In the world of cybercrime, manufacturers remain in the crosshairs. It is a disturbing trend that should be front of mind for any manufacturer as it continues to build out digital systems and extensively connected IoT environments. Simply put, the risk to OT environments is real and can ultimately cripple an organization that fails to take proper measures.
The latest manufacturer to succumb to a costly attack is electronics manufacturer Foxconn. The attack targeted Foxconn's Mexican facility, presumably over the Thanksgiving weekend. The company behind well-known brand names including Sharp, Innolux, FIH Mobile and Belkin is the largest electronics manufacturing company in the world, recording revenues of $172 billion in 2019 with over 800,000 employees globally. The company is also an Apple manufacturer.
Expert thoughts
In an email, Andrea Carcano, co-founder of Nozomi Networks, tells IndustryWeek, “Successful attacks such as DoppelPaymer demonstrate that extorting large organizations can be much more profitable than attacking unsuspecting individuals. The DoppelPaymer ransomware made headlines last year after attacking and extorting various large organizations. Targeted ransomware like DoppelPaymer, BitPaymer, SamSam, Ryuk and others attack large businesses because this tactic can be much more profitable than attacking unsuspecting individuals. Disruption to a company’s operations can be costly, which is something that threat actors leverage in their attempts to force victims to pay the requested ransom,” he says. “DoppelPaymer isn’t the first ransomware to exfiltrate data and threaten to leak it if the requested ransom isn’t paid. We’ve also seen this with Maze ransomware, where exfiltrated data was released after companies refused to pay. Ransomware can pose a further threat in relation to the General Data Protection Regulation (GDPR).”
Carcano continues, “These kinds of ransomware scenarios should be factored into an organization’s incident response plans. Beyond a technical response, decision makers need to be prepared to weigh the risks and consequences of alternate actions. Ransomware threat actors typically rely on spear phishing links or vulnerable public services to gain initial entry into a network. Afterwards, they move laterally to gain access to as many nodes of the network as possible, allowing them to increase the magnitude of the disruption,” he says. “To protect OT and IoT environments from ransomware, cybersecurity best practices such as strong segmentation, user training, proactive cyber hygiene programs, multi-factor authentication and the use of continuously updated threat intelligence should be considered.”
In a statement, Gurucul CEO Saryu Nayyar also provided commentary. “This is the second major breach of an OEM fab in as many months. It shows the attackers are becoming more sophisticated, going after bigger game, and improving their business model. We can expect this to become their new standard model. Break in. Steal data to use for extortion. Deploy ransomware. Profit. It is a win-win for them, and a lose-lose for the victim even if they have backups in place to deal with a ransomware attack,” says Nayyar. “Organizations need to up their game if they want to avoid becoming the next news-worthy breach. User education, MFA, and a solid perimeter can help keep attackers from getting in. While inside, a robust security stack, with security analytics, can help identify a breach and mitigate it before the attackers steal data or encrypt systems. We can only hope the international law enforcement community will rise to the occasion and do their part, because these cybercriminals show no sign of stopping on their own.”
It's quite likely the attackers got into the operations side of things, explains Chloé Messdaghi, vice president of strategy with Point3 Security, in an emailed statement. “This is a case that showcases a lack of zero trust practice and data backup done poorly. The very best way to avoid the havoc that ransomware can cause is to have a working plan in place,” Messdaghi says.
Four Security Hygiene Steps
Messdaghi provides four crucial steps for manufacturers going forward.
1. Identify your business critical data, where it will be stored and how often it should be backed up.
2. Create a backup plan that includes storage that’s not readily accessible through your network, and that’s protected by 2FA that’s complex, frequently changed and known by only one or two people. “We refer to the 3-2-1 approach: three copies of data stored across two mediums and one cloud storage provider,” says Messdaghi.
3. Take this approach and work it into a disaster recovery playbook.
4. Revisit and update that playbook at least quarterly. “Are your tools the same? Are your personnel the same? Are the data flows and regulatory requirements the same? A playbook that’s more than 60 days old is bound to be at least a little moldy, and likely outdated. With the recent spate of attacks, more companies are adopting the air gap approach,” says Messdaghi. “In Foxconn’s case, they may well have to actually pay the ransom, because hitting and halting production is an attacker’s dream. And out of $172 billion in revenues, they’ll peel off $34 million, an enormous amount, but if production’s hit, that might be their only option.”