Date: 28/09/2023
Where:
Atlantic islands, Central, and South America. Most recent incident focused on Bermuda
Who’s involved:
The entirety of the Bermudan government’s services
Governments of several neighboring countries
Hackers allegedly based out of Russia
What happened?
The government of Bermuda experienced a network breach in its public infrastructure, first detected on the night of 20/09/2023.
An official statement was put out on 21/09/2023, with a formal press appearance by the island's Premier, Mr. E. David Burt, on 25/09/2023. In the statement, the Premier blamed hackers from Russia.
According to the press, all government departments were in some way impacted, though there haven't been any specifics released as to the extent of the damage. The recovery is still ongoing, with payroll and critical infrastructure now largely restored. However, a full restoration will take weeks.
Mr. Burt says that attribution details are being withheld from the public as a matter of national security, and that the classified information indicates other neighboring countries were attacked as well.
There is an investigation ongoing as to whether or not any critical information was stolen.
While it is too early to determine for sure, this attack follows a pattern of major ransomware attacks launched against other neighboring countries by Russia-based threat actors over the past two years.
Rick Mello, CISO of Sentinel Cybersecurity, said in a statement to Bermuda’s Royal Gazette that, “All signs point to [a] ransomware attack,” based on the reaction from the government and the timeline of recovery.
This is all unfolding in the leadup to Bermuda’s Personal Information Protection Act going into effect, which will impact the disclosure procedures of these events. Beginning in 2025, all cybersecurity events that may impact citizens’ private information have to be explicitly reported in as much detail as possible. It will also encourage more private-public cooperation and the ability for responders to work with staff from other countries if it’s deemed necessary.
Analysis:
Bermuda is the latest Atlantic island nation that’s found itself to be the target of a major cyberattack tied to Russian threat actors.
The attacks have crippled Bermuda’s public infrastructure since the night of 20/09/2023, and are expected to do so for the next several weeks. Bermuda’s Premier, Mr. E. David Burt, has stated that other Atlantic locales were impacted as well, but did not disclose which ones. While the details still haven’t been confirmed by Bermuda’s government, expert opinion seems to indicate that this is a ransomware attack. If this is true, it means that Bermuda would join Haiti, the Dominican Republic, and Venezuela as the latest victims of such an offensive. This is likely part of a broader trend by Russian threat actors against developing nations, whose own experts see a solution in regional “cyber-cooperation”.
So far, there has been a lack of transparency in the name of national security, a policy that is slated to change in 2025 when Bermuda’s Personal Information Protection Act goes into effect. Increased transparency and information sharing are factors that both Bermuda’s own Privacy Commissioner, Alexander White, and other experts from the Caribbean and Latin American cybersecurity communities have insisted will be needed to improve resiliency in the developing areas of the western hemisphere. Since 2020, Russian ransomware groups such as Conti, Clop, and others have crippled infrastructure in these regions and gone largely unpunished.
In 2022, the Dominican Republic and its neighbors had to cooperate and share information to combat the Conti ransomware, which had threatened to do significant damage to the entire Caribbean. A reason for these moves towards regional cooperation, especially among nations with smaller economies, is the fear of a nightmare scenario such as the 2017 Petya and NotPetya ransomware attacks. These nearly shut down Ukraine’s banking and healthcare sectors, while inflicting nearly a billion US dollars in damages on the Maersk corporation.
Mitigation guidelines for institutional malware targets as recommended by ENISA and CISA:
Immediate Response
1. Containment:
Isolate affected systems to prevent the spread of malware.
Disconnect affected systems from the network.
2. Eradication:
Remove malware from affected systems.
Apply patches and updates to fix vulnerabilities.
3. Incident Reporting:
Inform internal security teams.
Report the incident to relevant local, national, or international authorities.
Forensic Investigation
1. Collect Evidence:
Preserve logs, memory dumps, and other relevant data.
Document every action taken during the incident response.
2. Investigate:
Analyze the malware to understand its functionality and purpose.
Determine the scope and impact of the incident.
Communications
1. Internal Communication:
Inform employees and stakeholders about the incident.
Provide guidance on actions they should take to prevent further damage.
2. External Communication:
Notify affected parties and the public, as appropriate.
Coordinate with external partners and vendors to address the incident.
Recovery Measures
1. Restore Operations:
Rebuild affected systems.
Restore data from backups.
2. Monitor:
Closely monitor network traffic and system behavior for signs of malicious activity.
Update threat intelligence feeds and security controls.
3. Post-Incident Review:
Evaluate the incident response to identify areas for improvement.
Update incident response and recovery plans based on lessons learned.
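As an added example for the "Monitor" step above (this script is not part of the original briefing, nor of the ENISA or CISA guidance it summarizes), the following Python detector scans file-server audit lines for two behaviours typical of a ransomware run: a burst of extension-changing renames by one account inside a short window, and the creation of a ransom-note-like file. The log format, the sample lines, the thresholds and the note-name fragments are all constructed assumptions to be tuned per environment.

```python
"""Ransomware-style activity detection over file-server audit logs.

Added example; not from the original briefing or from ENISA/CISA guidance.
The log format, sample lines and thresholds below are constructed assumptions.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: "<ISO timestamp> <user> <ACTION> <path>[ -> <newpath>]".
SAMPLE_LOG = """\
2023-09-20T22:01:03 alice WRITE /share/finance/q3.xlsx
2023-09-20T22:01:10 alice RENAME /share/finance/draft.docx -> /share/finance/final.docx
2023-09-20T22:02:00 svc_backup READ /share/finance/q3.xlsx
2023-09-20T22:02:30 carol RENAME /share/it/config.txt -> /share/it/config.bak
2023-09-20T22:05:01 bob RENAME /share/hr/roster.xlsx -> /share/hr/roster.xlsx.locked
2023-09-20T22:05:02 bob RENAME /share/hr/payroll.csv -> /share/hr/payroll.csv.locked
2023-09-20T22:05:02 bob RENAME /share/hr/contracts.pdf -> /share/hr/contracts.pdf.locked
2023-09-20T22:05:03 bob RENAME /share/hr/handbook.docx -> /share/hr/handbook.docx.locked
2023-09-20T22:05:04 bob RENAME /share/hr/photos.zip -> /share/hr/photos.zip.locked
2023-09-20T22:05:05 bob RENAME /share/hr/budget.xlsx -> /share/hr/budget.xlsx.locked
2023-09-20T22:05:09 bob WRITE /share/hr/HOW_TO_RESTORE_FILES.txt
this line is malformed and must be skipped rather than crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>[A-Z]+) (?P<path>\S+)(?: -> (?P<newpath>\S+))?$"
)

# Assumed thresholds: five extension-changing renames by one user inside 60 seconds.
RENAME_THRESHOLD = 5
WINDOW = timedelta(seconds=60)
# Assumed ransom-note name fragments; a weak signal on its own, so it is rated medium.
NOTE_PATTERN = re.compile(r"(readme|how_to|decrypt|restore|recover)", re.IGNORECASE)


def parse_log(text):
    """Parse audit lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def extension_changed(old_path, new_path):
    """True when a rename gives the file a different extension (e.g. .xlsx -> .locked)."""
    return os.path.splitext(old_path)[1].lower() != os.path.splitext(new_path)[1].lower()


def detect(events):
    """Return alerts: rename bursts (high severity) and ransom-note-like writes (medium)."""
    alerts = []
    recent_renames = defaultdict(list)  # user -> rename timestamps inside the sliding window
    burst_alerted = set()               # users already reported, so each burst fires once
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["action"] == "RENAME" and ev["newpath"] and extension_changed(ev["path"], ev["newpath"]):
            window = recent_renames[user]
            window.append(ts)
            while window and ts - window[0] > WINDOW:   # expire timestamps older than WINDOW
                window.pop(0)
            if len(window) >= RENAME_THRESHOLD and user not in burst_alerted:
                burst_alerted.add(user)
                alerts.append({"rule": "rename_burst", "severity": "high", "user": user,
                               "ts": ts.isoformat(), "count": len(window)})
        elif ev["action"] == "WRITE" and NOTE_PATTERN.search(os.path.basename(ev["path"])):
            alerts.append({"rule": "ransom_note", "severity": "medium", "user": user,
                           "ts": ts.isoformat(), "path": ev["path"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed sample, the detector raises one high-severity alert for bob at the fifth rename and one medium-severity alert for the note file, while alice's same-extension rename and carol's single `.bak` rename stay below threshold. The note-name rule is deliberately rated lower because legitimate documents match those words too; in a real deployment it should corroborate the rename burst rather than page on its own.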
Preemptive and Proactive Measures
1. Security Awareness Training:
Educate users on recognizing and reporting phishing and other malicious activities.
Perform regular simulated phishing exercises to reinforce learning.
2. Cyber Hygiene:
Regularly update and patch systems and applications.
Enforce the use of strong, unique passwords.
3. Network Segmentation:
Segment networks to limit lateral movement of attackers.
Use firewalls, intrusion detection/prevention systems, and other security tools to monitor and control traffic.
4. Vulnerability Management:
Regularly scan for and remediate vulnerabilities.
Prioritize vulnerabilities based on risk to the organization.
5. Backup and Restore:
Regularly back up critical data and systems.
Test restore procedures to ensure data integrity and availability.
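As an added example (not from the briefing, nor from the ENISA or CISA guidance it summarizes), the following Python script covers two of the steps above with one mechanism: preserving collected evidence with an integrity manifest and a hash-chained action log ("Collect Evidence" under Forensic Investigation), and checking that a restored directory matches what was backed up ("Test restore procedures" under Backup and Restore). The file names, contents and analyst name used in demo() are constructed.

```python
"""Integrity manifest and hash-chained action log for evidence sets and backups.

Added example; not from the original briefing or from ENISA/CISA guidance.
Everything written in demo() (file names, contents, analyst name) is constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, collected_by, note=""):
    """Hash every file under root and record who collected it and when (UTC)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {"created": datetime.now(timezone.utc).isoformat(),
            "collected_by": collected_by, "note": note, "files": files}


def verify_manifest(manifest, root):
    """Compare a directory (evidence copy or restored backup) against its manifest.
    Returns only the problem categories found; an empty dict means intact."""
    problems = {"missing": [], "modified": [], "unexpected": []}
    seen = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            expected = manifest["files"].get(rel)
            if expected is None:
                problems["unexpected"].append(rel)
            elif sha256_file(full) != expected["sha256"]:
                problems["modified"].append(rel)
    problems["missing"] = list(set(manifest["files"]) - seen)
    return {k: sorted(v) for k, v in problems.items() if v}


class ActionLog:
    """Append-only record of responder actions; each entry commits to the previous one."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "prev": prev}
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """False if any entry was edited, removed or reordered after the fact."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def _write(path, data, mode="w"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)


def demo():
    """Constructed walk-through: collect, verify intact, then detect tampering."""
    log = ActionLog()
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "logs", "auth.log"),
               "Sep 20 22:05:01 fs01 sshd[4242]: Accepted password for bob from 10.0.8.15\n")
        _write(os.path.join(root, "memory.dmp"), b"\x00" * 4096, "wb")
        log.record("analyst-1", "collected evidence from fs01 into staging directory")
        manifest = build_manifest(root, collected_by="analyst-1", note="constructed sample")
        log.record("analyst-1", "built manifest over %d files" % len(manifest["files"]))
        intact = verify_manifest(manifest, root)
        # Simulate what a bad restore or an intruder would do to the evidence set.
        _write(os.path.join(root, "logs", "auth.log"), "tampered\n", "a")
        os.remove(os.path.join(root, "memory.dmp"))
        _write(os.path.join(root, "extra.txt"), "x")
        tampered = verify_manifest(manifest, root)
    log_ok = log.verify()
    log.entries[0]["action"] = "edited after the fact"   # any later edit breaks the chain
    return {"intact": intact, "tampered": tampered, "log_ok": log_ok, "log_after_edit": log.verify()}
```

The manifest is built at collection (or backup) time and checked again before the evidence is analysed or the restored data is put back into service; the verification reports exactly which files are missing, modified or unexpected, which is the evidence a post-incident review needs. The action log does not prevent tampering, but a broken chain shows that the record of who did what, and when, is no longer trustworthy. Store both the manifest and the log on media separate from the data they describe.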
Legal and Regulatory Compliance
Compliance with Laws and Regulations:
Adhere to relevant legal and regulatory requirements related to data breach notification and reporting.
Consult legal counsel to navigate legal obligations and potential liabilities.
Collaboration and Information Sharing
Collaborate with Other Organizations:
Engage in information sharing with peer organizations, industry groups, and government agencies.
Leverage shared threat intelligence to enhance situational awareness.
Mitigation Summary
These mitigating practices, when effectively combined, form a robust and resilient approach to managing the risk posed by malware attacks. The key is to be proactive, keep abreast of the evolving threat landscape, and continuously refine and update strategies and controls to counter emerging threats.