The start of this year’s Fourth of July holiday indicates we are not as independent or free as we should be when it comes to cybersecurity. On July 2, 2021, one of the largest supply-chain cyberattacks since SolarWinds occurred at Kaseya, an IT management software company. The ripple effect has touched hundreds of US companies, but the perpetrators claim the effects go much deeper. On the heels of heightened tension with the Russian government, the attack by Russian cyber gang REvil is both serious and sophisticated, radically affecting medium-sized businesses—the businesses least equipped to defend themselves.
In April of this year, President Biden placed sanctions on Russia, promising to hold Russia monetarily responsible for cyber interference or harm. He has also vaguely threatened Russia with hacking repercussions, giving a ‘you hack me, and I’ll hack you’ ultimatum. Exactly how prepared are the United States’ cyber defenses when faced with malicious and well-equipped Russian actors like REvil? So far, it is not encouraging. We are being hit right where it hurts: our vulnerable, medium-sized businesses.
Does this feel like déjà vu yet?
Two years ago, REvil made another, smaller-scale ransomware attack on local governments in Texas. Their modus operandi is the same: after infiltrating a supplier, malware is pushed out to every customer associated with that supplier. Sadly, thanks to COVID-19, we are now familiar with the term ‘super spreader’—someone who unknowingly spreads a virus on a large scale. Malware spreads similarly through IT supply chains. By targeting companies that supply hundreds to thousands of customers, malware is ‘super spread’ without the knowledge of the contaminated supplier. Sophos reports, “REvil actors not only found a new vulnerability in Kaseya’s supply chain, but used a malware protection program as the delivery vehicle for the REvil ransomware code.”
Both Adam Bricker (Executive Director of the Carolina Cyber Center) and Chris Wallace (Carolina Cyber Center’s Director of Security Services and Architecture) agree that this spells trouble for small to medium-sized businesses. “This is a double supply chain attack,” says Wallace, “where the initial attack targets a firm that supplies remote management software to many service providers, who each, in turn, provide services to multiple customers of their own.” It is not the capable and well-secured big businesses that struggle the most, then. “Third-party companies are often under little obligation to validate the security of their solution or held to any type of standard. Unfortunately, smaller businesses are unaware of even the standards that should be applicable,” notes Bricker.
While this may not be true of Kaseya itself, it points to a foundational issue in the way we think about security for small and medium-sized businesses. The 2020 Cyberspace Solarium report states, “when U.S. vulnerabilities are reduced and adversaries are forced to expend more resources, burn sensitive accesses, or utilize unique and expensive cyber weapons to achieve their desired results, cyberattacks will be reduced.” However, the recent uptick in cyberattacks calls that into question. Bricker comments on the report’s recommended layered cyber deterrence: “Their first major assumption is that the approach would alter the cost-benefit calculus of our adversaries. Our national leaders in cybersecurity must revisit that assumption because it is inherently flawed. We are not altering the cost-benefit calculus of our adversaries.”
It is not all doom and gloom, however. “Even though small and medium-sized businesses are falling through the cracks,” says Wallace, “it doesn’t have to stay this way. First, put someone knowledgeable in charge of your security. You do not want your CFO, with no knowledge of IT, to carry the weight of your security—consider a fractional CISO. It will continue to be profitable to hack smaller businesses until you start defending yourself. Know what is normal and what is not. Second, look at your contracts when you use a third-party servicer.” Both Wallace and Bricker agree that you must understand what your third-party service provider takes responsibility for. Do they disclaim liability for any harm their product causes you (usually, yes)? It is not about zero trust…it’s about intentional trust (the subject of a future article). Know who you can trust and who you cannot. Be cautious of a service provider who has no skin in the game when it comes to your security. And do not forget to look at your cyber insurance policy. It is becoming more common for cyber insurance policies to exclude certain types of cyberattack incidents. Not only this, but your insurance company might have a financial stake in the incident response firm it hires to support your response and remediation efforts! Finally, do not be afraid to ask for help as you look to implement these reasonable and prudent measures in your business. At the Carolina Cyber Center, we want the opportunity to earn your trust, whether it is through providing cybersecurity services or training you to protect your own business.