Aviation and logistics: Why island hopping is a growing threat

By Jason Madey, Carbon Black

Earth's teeming skies


Think about the industries with the most to lose from a serious cyber attack, and our minds usually zero in on the finance, healthcare and energy sectors.

There is good reason for this, as recent research shows that 78 percent of IR professionals say they observe attacks on the financial industry most often, with healthcare right behind it.

Consider energy and critical infrastructure, and there is a strong argument to be made that WW3 will be waged on that front, with literally tens of millions of lives hanging in the balance in an advanced, widespread attack.

Let's focus on the aviation industry, which includes transportation, defence, logistics and more. It is an industry responsible for the roughly 10,000 aircraft and a million passengers populating our skies across the globe at any given moment. In addition, millions of tons of goods are transported via air freight, contributing massively to the backbone of the global economy.

Among the bigger problems the aviation industry faces today is not necessarily weakness in its own defences, but island hoppers who target organisations with less mature security postures along its global supply chain in order to gain access to connected systems.

My company's recent survey disclosed that over a third of today's attackers are using their victims for precisely this reason. As large enterprises become more and more secure, we'll see the use of this attack strategy expand.

We've been facing a cyber-insurgency from foreign threat actors since 2014. In March of this year, the United States CERT issued an alert around 'Russian government cyber activity targeting energy and other critical infrastructure sectors' which includes the aviation sector. In the alert, they describe the tactics, first observed in 2016, used by the Russian Government as follows:

"This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organisations such as trusted third-party less secure networks, referred to as 'staging targets' throughout this alert."

It is absolutely imperative that we stay cognisant of the fact that the route to exploitation often doesn't begin with us. These tactics aren't exclusive to the Russians. Threat actors from China, Iran, North Korea, etc. are all using this increasingly common strategy in order to infiltrate their targets - performing reconnaissance, lateral movement and counter incident response along the way.

The case of TNT Express/FedEx

In 2015, FedEx began the acquisition of TNT Express, a UK-based shipping company. By 2016, the purchase was complete and systems integration was planned to occur over the coming year. What wasn't planned was the devastating Shadow Brokers leak that hit the world in early 2017, providing attackers everywhere with the EternalBlue exploit.

By June of 2017, the Ukrainian arm of TNT Express was left crippled by a NotPetya attack that entered their networks via a bogus update from a piece of financial software called MeDoc. But this wasn't just any cyber attack.

A widespread effort by a nation state group (think: who was occupying parts of the Ukraine at this time) was under way, targeting the Ukraine and companies that do business there by leveraging the weaker defences and vulnerabilities that existed along the supply chain.

The damage? Reported losses of $400 million in the first half of 2018. Around $1.10 of value lost per share of FedEx stock. System integration costs also increased to the tune of an additional $600 million.

This attack crippled legacy systems which made up the backbone of their infrastructure. Planes were grounded, truck routes ceased and brand degradation occurred as their name consumed the news cycle for months in the wake of this devastating attack.

What can be done? We all need to take a page out of the pilot's notebook. Through this approach we can start adopting more comprehensive cyber-security checklists that will reduce the risk surface.

Much of an organisation's risk surface is considered low-hanging fruit for attackers. For instance, focusing on vulnerability management, controlled use of administrative credentials, and instituting strict configuration management policies is a start. But we need to go further. The threatscape is the most fluid it's ever been and teams must be equipped with solutions that:

  • Turn on lights in places that weren't illuminated before. Think anti-collision lights and warning systems on the entire aircraft.
  • Provide an extensible platform that allows for proactivity in defences. How much control over your systems do you have? Can it be audited?
  • Enable threat hunters. How rich is your data set, where does the data reside, and what threat intelligence are you using?
  • Give teams the ability to automate vital pieces of their workflow, allowing for more cycles to focus on what matters. Solutions working in silos help no one.

Further, always ask questions. What standards are being used when vetting vendors that will handle your data, have a presence within your network, or any other link to systems that can be used or provide a beacon

Don't let a compliance stamp of approval allow you to sleep easy at night while the imminent threat still persists.

Advanced data security vendors offer technology that addresses the myriad of obstacles that defenders face on a day-to-day basis.
