Dive Brief:
- U.S. government officials and security researchers warned that last week's ransomware attack against Colonial Pipeline might lead to a wave of cyberattacks against critical installations in the U.S. and abroad.
- "My sense is that the likelihood is increasing, almost every day," Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, said at a forum hosted by George Washington University on Thursday. "We are seeing more broad-based cyber incidents from our adversaries who are growing more aggressive."
- Though ransomware attacks are a regular occurrence, news of two high-profile incidents surfaced Friday. A European unit of Toshiba was hit by DarkSide, a Russia-linked actor responsible for launching the Colonial Pipeline attack. Ireland's health service also shut down its major technology systems after it was disrupted by a ransomware attack, which officials are attributing to the Conti ransomware strain, The Wall Street Journal reported.
Dive Insight:
The attacks raise fears about a wave of attacks by DarkSide and other criminal or nation-state actors, particularly against critical infrastructure and manufacturing companies in key industries.
The attack on Ireland's health service forced the shutdown of all of its information technology systems and disrupted scheduled COVID-19 systems and outpatient care at numerous hospitals. Toshiba confirmed that some of its data may have been leaked by a criminal gang and said in a statement that it shut down network connections between various European subsidiaries and to Japan in order to prevent additional data leaks.
Meanwhile, Colonial Pipeline's recovery is still ongoing. The company accounts for about 45% of the fuel delivery for the East Coast of the U.S., with a 5,500-mile pipeline that runs from Houston, Texas to Linden, N.J. Colonial Pipeline began to restart operations Wednesday, following days of long gas station lines and panic buying that led to a surge in gasoline prices which may take weeks to subside.
What most people have seen or read about the Colonial Pipeline or Toshiba attacks is just the "tip of the iceberg," according to Robert Boudreaux, field CTO at Deep Instinct.
"These attacks are just the latest and one of the more public examples of a newer ransomware as a corporation (RaaC) trend," he said via email. "DarkSide is not new; they have been around since mid-2020, and their modus operandi has not changed in that time frame either. They are using the same tactics and techniques that I have seen deep learning capabilities/solutions prevent for the past 18 months."
The Colonial Pipeline attack showed that major U.S. companies still need to take steps to secure their IT environments to prevent threat actors from crippling internal systems and forcing production shutdowns that pose massive ripple effects in the global supply chain.
"Many organizations are now giving their OT cybersecurity a closer look to try to understand their vulnerability to a cyberattack and to consider measures to quickly increase their cyber protections against these types of incidents," Chris Williams, cyber solution architect at Capgemini North America, said via email.
Companies need to take some immediate steps to secure their environments, including the following:
- Look at boundaries between OT and IT environments and reduce the frequency of interconnects spanning the networks.
- Audit cyber logs for signs of intrusion that might previously have been missed.
- Restrict access to internet web browsing and email from IT networks, at least as a temporary measure, while employees are further trained on how to identify phishing, malicious email and malicious web links.
- Increase perimeter security settings to block malicious email and websites.
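The first two steps above, reviewing IT/OT boundaries and auditing logs for missed activity, can be combined into one check. The following script is an added example, not code from the article or from any vendor quoted in it: it parses constructed firewall log lines (a hypothetical format) and surfaces accepted flows from an assumed IT subnet into an assumed OT subnet, so each interconnect can be justified or removed.

```python
import ipaddress
import re
from collections import Counter

# Assumed address plan for illustration only (not from the article):
# the IT user LAN and the OT/ICS network behind the boundary firewall.
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("192.168.50.0/24")]

# Constructed sample firewall log lines in a hypothetical syslog-like format.
SAMPLE_LOG = """\
2021-05-14T08:01:12Z fw01 ACCEPT src=10.10.4.21 dst=10.10.9.5 dport=445 proto=tcp
2021-05-14T08:02:40Z fw01 ACCEPT src=10.10.4.21 dst=192.168.50.12 dport=502 proto=tcp
2021-05-14T08:02:41Z fw01 ACCEPT src=10.10.4.21 dst=192.168.50.13 dport=502 proto=tcp
2021-05-14T08:03:05Z fw01 DENY src=10.10.7.8 dst=192.168.50.20 dport=3389 proto=tcp
2021-05-14T08:05:00Z fw01 ACCEPT src=192.168.50.12 dst=192.168.50.1 dport=53 proto=udp
2021-05-14T08:06:30Z fw01 ACCEPT src=10.10.7.8 dst=192.168.50.20 dport=3389 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)

def in_nets(ip, nets):
    """True if the address string falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def find_it_to_ot_crossings(log_text):
    """Return every accepted flow whose source is in IT and destination is in OT."""
    crossings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if in_nets(rec["src"], IT_NETS) and in_nets(rec["dst"], OT_NETS):
            crossings.append(rec)
    return crossings

def summarize(crossings):
    """Count crossings per (source, destination port) so the busiest interconnects surface first."""
    return Counter((c["src"], c["dport"]) for c in crossings)

if __name__ == "__main__":
    for (src, dport), n in summarize(find_it_to_ot_crossings(SAMPLE_LOG)).most_common():
        print(f"{src} -> OT dport {dport}: {n} accepted flow(s)")
```

Each surviving (source, port) pair is a boundary crossing to document as an approved exception or to close; the denied attempt on the same host and port shortly before an accepted one is the kind of sequence worth a closer look during the audit.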