Wednesday, March 12, 2025

Regulation and its role in protecting critical infrastructure [Q&A]


Protecting critical national infrastructure (CNI) against attack is a huge undertaking for governments and for those organizations that deliver CNI services.

New regulation in Europe — the NIS2 Directive — includes an increased focus on resilience for CNI, covering traditional critical services like banking, utilities, transport and public safety as well as new provisions for digital service providers. In 2025, the Digital Operational Resilience Act (DORA) will enforce more stringent resilience and security requirements on the financial sector. And in the UK, the forthcoming Cyber Security and Resilience Bill will demand more investment in security too.

To understand more about the reasons behind all these regulations being introduced, we spoke to Steve Knibbs, director at Vodafone Business Security Enhanced (VBSE), about the threats to CNI, why ransomware is a big challenge for CNI organisations, and how, as a CNI provider itself, the company is expanding its approach.

BN: How much is ransomware a problem for CNI organizations?

SK: The number of ransomware attacks is still rising each month. In our Threat Intelligence report for the last quarter, the ransomware leak sites posted just over 1500 new victims, an increase from nearly 1280 in Q1 2024 — this number covers those who did not pay the ransom before being posted publicly so the overall number may be higher.

The ransomware groups, both new and existing, mostly use phishing, stolen credentials or the exploitation of well-known vulnerabilities to gain access to their targets. In Q2 2024, ransomware groups have moved over to targeting more network edge devices like routers that have known vulnerabilities in order to gain access.

Mass exploitation of critical vulnerabilities has continued to be a popular method among the threat groups. Exploiting vulnerabilities in edge devices to gain initial access has become a favourite of many ransomware and APT (Advanced Persistent Threat) groups that lead attacks. For example, the Qilin ransomware group concentrates specifically on issues in the backup software and security products that organisations use to protect themselves, in order to get that initial access. Once they are in, they use tools like Mimikatz to escalate privileges, then use faults in common IT management or infrastructure software to deploy ransomware. Qilin’s attack against a pathology company, Synnovis, affected primary care providers and hospitals across London and the South East of the UK.

BN: Why are attackers focusing on CNI and what are their aims in doing so?

SK: CNI is invaluable to the country — it is what takes care of citizens, what keeps businesses moving, and what keeps daily life safe and secure. With this in mind, any compromise could lead to more impact on society. We have seen attacks on hospitals in the US and Australia lead to canceled operations and missed hospital appointments, which has a direct impact on patients. Attacks can have other direct impacts like stopping access to water or causing travel delays, and there can be indirect effects like making it impossible to work. Where there is that level of potential risk, attackers think that they can more easily secure a payoff.

Others may see ransomware as a way to make money as a byproduct of their goal to cause problems and chaos in the economy. Hacktivist groups are more likely to want to damage CNI capabilities and affect operational performance, but they will not say no to the money either.

BN: What weaknesses can they take advantage of?

SK: Different groups have different techniques, tactics and procedures (TTPs) that they employ to attack organizations. For example, Chinese state-sponsored groups have exploited recently discovered vulnerabilities on security edge devices like VPNs before they could be patched by their target network's administrators. Issues in security products were heavily targeted. Patching these assets fast is essential to stay ahead of attackers looking for vulnerable assets.

Once the groups start using a TTP that is successful, these critical vulnerabilities are targeted by multiple other threat actors for ransomware as well. It’s a race for the security teams to enact changes before they can be targeted, and it is also a race between threat groups as well.

BN: Who are the big threat groups that are carrying out these attacks?

SK: The top two ransomware groups with the most successful attacks have been Alphv/BlackCat and LockBit. However, law enforcement groups destabilized these groups, making arrests and breaking up their operations. This has dropped the number of attacks that those groups were able to carry out.

While these actions have been successful, new groups are coming onto the scene to replace them — some are brand new, and some are older groups that have just re-badged themselves. Play and BlackBasta are increasing their activities each month as well.

Why do we give publicity to these groups? It’s by knowing how these groups operate, the kinds of issues that they target and how fast they work, that you can prepare your defenses. Knowing how these groups operate, you can understand your potential risk exposure and how long you have to harden your infrastructure against attacks against specific issues. This is an effective use of threat intelligence data that can help you be more successful in your operations.

BN: What can be done to stop ransom attacks on CNI?

SK: To prevent these attacks from taking place, CNI organizations need complete visibility of their network, monitoring for any intrusions, making it possible to detect and block threat actors from progressing any further into IT systems.

Many adversaries are becoming more sophisticated, learning new ways to stay under the radar and avoid being detected for longer. These groups are no longer using malware in their attacks; they are instead using the tools that are already on the network to create malicious scripts without being detected by security applications or devices.

At the heart of it, we have good cybersecurity management principles in place for IT, Operational Technology (OT) and Industrial Internet of Things deployments. There has been a huge amount of work done in these technology sectors so that we can help keep all our networks secure. Improving CNI security and keeping ahead of attackers is hard because CNI organizations have massive, complex networks to manage and fixing all those potential issues in good time is the issue. When attackers can move faster than security teams, they have more opportunities to take advantage of problems.

For CNI companies, this is a continual lifecycle challenge to keep these long-term technology projects secure. CNI organizations can stay ahead by applying the right processes and taking a defense-in-depth approach, so we can help prevent attacks from being successful.

Image credit: ra2studio/depositphotos.com
