Cyber Intelligence Weekly

Cyber Intelligence Weekly (December 3, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list.

Before we get started on this week’s CIW, I’d like to highlight a festive "Chew On This" episode, unwrapping a crucial gift for CIOs and organizations — the wisdom of a proactive incident response strategy.

📅 Save the Date: Wednesday December 13, 2023

🕛 Time: 12:00pm EST

🎙️ Special Guest: @Nick with Echelon’s @Matt Donato and @Paul Interval

Discover how a proactive incident response strategy protects sensitive data, ensures compliance, preserves reputation, and reduces costs.

Our experts will guide you through adapting to evolving threats, ensuring business continuity, and maintaining trust amidst the holiday spirit. Don't miss this timely discussion blending security with the season.

Mark your calendar and fortify your organization for the challenges ahead! Register for the third course of Chew on This.

Away we go!

1. U.S. Water Utilities Targeted in Series of Hack Attacks

In a concerning development for U.S. national security, federal investigators have confirmed that multiple water utilities across the United States have been targeted by hackers. This revelation comes in the wake of a cyberattack on a Pennsylvania water utility, where hackers breached the facility's control system. According to several news sources, these attacks have affected fewer than ten water facilities, all using the same Israeli-made industrial control system.

These incidents, while not disrupting the water supply or compromising drinking water safety, are alarming because of the ease with which they were carried out. The hackers, believed to be associated with Iran's Islamic Revolutionary Guard Corps, managed to deface computer screens at these facilities, primarily by exploiting default passwords on internet-connected devices. This series of cyberattacks has prompted a joint advisory from U.S. and Israeli authorities, highlighting the vulnerability of this critical infrastructure.

The most publicized of these attacks was at the Municipal Water Authority of Aliquippa near Pittsburgh, where hackers left an anti-Israel message. This utility, serving about 15,000 people, had to resort to manual operation of one of its pump stations after handing over the hacked equipment to the FBI. In response to these threats, CISA, the FBI, private experts, the Water ISAC, and water industry executives have made a concerted effort to remove vulnerable industrial equipment from internet access to prevent further breaches. The Water ISAC and CISA have laid out clear mitigations.


These recent breaches have underscored the urgent need for enhanced cybersecurity measures across the U.S. water sector, which comprises over 150,000 public water systems. Many of these systems face challenges in funding and staffing adequate cybersecurity defenses. Congressman Chris Deluzio, representing the district that includes Aliquippa, stressed the importance of this issue, emphasizing that local officials often serve as the frontline defense against such cyber threats. This series of cyberattacks serves as a stark reminder of the vulnerabilities in critical infrastructure and the need for heightened security measures.

2. Global Sting Takes Down Ransomware Syndicate in Ukraine

In a major crackdown on cybercrime, law enforcement agencies from seven countries, including the U.S. and Canada, have successfully arrested key members of a notorious ransomware gang based in Ukraine. This group, active since 2018, has been responsible for encrypting thousands of servers of large enterprises globally, causing an estimated $82 million in damages. Their modus operandi involved demanding ransoms in cryptocurrency, targeting various companies including a prominent chemical company in the Netherlands, from whom they demanded $1.3 million.

The operation, carried out amid the ongoing conflict in Ukraine, resulted in the arrest of the gang's 32-year-old alleged leader and four principal accomplices. Their identities, however, remain undisclosed. These cybercriminals were known for using sophisticated ransomware variants such as LockerGoga, MegaCortex, Hive, and Dharma. Their arrest, according to Europol and Ukrainian police, has effectively dismantled the gang. The criminals employed tactics such as phishing emails with malicious attachments and brute-force attacks to infiltrate networks. Once inside, they used malware and tools such as TrickBot, Cobalt Strike, and PowerShell Empire to compromise systems and prepare for ransomware deployment.

This operation follows a previous wave of arrests in 2021, where 12 individuals connected to the same group were apprehended in Ukraine. The data from devices seized during these earlier arrests played a crucial role in identifying other members of the gang. Last week's operation saw searches in four Ukrainian cities, including Kyiv, with real-time support from Europol's headquarters in the Netherlands. The police confiscated computer equipment, vehicles, bank and SIM cards, electronic devices, cash, and cryptocurrency assets. The arrested suspects had varied roles within the criminal organization, ranging from compromising IT networks to laundering the cryptocurrency ransoms paid by victims to unlock their encrypted files. This successful operation marks a rare positive step in the global fight against ransomware and cybercrime.

3. Healthcare Under Siege, New Jersey and Pennsylvania Hospitals Hit by Ransomware

In case you were wondering, threat actors still love to attack over the holidays! Hospitals in New Jersey and Pennsylvania are currently grappling with the consequences of cyberattacks, part of a disturbing trend of attacks increasingly targeting healthcare facilities. This week, Capital Health, which operates two hospitals and various smaller healthcare facilities in the region, announced a network outage due to a cybersecurity incident. This disruption follows another recent cyberattack on Ardent Health Services, a provider that runs multiple hospitals in New Jersey, which compelled it to divert emergency vehicles elsewhere.

In response to the attack, Capital Health affirmed that it is still providing patient care, including emergency services, by falling back on its established system-downtime procedures. The incident has necessitated the rescheduling of some elective surgeries and outpatient appointments, and the organization anticipates operating with system limitations for at least the next week. The company's IT team is actively working to restore the network and data systems while collaborating with law enforcement and cybersecurity experts.

This cyberattack is part of a growing trend where ransomware gangs target healthcare facilities, exploiting their critical need to maintain operations and the likelihood of paying ransoms. This nefarious strategy has been particularly prominent since the COVID-19 pandemic began in 2020. The increasing frequency of these cyberattacks is alarming, with a notable rise in incidents throughout 2023. This situation underscores the urgent need for enhanced cybersecurity measures in healthcare institutions to protect patient safety and data security.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon on our website.
