A warning to Canadian government and businesses: COVID-19 opens a back door to cyberattacks
With Canada directing a lot of resources to fight COVID-19, the government “maybe unintentionally leaving the back door open to serious state-sponsored cyberattacks,” according to Richard Rogerson, Managing Partner of Packetlabs. Packetlabs is a company of ethical hackers specializing in real-world simulated cyberattacks to protect governments, businesses, and organizations. Due to remote work during the pandemic, the danger of cyberattacks has increased exponentially.
“We just saw a very serious, active cautionary tale play out in Australia after they announced a massive and successful cyberattack last week,” said Rogerson. “Australia was targeted by a state-sponsored cyberattack across several industries and all levels of government. In the wake of the attack, the Australian PM urged businesses to shore their defences, stating that the “malicious activity” was also seen globally. Canada needs to take that warning seriously and get our house in order.”
Rogerson points out that COVID-19 has forced several companies to cut corners for quick remote access, which resulted in exposure to insecure applications that often make use of weak credentials. This gives a tempting opening for cyberattacks.
Packetlabs is taking this opportunity to sound an early warning, hoping that the Canadian Government and businesses take steps to reduce the risk of a successful cyberattack. According to Rogerson, some of the things that the governments and businesses can do now to mitigate such an attack are:
1) Consider themselves a target (even if they are far removed from the Government or sensitive information). Canadian steel manufacturers are an example as they are in the supply chain for the production of controlled goods. If they are compromised by a cyberattack, there could be an impact on operations that would cause a financial impact on their business, and ultimately to Canadian defence capabilities.
2) Actively test weaknesses and schedule a penetration test. Similar to a fire drill, governments and companies need to explore their businesses from an attacker’s perspective. Unfortunately, not all industries take cybersecurity seriously because they feel they do not have sensitive information or mandated requirements for testing. A penetration test is basically a cybersecurity fire drill.
3) Don’t assume your IT guy is on top of it. Managed service providers / IT Service providers and companies throughout the supply chain end up being the weakest links, they enable remote access to 20-30 targets at a time. Most manufacturing environments are internet-connected and make use of weak/default credentials and some still use seriously outdated legacy operating systems including Windows XP.
4) Educate your staff about phishing. A lack of internal network segmentation enables an attacker who compromises a business using targeted phishing attacks to move throughout the environment without any additional security layers. In phishing campaigns, Packetlabs typically have a 15-20 per cent submission rate often leading to remote access with even administrators falling victim to phishing campaigns and compromising their business within 1-2 hours.
5) Embrace two-factor authentication. According to Rogerson, Packetlabs can obtain administrative privileges over an entire network within two weeks on nearly all the attacks they perform. What many businesses use is single-factor authentication, traditionally a simple username and password. Single-factor authentication is easy to guess and/or steal through phishing or other means.
“Our job is to make the attacker’s job more difficult,” added Rogerson. “We work to isolate outdated legacy applications, find all missing critical security patches, and provide recommendations to improve overall security.”
Rogerson points out that the easiest way for governments and businesses to protect against a cyberattack is to keep their computer systems up to date with easily available security patches. Australian authorities have identified their attacks as being ‘copy-paste compromises,’ meaning that the attacks took advantage of programs in the public domain. This also shows that because commonly available programs can be compromised for a major cyberattack, the attackers don’t even need the persistence or funding of a state actor to be successful.
“The Canadian Government and Canadian businesses need to get serious about their cybersecurity, or we could see a real shutdown through weak remote worker systems, phishing, copy-paste compromises, or other proven tactics. The good news is that if we learn from the Australia attack, we can start plugging the holes in our systems today,” he said.