errol Weiss, chief security officer of the Health-ISAC.
A 2023 report from Sophos indicates about 90% of ransomware attacks occur outside of normal work hours. The report was based on incident response cases during the first half of 2023.
Major ransomware attacks in recent years have taken place around holiday periods when organizations were either closed or operating with reduced staff. The FBI and Cybersecurity and Infrastructure Security Agency issued guidance in 2022 about criminal ransomware groups targeting companies during nights and weekends.
Holiday attacks of late include:
- In 2021, JBS USA, a global supplier of meat, was hit by a ransomware attack over the Memorial Day holiday. The firm, which processed about 20% of the meat supply in the U.S., paid $11 million to criminal hackers after its facilities were shut down for multiple days.
- Clop ransomware engaged in mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit file-transfer software during the Memorial Day holiday in 2023.
- Kaseya, an IT monitoring firm, was hit by a supply-chain attack in 2021 during the Independence Day weekend that disrupted operations and led to downstream compromises of its customers.
- In September 2023, the Los Angeles Unified School District was hit by a ransomware attack over the Labor Day weekend.
The security landscape remains heavily focused on nation-state threats to critical infrastructure. FBI Director Chris Wray in January warned about ongoing threat activity linked to Volt Typhoon, a hacking group linked to the People’s Republic of China.
The group has planted webshells in various critical infrastructure targets in order to launch a diversionary attack against the U.S. in the event of a military conflict in the Asia-Pacific region.
National Cyber Director Harry Coker Jr. reiterated concerns about Volt Typhoon during a speech earlier this month at the CyberUK conference. He also warned about state-linked hackers connected to Russia.
Researchers at GreyNoise Labs said the only significant trend they are seeing is the ongoing targeting of home office routers by various threat groups.
There are also a number of recently disclosed router flaws on the Zero Day Initiative site that could be used for exploitation activity, according to GreyNoise Labs.
“The GreyNoise Lab team is bracing for any vendor or researcher vulnerability drops on Friday, as that has happened during prior long weekend holiday events, especially in the U.S.,” a company spokesperson said via email.
Private sector companies and critical infrastructure providers struggled in recent years to find enough qualified staff for security operations during regular work days. A 2023 workforce study from ISC2 showed 67% of respondents faced a security staff shortage.
“Malicious actors know how to take advantage of people stepping away from their computers, and when the industry is faced with a staffing shortage of the ones who are keeping watch . . . things can look grim,” Jon France, CISO of ISC2, said via email.
Holiday weekends and summer vacations create new obstacles for hunting down threats and mitigating malicious activity.
“Every organization should be preparing and monitoring for increased abnormalities leading up to and during holiday weekends,” Jeff Wichman, director of incident response at Semperis, said via email.
Organizations need to create offline backups and shut down critical systems that do not need to operate over the holiday weekend, according to Wichman. Incident response teams should have alerts set up and be prepared to return to the office in case of an attack.
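The monitoring advice above (watch for abnormalities leading up to and during holiday weekends, and have alerts ready for a reduced-staff team) can be reduced to a simple off-hours triage rule. The following is an added illustration written for this article, not code from Semperis, any ISAC, or any other party quoted here. The log format, the holiday calendar, the working-hours window and the set of high-risk event types are all assumptions chosen for the example; the log lines are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import List, Optional

# Assumed calendar and staffing window for the example (adjust to your own).
HOLIDAYS = {date(2024, 5, 27)}            # Memorial Day 2024 (U.S.)
WORK_START, WORK_END = time(8, 0), time(18, 0)

# Assumed set of actions worth paging on immediately when nobody is watching.
# These names are example values, not events from the article.
HIGH_RISK_EVENTS = {
    "privileged_logon",
    "backup_deleted",
    "mass_file_rename",
    "new_scheduled_task",
}

# Constructed sample log: "<ISO timestamp> host=<h> user=<u> action=<a>"
SAMPLE_LOG = [
    "2024-05-24T14:05:11 host=ws17 user=alice action=file_open",
    "2024-05-24T22:41:03 host=dc01 user=admin.jdoe action=privileged_logon",
    "2024-05-25T02:14:09 host=fs01 user=svc_backup action=backup_deleted",
    "2024-05-27T09:30:00 host=fs02 user=bob action=mass_file_rename",
    "2024-05-28T10:00:00 host=fs02 user=bob action=privileged_logon",
]


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    action: str


@dataclass
class Alert:
    event: Event
    reason: str  # why this time window counts as reduced staffing


def parse_line(line: str) -> Event:
    """Parse one line of the assumed key=value log format."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts_str), kv["host"], kv["user"], kv["action"])


def off_hours_reason(ts: datetime) -> Optional[str]:
    """Return 'holiday', 'weekend' or 'after_hours' if the SOC is likely
    running thin at this time, or None during normal staffed hours."""
    if ts.date() in HOLIDAYS:
        return "holiday"
    if ts.weekday() >= 5:  # Saturday=5, Sunday=6
        return "weekend"
    if not (WORK_START <= ts.time() < WORK_END):
        return "after_hours"
    return None


def triage(lines: List[str]) -> List[Alert]:
    """Flag high-risk actions that land in a reduced-staffing window.
    Low-risk actions and in-hours activity pass through silently."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.action not in HIGH_RISK_EVENTS:
            continue
        reason = off_hours_reason(ev.ts)
        if reason is not None:
            alerts.append(Alert(ev, reason))
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.reason:12} {a.event.ts.isoformat()} {a.event.user}@{a.event.host} {a.event.action}")
```

Running it against the sample lines raises three alerts: the Friday-night privileged logon, the Saturday backup deletion and the Memorial Day mass rename; the Tuesday-morning privileged logon is left for normal review. The point of splitting the decision into `off_hours_reason` and the high-risk action set is that the calendar can be extended (for example to the Friday before a long weekend) without touching the action list, and vice versa.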
The U.S. government is also pushing forward with additional measures to protect against malicious attacks. The state-linked compromise of Microsoft Exchange Online, which led to the theft of 60,000 State Department emails, took place during May and June 2023 and led to an investigation by the Cyber Safety Review Board.
The National Security Agency on Wednesday released guidance on how organizations can advance efforts to achieve zero trust maturity, which is designed to prevent unauthorized access to sensitive data and maintain visibility into various systems.
While the guidance is targeted at the U.S. national security and defense industry, NSA said these same recommendations can be applied by other organizations looking to reach zero trust goals.
A CISA spokesperson said the agency has “not identified or received reports regarding unusual threat activity.”
However, CISA urged organizations to monitor its Shields Up resources, its nation-state cyberthreat web pages and its latest cybersecurity advisories to make sure they have the most recent information.
The FBI did not confirm the monitoring of any specific threats, but said it “remains vigilant as it works to protect the American people.”