Criminals attack targets where they think there is a strong chance of achieving a financial result and where the risk is low - in the words of bank robber Willie Sutton, they go “where the money is.” Today, ransomware gangs think of Critical National Infrastructure (CNI) providers as where the money is, based on how serious the impact is from any attack and how likely they are to pay out, writes Steve Knibbs, Director of Vodafone Business Security Enhanced. With CNI operators increasingly being targeted by attackers with ransomware for payouts, how can we reduce those risks and prevent problems?
According to Thales’ 2024 Data Threat Report for Critical Infrastructure, nearly a quarter (24%) of CNI organisations experienced a ransomware attack since the previous critical infrastructure report in 2022. In the same report, only 15% of CNI organisations said they would follow a formal ransomware response plan in the event of an attack. Our Threat Intelligence analysts saw the number of ransomware attacks in general continue to rise, from nearly 1280 victims in Q1 2024 to just over 1500 in Q2 2024, based on the victim names posted to ransomware gang leak sites over that period. The real figure is likely higher: leak-site counts only capture victims the gangs chose to publish, and companies that paid quietly never enter the public domain.
The ransomware risks for CNI
So why are CNI organisations getting targeted by ransomware gangs? And what are the main routes that these gangs are trying to take advantage of?
The biggest risk to CNI organisations comes from critical vulnerabilities that gangs exploit at scale. Software flaws in internet-facing edge devices (VPN gateways, firewalls and remote access appliances) and in security products themselves are relentlessly targeted by Advanced Persistent Threat groups and ransomware gangs alike. Once exploited, these flaws provide initial access; the attackers then move laterally to reach valuable data, or the systems from which they can deploy ransomware payloads across the estate.
As an example, the Qilin group, a Russian-speaking cybercriminal organisation, attacked a healthcare support services company in the UK this year, targeting the company’s backup software and security products and then using flaws in its IT infrastructure to spread. Ultimately, this halted surgeries and operations at hospitals across London and the South East of England, causing real-world impact through more than 6,000 cancelled appointments and delayed operations and treatment.
That pain is what gangs are counting on. When many citizens are affected, the impact of a compromise is significant, and may lead to a payout to prevent that pain spreading, from low level inconvenience through to direct risk to life and limb. Where there is so much potential risk, attackers think they can secure a payoff.
At the same time, CNI providers also have to look out for hacktivists and nation-state groups that use the same tactics, techniques and procedures. Nation-state actors carry out attacks to destabilise organisations in other countries, and use ransomware both for monetary gain and to cause disruption. Their primary goal is to have as much impact as possible on an adversary’s CNI, but hacktivists, too, will take whatever cash is available along the way.
Issues in security products and edge devices are particularly problematic for CNI organisations. When a flaw is discovered in an edge device, the guidance is to patch as fast as possible to prevent attacks. When nation-state actors are involved, however, the flaw may be a zero-day for which no patch yet exists. Ransomware groups are also no longer relying only on malware. Instead, they live off the land, using tools already present on the network to perform malicious activity, which is harder to detect or block than a custom implant. Remote access tools that are handy for support often carry extensive permissions to reach networks and devices for legitimate work, and ransomware groups abuse exactly those permissions to stage and deploy their payloads.
The route forward for CNI
CNI organisations need complete visibility of their networks so they can detect and block attackers, together with a baseline of what normal activity looks like so that out-of-the-ordinary behaviour stands out. Where known flaws exist, CNI security teams should be able to patch rapidly and prevent attacks where possible. Where zero-day issues lead to an initial foothold, defence-in-depth measures should stop those attacks from progressing any further into their systems.
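The two points above, that remote access tools are abused for legitimate-looking lateral movement and that defenders need a baseline of normal activity to spot deviations, can be turned into a simple detection. The following is an added example, not code from the article or from Vodafone: it reads process-creation events that have already been normalised to JSON lines (the field names, the list of remote-access tool executables and the sample events are all constructed for illustration), builds a per-host baseline of which remote-access tools are normally present, and then flags a tool appearing on a host where it was never baselined, or any remote-access tool spawning an interactive shell.

```python
"""Flag unexpected remote-access / remote-management tool activity.

Added example, not from the article. Assumes process-creation events have
already been normalised to one JSON object per line with the fields
host, user, image (executable name) and parent (parent executable name);
the field names, the tool list and the sample events are all constructed.
"""
import json

# Executables of common remote-access / RMM tools (constructed, non-exhaustive).
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe",
    "ateraagent.exe", "splashtopstreamer.exe", "rustdesk.exe",
}

# Interactive shells a remote-access tool has no business spawning on a
# production host in the normal course of support.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe"}


def parse_jsonl(text):
    """One event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per host: the set of remote-access tools seen during a known-good period."""
    baseline = {}
    for e in events:
        image = e["image"].lower()
        if image in REMOTE_ACCESS_TOOLS:
            baseline.setdefault(e["host"], set()).add(image)
    return baseline


def detect(events, baseline):
    """Return (rule, host, detail, user) tuples for events that deviate.

    new_tool   - a remote-access tool runs on a host where it was never baselined
    tool_shell - a remote-access tool (baselined or not) spawns a shell
    """
    findings = []
    for e in events:
        image, parent, host = e["image"].lower(), e["parent"].lower(), e["host"]
        if image in REMOTE_ACCESS_TOOLS and image not in baseline.get(host, set()):
            findings.append(("new_tool", host, image, e["user"]))
        if parent in REMOTE_ACCESS_TOOLS and image in SHELLS:
            findings.append(("tool_shell", host, f"{parent} -> {image}", e["user"]))
    return findings


# Constructed known-good period: the service desk runs one RMM agent on two hosts.
BASELINE_LOG = """
{"host": "hist-ws01", "user": "svc_desk", "image": "AteraAgent.exe", "parent": "services.exe"}
{"host": "lab-ws07", "user": "svc_desk", "image": "AteraAgent.exe", "parent": "services.exe"}
{"host": "hist-ws01", "user": "jsmith", "image": "excel.exe", "parent": "explorer.exe"}
"""

# Constructed monitoring period: a second tool appears, and shells are spawned
# both from the new tool and from the approved agent.
LIVE_LOG = """
{"host": "hist-ws01", "user": "svc_desk", "image": "AteraAgent.exe", "parent": "services.exe"}
{"host": "hist-ws01", "user": "jsmith", "image": "AnyDesk.exe", "parent": "explorer.exe"}
{"host": "hist-ws01", "user": "jsmith", "image": "powershell.exe", "parent": "AnyDesk.exe"}
{"host": "lab-ws07", "user": "svc_desk", "image": "AteraAgent.exe", "parent": "services.exe"}
{"host": "lab-ws07", "user": "svc_desk", "image": "cmd.exe", "parent": "AteraAgent.exe"}
"""


def run():
    """Baseline on the known-good log, then detect over the live log."""
    baseline = build_baseline(parse_jsonl(BASELINE_LOG))
    return detect(parse_jsonl(LIVE_LOG), baseline)


if __name__ == "__main__":
    for rule, host, detail, user in run():
        print(f"{rule:10} host={host} user={user} {detail}")
```

The approved agent on lab-ws07 is not flagged for merely running, because it is in that host’s baseline; it is flagged only when it spawns cmd.exe. That split matters in practice: blocking every remote-access tool would break the service desk, whereas alerting on new tools and on tool-to-shell transitions catches the abuse described above without touching normal support activity. In a real deployment the baseline would come from weeks of EDR or Sysmon telemetry rather than three constructed lines.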
A significant challenge for CNI organisations is simply how big the networks they have to support are, and how complex they have become. CNI organisations have more platforms and more connections between them to take care of. It’s the scale and complexity across IT and operational technology networks, and between traditional IT and more modern cloud-native infrastructure, that attackers can exploit. This scale can make it hard to deliver proactive security to defend against risks before they turn into real threats.
Even when security teams have full visibility of their estates, there are often systems that cannot be patched or updated, either because they are too critical to take offline or because they have been in place for so long that vendor support has lapsed, which leaves long-term exposure that has to be managed rather than fixed. CNI providers have to think in terms of decades for their security and operations, given the age and critical status of many of their key systems, rather than the months or years that IT teams typically plan around.
It is a challenge to keep this critical infrastructure secure against both ransomware and more insidious attacks. When attackers can move faster than security teams, they will try to take advantage of the gap. But this situation should not be seen as all doom and gloom. By applying the right processes and taking a defence-in-depth approach, we can be more proactive in preventing attacks from succeeding, keeping CNI protected and defeating those who would exploit its weaknesses.
CNI is essential in supporting, securing and serving the public as a whole. CNI organisations have some of the strictest regulations and compliance requirements to follow, and the addition of NIS2 brings more digital service providers under that same umbrella of strict security. This network of organisations can proactively share improvements around people, process, technology and skills through threat intelligence and peer-to-peer relationships that help us all where it is needed in response to a new threat. This collaborative approach can stop CNI organisations from being seen as easy targets, reduce the likelihood of any attack being successful, and prevent the need for payouts to ransomware gangs.
Steve Knibbs is head of Vodafone Business Security Enhanced (VBSE) and the chair of techUK’s first-ever National Security Committee. Knibbs oversees Vodafone’s division that provides vital highly confidential cybersecurity and network security services. Prior to Vodafone, he served in the Royal Signals Parachute squadron, in GCHQ and has experience as a networking engineer.