
Russia-Linked Ransomware Gangs Could Spark Revamped Cybersecurity Protocols in Critical Infrastructure

Recent ransomware attacks by Russia-linked organized cybercrime groups such as Vice Society and Ryuk have shed light on the critical need for organizations to revamp their security protocols, particularly within critical infrastructure sectors such as healthcare, energy and public services. Vice Society’s recent attacks on San Francisco’s BART system and the Los Angeles Unified School District (LAUSD) are clear examples of the dangers facing the public sector, at a time when technology is making these industries more connected than ever.

Ransomware gangs are not a new presence in the world of cybersecurity. They have long been used as proxies for governments, conducting cyber operations on their behalf with the tacit approval of those governments’ leaders, who in turn escape direct blame.

Vice Society has struck on a surprisingly wide scale across the United States, Australia and several EU countries. It does not seem entirely coincidental that its efforts have focused on regions that have openly supported Ukraine since the war broke out. In nearly every case, the group exploits vulnerabilities in exposed systems to exfiltrate data, or acts as an initial access broker, selling the access it gains and the information behind it to the highest bidder. Historically, it has gone after healthcare organizations, which are particularly motivated to pay ransoms to get operations back online and preserve patient confidentiality. More recently it has pivoted to industries like education and transportation: public-sector organizations that lack deep pockets but cause major disruption when hit, in an apparent effort to throw U.S. political entities off course.

Washington officials usually advise companies not to pay these ransoms, urging them instead to report breaches to the authorities and respond in real time. Vice Society also encrypts the data it steals, making it difficult for law enforcement and security professionals to analyze what was taken. These particularly vulnerable public-sector targets have less sophisticated cyber defenses and tooling than more attack-ready organizations such as banks or big tech companies. The redirection is deliberate: it signals that the group is willing to forgo larger paydays to attack the public sector, perhaps in pursuit of geopolitical goals.

Managing a global conflict at the personal digital level

Initially, after Russia invaded Ukraine in February 2022, cyber experts were waiting for the proverbial other “digital shoe” to drop. A massive, nation-state-sized cyberattack on anyone that sided with Ukraine seemed inevitable, but it didn’t happen exactly that way.

Vice Society operates, in effect, as a proxy: a third-party entity that conducts cyberattacks serving a state’s interests while concealing the state’s hand and frustrating attribution. Given that, it is reasonable to assume that any Russian-speaking ransomware gang of this kind conducts business with the tacit compliance, and potentially even the encouragement, of the Russian government.

The group’s willingness to forgo bigger paydays and intentionally redirect its attacks to critical infrastructure targets indicates implicit involvement from the Russian regime. These actions can be seen as a form of asymmetric warfare, in which a state uses organized crime as a tool to carry out attacks on critical infrastructure. The attacks are small enough to fly under the radar (that is, not enough to warrant direct retaliation against the group, as happened after the Colonial Pipeline attack), but widespread enough to send a message and disrupt the day-to-day lives of many citizens. This serves to strengthen the current Russian regime and demonstrate its ability to inconvenience government entities in the U.S.

The use of independently operated proxies allows the Russian government to maintain plausible deniability about its responsibility for the cyberattacks. It also allows the Russian government to carry out relatively small attacks without the risk of triggering the international response that attacks carried out directly by the Kremlin would provoke.

Because of this asymmetric cyber warfare, federal, state, local and tribal government organizations and public-sector companies need to be on high alert for these kinds of indirect attacks. The Russian regime will not announce that it is coming for its targets, as the attacks on the Cherokee Nation last year demonstrated.

What companies can do now

When possible, bad actors will take the path of least resistance. This is why it is important for organizations to make sure the “cyber basics” are covered: reducing the attack surface through effective security hygiene, enforcing multi-factor authentication, conducting regular security audits and training employees thoroughly.

Insecure or outdated protocols and exposed ports are often exploited in these types of attacks. They are usually the result of unknown assets, misconfigurations, or a lack of change management and patching. Like the classic phishing scam, insecure protocols are considered a ‘basic’ of cybersecurity: they are essentially the doors and hallways attackers use to explore networks and cause damage. This is especially true within education and government, which underwent a rapid “digital transformation” during the pandemic, so maintaining proper patching and configuration is critical.

Throughout my cybersecurity career, I’ve run into countless examples of this. For example, my teams once found that one university was accepting inbound secure shell (SSH) traffic from Russia; SSH is widely used to manage systems remotely, enabling network admins to log into another computer over a network and execute commands. In a nutshell, this could have given Russian hackers direct access to the school’s network, intellectual property and sensitive student information. Another organization, a regional hospital system, was found running SMBv1 and exposing it to the public internet, an incredibly dangerous combination that was exploited in major attacks like WannaCry and NotPetya, causing billions of dollars in damages worldwide.
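As an added example (this is not code from the original article or from the author’s teams), the Python below applies the two checks described above to exported firewall or flow logs: SMB ports reached from outside the organization’s own address space, and SSH accepted from sources that are not on an administrative allowlist. The log format, the organization’s networks and the allowlist are assumptions, and the sample records are constructed. The geographic check in the anecdote would require resolving source addresses against a GeoIP database; this offline version instead treats anything outside the allowlist as unapproved, which is the stronger default.

```python
"""Added example: audit allowed inbound flows for two 'cyber basics' failures,
SMB reachable from outside the organization's own networks, and SSH accepted
from sources that are not on an administrative allowlist.

Assumed record format (one flow per line, space-separated):
    <timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <ALLOW|DENY>
"""
import ipaddress

# Constructed sample records, not taken from any real environment.
# 203.0.113.x and 192.0.2.x stand in for arbitrary internet sources.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 203.0.113.7   51234 198.51.100.20 445  tcp ALLOW
2023-03-01T10:00:02Z 10.0.5.12     49152 10.0.5.40     445  tcp ALLOW
2023-03-01T10:00:03Z 192.0.2.55    40000 198.51.100.21 22   tcp ALLOW
2023-03-01T10:00:04Z 10.0.9.3      40001 198.51.100.21 22   tcp ALLOW
2023-03-01T10:00:05Z 203.0.113.8   40002 198.51.100.22 139  tcp DENY
2023-03-01T10:00:06Z 198.51.100.99 40003 198.51.100.23 3389 tcp ALLOW
"""

# Assumption: the organization's address space is RFC 1918 plus one public /24
# (198.51.100.0/24 is a documentation range used here as a stand-in).
ORG_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]

# Assumption: only these sources may open SSH sessions to servers.
SSH_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.9.0/24", "198.51.100.0/24")]

SMB_PORTS = {139, 445}   # NetBIOS session service and SMB over TCP
SSH_PORT = 22


def parse_flow(line):
    """Split one log line into typed fields."""
    ts, src, sport, dst, dport, proto, action = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src), "sport": int(sport),
        "dst": ipaddress.ip_address(dst), "dport": int(dport),
        "proto": proto, "action": action,
    }


def in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def audit(log_text, org_networks=ORG_NETWORKS, ssh_allowlist=SSH_ALLOWLIST):
    """Return (finding, src, dst, dport) tuples for allowed TCP flows that
    match either exposure. Denied flows are skipped: a firewall that blocks
    the traffic is doing its job; the finding is about what got through."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["action"] != "ALLOW" or f["proto"] != "tcp":
            continue
        external_source = not in_any(f["src"], org_networks)
        if f["dport"] in SMB_PORTS and external_source:
            findings.append(("smb_exposed_to_internet",
                             str(f["src"]), str(f["dst"]), f["dport"]))
        if f["dport"] == SSH_PORT and not in_any(f["src"], ssh_allowlist):
            findings.append(("ssh_from_unapproved_source",
                             str(f["src"]), str(f["dst"]), f["dport"]))
    return findings


def summarize(findings):
    """Count findings per type, for a one-line dashboard summary."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for kind, src, dst, port in results:
        print(f"{kind}: {src} -> {dst}:{port}")
    print(summarize(results))
```

On the constructed sample this flags exactly two flows: the SMB session from 203.0.113.7 and the SSH session from 192.0.2.55. The internal SMB traffic, the allowlisted SSH source, the denied NetBIOS attempt and the RDP flow are left alone. Confirming that an exposed SMB listener actually negotiates the SMBv1 dialect needs an active probe, which this log-only audit does not perform.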

Looking beyond the basics of asset, configuration, patch and vulnerability management, it is important to consider the trends and behaviors most often seen from nation-state backed ransomware gangs. For example, in 2023 we are increasingly seeing that intelligence gathering and regime posturing are prioritized over a big payday, particularly where nation-state backed hackers are concerned. Dwell time during breaches is up, often because public sector and critical infrastructure organizations lack the tools to monitor the networks and endpoints that should set off alarm bells when an intruder is present. There is no one-size-fits-all approach. For example, as electric and connected vehicles rise in popularity in public-sector fleets such as law enforcement, and public transit systems implement more advanced connected technology like tap-to-pay, the transportation sector could become a sitting duck without the right defenses in place.

You can’t put an endpoint agent on every part of a smart vehicle or on every rider’s phone that uses tap-to-pay on the subway, but you can keep a close eye on the networks the vehicles and trains are connected to. In most cases a combination of solutions is needed, and public-sector organizations should prioritize safeguarding their networks. An organization’s network is both the attacker’s richest target and the defender’s most empirical data source, which is why security teams need a holistic view of what is actually in their environment. That pervasive network visibility lets active defenders draw operational value from network telemetry and identify opportunities to defend against attackers before it is too late.
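The two points above, that long dwell time goes unnoticed where networks are not monitored, and that the network is where unmanaged endpoints can still be watched, come together in one of the oldest network-telemetry detections. As an added example (not code from the original article), the Python below looks for the most common tell of a resident implant in flow records: a host that checks in to the same external endpoint at nearly constant intervals. The record format, the thresholds and the sample flows are constructed assumptions rather than real data.

```python
"""Added example: flag periodic outbound 'beaconing' in flow telemetry.

An implant that has been resident for weeks usually checks in on a timer.
That regularity is visible in flow records even for devices that cannot
carry an endpoint agent. Flows are grouped by (source, destination, port)
and a series is flagged when its inter-connection gaps are almost constant.

Assumed record format (CSV): epoch_seconds,src_ip,dst_ip,dst_port,bytes_out
"""
import statistics
from collections import defaultdict

# Constructed sample telemetry, not captured from any real network.
# 10.0.7.21 talks to 192.0.2.10 roughly every 60 s; 10.0.7.33 browses normally.
SAMPLE_FLOWS = """\
1677664800,10.0.7.21,192.0.2.10,443,612
1677664860,10.0.7.21,192.0.2.10,443,598
1677664921,10.0.7.21,192.0.2.10,443,605
1677664980,10.0.7.21,192.0.2.10,443,611
1677665041,10.0.7.21,192.0.2.10,443,599
1677665100,10.0.7.21,192.0.2.10,443,604
1677665160,10.0.7.21,192.0.2.10,443,610
1677665219,10.0.7.21,192.0.2.10,443,603
1677664805,10.0.7.33,198.51.100.5,443,15000
1677664812,10.0.7.33,198.51.100.5,443,2300
1677664990,10.0.7.33,198.51.100.5,443,44000
1677665300,10.0.7.33,198.51.100.5,443,1200
1677665302,10.0.7.33,198.51.100.5,443,800
1677665900,10.0.7.33,198.51.100.5,443,9100
"""

MIN_CONNECTIONS = 6      # below this, periodicity is not meaningful
MAX_JITTER_RATIO = 0.10  # pstdev(gaps) / mean(gaps); raise to catch implants that add jitter


def load_flows(text):
    """Parse CSV flow records into (ts, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_beacons(flows, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Return one dict per (src, dst, dport) series whose connection gaps
    vary by less than max_jitter relative to their mean."""
    series = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        series[(src, dst, dport)].append(ts)

    beacons = []
    for (src, dst, dport), times in series.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            beacons.append({
                "src": src, "dst": dst, "dport": dport,
                "connections": len(times),
                "period_s": round(mean_gap, 1),
                "jitter": round(jitter, 3),
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(load_flows(SAMPLE_FLOWS)):
        print(f"beacon: {b['src']} -> {b['dst']}:{b['dport']} "
              f"every ~{b['period_s']}s over {b['connections']} connections "
              f"(jitter {b['jitter']})")
```

On the sample, the 10.0.7.21 series is reported with a period of about 60 seconds and a jitter ratio near 0.01, while 10.0.7.33, which has the same number of flows to the same port, is ignored because its gaps swing from seconds to minutes. In production the thresholds matter: real command-and-control often adds deliberate jitter, so a ratio nearer 0.3 with a longer observation window trades some false positives for coverage, and legitimate schedulers (NTP, update checks) need an allowlist.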

The world is rapidly evolving in terms of technology and digital connectivity, and companies across the globe are facing a slew of cyber threats at an alarming pace. As long as there is geopolitical conflict, asymmetric cyber warfare will be part of it. While we wait on world peace, governments and businesses alike need to actively defend themselves by closing the paths of least resistance to potential attackers. Through active defense and operational visibility, they can hope to avoid becoming the next cautionary tale.