Spend any time studying official cyberattack disclosures and two words that crop up with striking regularity are “sophisticated” and “targeted.”
Every attack is said to be sophisticated, just as every attack is either targeted or even highly targeted. These terms have been a common element in press releases and regulatory disclosures ever since cyberattack incidents (usually data breaches) started becoming more frequent around 15 years ago.
If there was once a time when the distinction between a run-of-the-mill cyberattack and something more developed or clever seemed reasonable, that moment passed years ago. Today, everyone knows these words are often a form of verbal misdirection, an attempt to downplay security failings. If every attack features elements of sophistication and targeting, then saying so conveys nothing.
Worse, describing cyberattacks such as ransomware as sophisticated and targeted is often untrue. Many ransomware attacks are not terribly sophisticated at all; they exploit basic weaknesses common enough that the attacks might be better described as entirely predictable.
Back to Basics
This brings us to the unusual recent disclosure by U.S. company BHI Energy. The company’s security team detected a ransomware attack on June 29 after noticing that data had been encrypted on its network.
Sent to the Iowa state breach notifications office (but made public by news site Bleeping Computer), the letter reveals that the attackers—identified as the Akira ransomware gang—were later discovered to have gained initial access to the company systems a month earlier, on May 30.
It then describes the incredibly straightforward weaknesses that allowed the threat actor (TA) to gain a foothold:
“The TA’s initial access was achieved by using a previously compromised user account of a third-party contractor. Using that third-party contractor’s account, the TA reached the internal BHI network through a VPN connection.”
The outcome was not a happy one:
“The TA ultimately exfiltrated 690 gigabytes of data between June 20, 2023, and June 29, 2023, including a copy of BHI’s Active Directory database.”
Weakness No. 1: A compromised account. This is, of course, by far the most likely way attackers will begin any intrusion because it bypasses whole layers of security while allowing attackers to impersonate a legitimate user.
Weakness No. 2: This account was used by a third-party contractor, precisely the sort of account defenders forget about and can’t easily monitor for compromise.
Weakness No. 3: Not surprisingly, the contractor accessed the network through a VPN connection, which also makes monitoring harder when VPN traffic is trusted by default.
All three of these are common issues that crop up in many ransomware attacks, as is the likelihood that the contractor account was not protected with multi-factor authentication (MFA). What they are not is particularly sophisticated techniques or especially targeted ones.
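The three weaknesses above are the kind a defender can look for in routine log review rather than only after the fact. The following is an added example, not code from the article, from BHI Energy or from its disclosure: a small audit pass over VPN authentication records that flags logins by third-party accounts, logins that succeeded without MFA, and accounts that sat unused for weeks before suddenly authenticating again (the pattern of a stale contractor credential being reused). The log format, field names, the internal domain list and the sample lines are all constructed for this example.

```python
"""Added example (not code from the article or from BHI Energy): a small
audit pass over VPN authentication log lines that surfaces the three
weaknesses the article lists, namely logins by third-party (contractor)
accounts, VPN logins not protected by MFA, and accounts that sat unused
for weeks before suddenly authenticating again. The log format, field
names, domains and sample lines are all constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample: one in-house user, one contractor account whose
# dormant credential is reused weeks later from a new source address.
SAMPLE_LOG = """\
2023-04-03T08:02:10Z vpn-gw1 user=alice@corp.example src=203.0.113.10 mfa=yes result=success
2023-04-03T08:05:44Z vpn-gw1 user=jsmith@vendor-x.example src=198.51.100.7 mfa=no result=success
2023-04-04T08:01:55Z vpn-gw1 user=alice@corp.example src=203.0.113.10 mfa=yes result=success
2023-05-30T02:39:51Z vpn-gw1 user=jsmith@vendor-x.example src=192.0.2.77 mfa=no result=failure
2023-05-30T02:41:09Z vpn-gw1 user=jsmith@vendor-x.example src=192.0.2.77 mfa=no result=success
2023-05-31T09:10:33Z vpn-gw1 user=bob@corp.example src=203.0.113.22 mfa=yes result=success
"""

INTERNAL_DOMAINS = {"corp.example"}  # constructed: domains that count as in-house


def parse_line(line):
    """Parse '<timestamp> <host> key=value ...' into a dict; None for blank lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    event = {"time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), "host": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def audit_vpn_log(text, internal_domains=INTERNAL_DOMAINS, dormant_days=30):
    """Return one finding per successful login that trips any rule.

    Rules, in the order their reasons are reported:
      third_party          account domain is not an in-house domain
      no_mfa               the login succeeded without a second factor
      dormant_reactivated  the account's previous successful login was
                           more than `dormant_days` earlier
    """
    events = [e for e in map(parse_line, text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])  # log order is not guaranteed
    last_success = {}
    findings = []
    for e in events:
        if e.get("result") != "success":
            continue  # these rules key on successful logins only
        user = e.get("user", "")
        reasons = []
        domain = user.rpartition("@")[2]
        if domain not in internal_domains:
            reasons.append("third_party")
        if e.get("mfa", "no") != "yes":
            reasons.append("no_mfa")
        prev = last_success.get(user)
        if prev is not None and e["time"] - prev > timedelta(days=dormant_days):
            reasons.append("dormant_reactivated")
        last_success[user] = e["time"]
        if reasons:
            findings.append({"time": e["time"].isoformat(), "user": user,
                             "src": e.get("src"), "reasons": reasons})
    return findings


def summarize(findings):
    """Count how many findings carry each reason."""
    counts = {}
    for f in findings:
        for r in f["reasons"]:
            counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_vpn_log(SAMPLE_LOG):
        print(f["time"], f["user"], f["src"], ", ".join(f["reasons"]))
    print(summarize(audit_vpn_log(SAMPLE_LOG)))
```

On the constructed sample the contractor account is flagged twice: once in April as a third-party login without MFA, and again on 30 May, when the same credential reappears from a different address after 57 days of silence, which adds the dormant_reactivated reason. The in-house users trip nothing. A real deployment would feed the gateway's own log format into parse_line and treat any dormant_reactivated finding on a third-party account as worth a call to the vendor before, rather than after, data starts leaving the network.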
The words sophisticated and targeted don’t feature anywhere in the notification. Granted, this is an official communication rather than a public press release, but it makes refreshingly down-to-earth reading.
What BHI Energy is not trying to do here is hide behind the idea that the cyberattack it suffered was so clever that it was somehow unavoidable. On the contrary, it is admitting failings, hence the list of steps it says it has since taken to stop the attack from happening again.
It is a pity more don’t follow this example. Excuses and evasion undermine trust, the very thing cyberattacks feed on.