Aviation & Logistics: Island Hopping – A Growing Threat

Type carbonblack
Reporter Sean Blanton
Modified 2018-09-14T15:00:17


When we think about the industries that have the most to lose from a serious cyber attack, our minds probably go immediately to the Finance, Healthcare, and Energy sectors. And for good reason: as Carbon Black research shows, 78% of IR professionals say they observe attacks on the financial industry most often, with Healthcare right behind it. When we begin to discuss energy and critical infrastructure, there is a strong argument to be made that WW3 will be waged on that front, with literally tens of millions of lives hanging in the balance in an advanced, widespread attack.

Today, I want to shift the focus to the Aviation industry, which includes transportation, defense, logistics, and more: an industry that is responsible for the roughly 10,000 airplanes and 1,000,000 passengers that populate our skies across the globe at any given moment. In addition, millions of tons of goods are being transported via air freight, contributing massively to the backbone of the global economy.

It’s Not Me, It’s You

Among the bigger problems the Aviation industry faces today are not necessarily weaknesses in its own defenses, but island hoppers targeting organizations with less mature security postures along its global supply chain in order to gain access to connected systems. Per the Carbon Black Quarterly Incident Response Threat Report, over a third of today’s attackers are using their victims for precisely this reason. As large enterprises become more and more secure, we’ll see the use of this attack strategy expand.

We’ve been facing a cyber-insurgency from foreign threat actors since 2014. In March of this year, the United States CERT issued an alert around “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” which includes the aviation sector. In the alert, they describe the tactics, first observed in 2016, used by the Russian Government as follows:

“This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert.”

It is absolutely imperative that we stay cognizant of the fact that the route to exploitation often doesn’t begin with us. These tactics aren’t exclusive to the Russians. Threat actors from China, Iran, North Korea, and others are all using this increasingly common strategy to infiltrate the target, performing reconnaissance, lateral movement, and counter-incident-response along the way.

The Case of TNT Express/FedEx

In 2015, FedEx began the acquisition of TNT Express, a UK-based shipping company. By 2016, the purchase was complete and systems integration was planned to occur over the coming year. What wasn’t planned was the devastating Shadow Brokers leak that hit the world in early 2017, providing attackers everywhere with the EternalBlue exploit.

By June of 2017, the Ukrainian arm of TNT Express was left crippled by a NotPetya attack that entered its networks via a bogus update from a piece of financial software called MeDoc. But this wasn’t just any cyber attack. A widespread effort by a nation state group (think: who was occupying parts of Ukraine at this time) was underway, targeting Ukraine and companies that do business there by leveraging the weaker defenses and vulnerabilities that existed along the supply chain.

The damage done? Reported losses of $400 million in the first half of 2018. Around $1.10 of value lost per share of FedEx stock. System integration costs also increased to the tune of an additional $600 million.

This attack crippled the legacy systems that made up the backbone of their infrastructure. Planes were grounded, truck routes halted, and brand degradation occurred as the company’s name consumed the news cycle for months in the wake of this devastating attack.

What Can Be Done?

As I’ve previously discussed, we all need to take a page out of the pilot’s notebook. Through this approach we can start adopting more comprehensive cyber-security checklists that will reduce risk surface. Much of your risk surface is considered low-hanging fruit for attackers. For instance, focusing on vulnerability management, controlled use of administrative credentials, and instituting strict configuration management policies is a start. But we need to go further. The threatscape is the most fluid it’s ever been, and teams must be equipped with solutions that:

  • Turn lights on in places that weren’t illuminated before; think anti-collision lights and warning systems on the entire aircraft
  • Provide an extensible platform that allows for proactivity in defenses; how much control over your systems do you have, and can it be audited?
  • Enable threat hunters; how rich is your data set, where does the data reside, and what threat intelligence are you using?
  • Give teams the ability to automate vital pieces of their workflow, allowing for more cycles to focus on what matters; solutions working in silos help no one

Furthermore, always be asking questions. What standards are being used when vetting vendors that will handle your data, have a presence within your network, or maintain any other link to your systems that could be abused or serve as a beacon?

Don’t let a compliance stamp of approval allow you to sleep easy at night while the imminent threat still persists.

Carbon Black offers a platform to address the myriad obstacles that defenders face on a day-to-day basis. We’ll be a sponsor at the Aviation ISAC conference in Kissimmee, FL this year. We’ll be at Booth #14 from September 19th - 21st, so come see us to discuss how Carbon Black can help transform your security practice and truly help you sleep better.

Photo Source: flightradar24.com

The post Aviation & Logistics: Island Hopping - A Growing Threat appeared first on Carbon Black.