How XDR Helps Protect Essential Infrastructure from Threat Actors

Cyber attacks on a country’s or municipality’s essential infrastructure can have devastating effects on the ability to support their citizens. In many cases, attacks targeting essential infrastructure are conducted by gangs of threat actors backed by rogue nation-states. Employing an extended detection and response (XDR) solution provides enhanced protection for the IT environments necessary to maintain essential infrastructure.

What is Considered an Essential Infrastructure Sector?

Essential infrastructure sectors comprise the systems, networks, and enterprises responsible for supporting modern society and protecting a nation’s citizens. The specific entities designated by a government as being essential vary to a degree. For example, the Australian Government’s Security of Critical Infrastructure Act 2018 (SOCI) defines the following 11 sectors as being part of society’s essential infrastructure.

• Communications
• Data storage or processing
• Defense industries
• Energy producers and providers
• Financial services and markets
• Food and grocery
• Health care and medical
• Higher education and research
• Space technology
• Transport
• Water and sewerage.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has a slightly different view and designates 16 sectors as being essential. In addition to the sectors defined in SOCI, the CISA includes sectors encompassing dams, chemicals, emergency services, nuclear reactors, and commercial facilities.

Essential infrastructure facilities provide valuable targets for threat actors. A successful attack can have wide-ranging effects that go far beyond the initial target. Impacts on critical infrastructure can have a long-lasting impact on the population that cannot be easily mitigated.

Essential Infrastructure for SMBs

The threat to essential infrastructure is not confined to large facilities that serve the general population. Many small and medium-sized businesses (SMBs) operate in the designated essential sectors or depend on related services. Following are some examples of essential infrastructure that may be at risk for SMBs.

• A small trucking company’s communications are brought down by a cyberattack making it impossible to dispatch vehicles or make deliveries.
• A small financial services firm is attacked by ransomware and cannot recover the affected systems in time to close a lucrative deal.
• A medium-sized manufacturing plant’s water cooling system is disrupted by cyberattacks against the IT systems that monitor the assembly line, halting production at a substantial cost to the company.

While the effects of these kinds of attacks may not impact the general public, they can put an SMB out of business.

The Dangers of Cyber Attacks on Essential Infrastructure Sectors

While all cyber attacks are potentially damaging to the victims, those that impact essential infrastructure are particularly dangerous. Threat actors leverage this fact when going after high-value targets in the hopes of forcing the victim to quickly pay to recover systems affected by ransomware.

Implementing robust cybersecurity in the critical infrastructure sector is vitally important for the following reasons.

• Data loss affecting entities in the essential infrastructure sector often involves sensitive resources. Information regarding a nation’s defense posture or energy grid is extremely valuable to adversaries and puts the population at risk.
• One of the goals of cyberattacks on essential infrastructure is to disrupt the critical services that support modern society. A successful attack can cripple an organization such as a healthcare facility and make it impossible for it to provide care for its patients.
• An attack on the food chain or water treatment facilities can result in shortages or contamination that risks the population’s health and quality of life.
• A cyberattack focused on the defense sector can impact a nation’s ability to defend itself effectively. An attack conducted during a military engagement can substantially affect its outcome.
• Attacks on critical infrastructure can be politically motivated and backed by nation-states. The goal may be destabilization, allowing the attackers to take advantage of the victimized nation.

Recent Attacks on Essential Infrastructure Sectors

Let’s take a look at some recent attacks targeting essential infrastructure entities. The FBI reported 649 complaints made to its Crime Complaint Center regarding ransomware attacks on critical infrastructure organizations in 2021. Reporting indicated that 14 of the 16 entities designated as essential infrastructure by the CISA were victims of cyberattacks. Companies operating in the healthcare system were targeted by 148 ransomware incidents.

Ventia

Ventia is one of the largest essential service providers in Australia and New Zealand. The company was the victim of a cyberattack over the weekend of July 8th and 9th of 2023 which caused it to take key systems offline. As of July 12th, the company was still restoring external-facing networks. Ventia has not disclosed details of the attack, but the signs point to a ransomware attack. The outages caused by the attack can result in millions of dollars in lost revenue for the company.

Dole

A cyberattack in February 2023 resulted in Dole temporarily shutting down North American production plants and halting food shipments to grocery stores. A ransomware attack forced production to be shut down and led to a shortage of Dole salad kits in stores located in multiple U.S. states.

South Staffordshire PLC

This water distribution company was targeted by a cyberattack in August 2022. In this case, the attackers accessed customer data including names, addresses, and payment account numbers. While no immediate damage was done to the water distribution network, affected customers may be subjected to fraud or identity theft.

Threat Actors Focused on Attacking Essential Infrastructure

Multiple state-sponsored hacker groups have targeted essential infrastructure facilities around the world. They often employ sophisticated advanced persistent threats that attempt to remain hidden and move laterally through the environment until they find an appropriate target.

The Lazarus Group

Lazarus is a North Korean hacker group that has conducted successful cyberattacks against supply-chain and critical infrastructure organizations in the U.S. and Europe. VoIP company 3CX was breached with X_TRADER, a trojanized application that allowed malware distribution through a backdoor. The rogue application provides the group with a template for further attacks against essential infrastructure targets.

Maui ransomware

The U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are among the entities warning of the danger presented by North Korean state-sponsored threat actors since at least May 2021. One of the group’s weapons is Maui ransomware. The malicious software is an encryption binary that is executed manually by a remote operator. A combination of Advanced Encryption Standard (AES), RSA, and XOR encryption is used to render the victim’s data unusable.

Iranian Government-Sponsored APT Cyber Actors

Hackers backed by the Iranian government are attacking US and Australian essential infrastructure targets. The group takes advantage of vulnerabilities in Fortinet and Microsoft Exchange to gain initial access to the environment. They are considered an advanced persistent threat using these vulnerabilities in preparation for further exploits.

How XDR Enhances the Protection of Essential Infrastructure Sectors

Samurai XDR offers enhanced cybersecurity against threat actors targeting essential infrastructure sectors. Following are some of the advantages of deploying Samurai XDR.

• Samurai’s XDR platform employs threat intelligence from NTT’s Tier 1 internet backbone which aids and enriches the platform’s advanced AI and ML analysis. This analysis enables the solution to detect known and unknown threats to an organization’s IT environment.
• Samurai XDR can identify the subtle lateral movements that may indicate the presence of an APT by combining weak signals from multiple sources. This ability has increased importance in defending the operational technology (OT) networks deployed in many essential infrastructure facilities. Threat actors may gain access to an IT network to compromise the OT network. XDR can help prevent this type of malicious movement within an environment.
• The platform helps organizations with limited cybersecurity resources by consolidating and prioritizing threat information. XDR greatly reduces false positive alarms and enables security personnel to concentrate on the most serious threats.

Customers can contact the threat detection experts at Samurai and request a free trial.