Just ahead of the holiday season, U.S. companies and critical infrastructure providers are once again bracing for the potential risk of cyberattack, as threat groups look to exploit distracted IT security teams for maximum leverage.
The vast majority of organizations — nearly 9 in 10 — hit by ransomware over the past 12 months were targeted at night or over a weekend period, when IT security staffing was low, a November report from Semperis shows.
Nearly two-thirds of organizations said they were targeted by ransomware after a major corporate event when employees could be distracted, such as a restructuring or major layoff announcement, an initial public offering or a corporate merger.
The report, conducted in partnership with Censuswide, is based on a survey of more than 900 IT security professionals in the U.S., U.K., France and Germany.
Security operations teams are already highly stressed, with CISOs under tremendous pressure to manage compliance demands from federal and state governments. Companies are also cutting back on hiring due to the threat of recession and inflation concerns.
Security teams have complained of alert fatigue and burnout, whether chasing down critical software vulnerabilities or managing an overload of false alarms from incompatible security tools.
Companies have worked hard in recent years to create a work-life balance for security teams, according to Jeff Wichman, director of incident response at Semperis. But experienced threat groups also understand how security teams monitor and react to threats.
“If you flip it to the criminal side, they’re going to target you when you are the most vulnerable,” Wichman said. “And they know balancing work-life is important.”
So long, perimeter
As companies have changed their work environments to hybrid models, the traditional network perimeter is gone. Now, workers log onto corporate emails or access data while traveling or using remote devices. Many receive updates overnight and on long weekends.
An additional risk for security operations is that a company that has failed to prepare by practicing incident response will be unprepared when a real attack takes place.
A look back at major ransomware and state-linked attacks bears out the threat posed during holiday periods.
The MOVEit attack spree from Clop ransomware took place during the Memorial Day holiday in 2023. The 2021 ransomware attacks against Kaseya occurred over the July 4 weekend, while the ransomware attack against meat supplier JBS took place during the Memorial Day holiday in that same year.
Last year, Staples was targeted in a ransomware attack during the critical Cyber Week period when U.S. retailers are promoting holiday sales.
Officials at the Retail and Hospitality Information Sharing and Analysis Center said the holiday season poses unique challenges for the retail industry, particularly during the Thanksgiving and Black Friday weekend.
“Holiday season preparation for retail cybersecurity teams typically begins in late summer and includes robust planning, advanced threat detection tools and cross-functional collaboration,” Pam Lindemoen, CSO and VP of strategy at RH-ISAC, said via email. “Retailers usually have provisions in place to ensure coverage via incentives and on-call staff availability.”
U.S. retailers are considered a uniquely lucrative target for hackers and many companies have become a target of criminal ransomware groups.
The U.S. reported more than 250 ransomware incidents in the first three quarters of 2024, up 24% year over year, according to a report from Cyberint, a subsidiary of Check Point Software.
Though U.S. retailers make up just 28% of the global retail market share, they accounted for almost half of ransomware attacks worldwide during the past three quarters, Cyberint found.
The Thanksgiving and Black Friday weekend presents a compelling opportunity for cybercriminals, as a successful attack against a retail company poses a major threat to the reputation and the financial wellbeing of that company.
“Cybercriminals often exploit this time to launch DDoS attacks or ransomware campaigns, aiming to disrupt operations and extort money from retailers,” Yehonatan Wiesel, senior cyber threat intelligence analyst at Cyberint, told Cybersecurity Dive via email. “While the theft of customer data is always a concern, the immediate impact of operational disruptions during such a critical sales period can be even more devastating.”
Microsoft researchers have previously warned about the heightened risk of DDoS attacks during the holiday season. DDoS attacks involve flooding websites with a high volume of malicious traffic to overwhelm the site and take it down.
The Cybersecurity and Infrastructure Security Agency reminds organizations to harden their networks and take four basic precautions to protect against malicious activity:
- Train employees how to recognize and avoid phishing messages.
- Require workers to use strong passwords.
- Require multifactor authentication.
- Update business software to the latest version.