CONNECTED CRIME

Cyber criminals are ‘smarter and bolder in their attacks on supply chains,’ targeting new digital surfaces

A new report by leading consulting firm Booz Allen raises cybersecurity concerns and offers mitigation steps as it warns supply chain operators to prepare for serious attacks in 2021

In recent months, global supply chains have been hit with multiple cyberattacks resulting in losses of hundreds of millions of dollars.

These crimes provided further evidence that cyber criminals are becoming bolder and broader in their scope of attacks, including:

 

  • In May, an international rail vehicle manufacturer was blackmailed following a cyberattack targeting the company and its employee data
  • A malware attack on a global shipping company in September disrupted business operations, to an estimated loss value of US$250 million
  • More recently, in October, the world’s fourth biggest container liner disclosed its information systems were compromised due to a cyberattack.

 

In its 2021 Cyber Threat Trends Outlook, consulting firm Booz Allen forecasts a trend of cyber incidents as criminals proliferate and expand on opportunities to attack new digital surfaces. Its analysis identifies the new ‘hot spots’ for cyber-crime: next generation malware extortions, cloud-based technologies, Artificial Intelligence (AI) and Machine Learning (ML) models, 5G and industrial control systems.

 

Next Generation Malware Extortions

Malware attacks have been “enhanced” with ransomware tactics, not only to disrupt business operations but also to extort organizations over their proprietary information. To extort greater and faster payments, criminals threaten to disclose data and to inform regulatory bodies and stock exchanges of the data breach. Experts foresee further refinement of these malicious tactics to include threats against clients, suppliers, third parties and other key relational targets. These threats serve as a springboard for cyber criminals to attack the entire chain of partners and vendors.

 

Booz Allen analysts propose instituting both onsite and offsite backups, monthly patching policies for updates, two-factor authentication (2FA) for all accounts, retainer relationships with outside incident response firms, and a hunt program that reviews and identifies suspicious network activity. Whilst most companies have a cyber insurance policy in place, this policy must be frequently reviewed to understand which remediation activities are covered, the report advises.

Accessing and Abusing Cloud-based Development Environments

With the pandemic accelerating the adoption of cloud computing services including SaaS, PaaS, and IaaS, cloud environments have provided cyber-attackers with loopholes for access and abuse. Often, access control misconfiguration has exposed millions of pieces of data and allowed threat actors to access and deploy their attacks. Recently, in July 2020, a cloud communication CPaaS company reported that one of their routing engines’ JavaScript had been maliciously updated and misconfigured to direct users to an unknown URL that gathers their information.

 

To secure cloud-based services against supply chain software attacks, organizations should deploy strict access controls, code signing keys, endpoint detection and response (EDR) tools, and a private-cloud deployment model to provide an extra layer of control over the cloud-based environment. Looking forward, Booz Allen expects continued evolution in the types of attacks abusing cloud solutions, including the convergence of several tactics used in supply chain software attacks to target PaaS solutions used to develop and deploy software applications.

 

Intellectual Property Theft from Artificial Intelligence and Machine Learning Models

While supply chains adopt Artificial Intelligence (AI) and Machine Learning (ML) technologies, malware developers have sought to stay ahead of this trend by building AI-based malware to defeat AI-based security solutions and stay undetected. One example is self-modifying polymorphic malware, which has led to exponential growth, with 230,000 new malware samples daily. The underlying data models of AI-based security solutions utilize ML algorithms generated from large amounts of data. These models will likely be a prime target for cyber criminals seeking to steal intellectual property.

 

AI and ML models should be treated as proprietary intellectual property and be protected in the same way as any proprietary software. Supply chains developing AI services can consider additional security controls for accessing these models, watermarking trained models, and network security tools such as intrusion detection systems.

 

Risk Factors in Welcoming 5G into Industrial Control Systems

As we welcome 5G networks into industrial control systems and operational technology for greater efficiency, experts foresee the merger exposing businesses to new vulnerabilities. Current industrial control systems are segmented to create boundaries and reduce cyber risks. However, the introduction of 5G is likely to reduce network segmentation and introduce new devices that increase attackers’ incentives to explore new vulnerabilities. The consequences of such high-profile attacks will be more costly than traditional cyber-attacks, given the nature of the control system environments and the roles that these connected systems play.

 

Therefore, it is necessary for companies to consider the structure of existing network set-ups and analyze the risk impact of change before adoption. Booz Allen advises businesses to strategize 5G network architecture to consider possible threat impacts, address existing known security concerns before deploying 5G and strengthen underlying structures through regular updates, as well as implementing a response plan.

 

 

As technically advanced criminals work 24/7 to identify loopholes in technology advances, supply chains must proactively enhance their cyber security systems and response protocols in the event of such attacks. As part of TAPA’s efforts to address these emerging cyber threats, the Facility Security Requirements (FSR) 2020 Standard has outlined IT security requirements in Section 9, such as documentation of IT policies, staff awareness and training, Power Interruption Mitigation plan, anti-virus and anti-malware software, IT Disaster Recovery Plan (DRP), off-site data backup and encryption, and management of Information Systems’ control access.

Booz Allen’s Outlook report also warns of cybercriminals and state-aligned cyber threat actors increasingly looking to target the parcel and shipping sector because the importance of their operations and infrastructure has increased as a consequence of the coronavirus pandemic.

It states: ‘Enterprising cybercriminals may leverage the increased public reliance on the shipping sector to infect shippers and their customers. The elevated level of shipment notifications may reduce the public’s caution regarding delivery notifications, increasing their susceptibility to phishing. Expanded package delivery could make reshipment scams more viable and less likely to be discovered.

‘Cybercriminals may also take advantage of overstressed operations around holidays or other critical periods to extract ransoms from shippers. State-aligned adversaries may view the parcel and shipping sector as a particularly valuable social and economic target for possible disruption that falls below a threshold for retaliatory response. Adversaries can obtain a wide variety of outcomes by targeting this sector, ranging from impacting national morale to interfering with democratic elections.’

 

Rising Cyber Risk to the Parcel and Shipping Services Sector

The coronavirus pandemic has made more broadly apparent the critical importance of the parcel and shipping sector to the national well-being. Since the pandemic began in early 2020, consumer spending on America’s largest online retailer rose 35% from the same period in 2019. This shift in consumer behavior is stretching the capacity of the U.S. parcel and shipping services sectors, a strain that will continue over the interim as society reacts to the pandemic’s uncertain cycles. Booz Allen believes these trends will continue well into 2021.

Cyber threat actors of all kinds will seek to leverage this new reality to enrich themselves and promote their malicious interests.

Cybercriminal Threats

Ubiquitous public and private reliance on the parcel and shipping sector makes it an increasingly valuable target for profit-motivated cybercriminals. Consumers are increasingly accustomed to receiving multiple order status emails, delivery notifications, package receipt notifications, and return labels for just a single item. Phishing schemes involving malicious delivery updates spiked during the early months of the pandemic.

It is clear that phishing attempts represent only the surface of potential threat vectors against the parcel and shipping sector, but cybercriminals will increasingly seek to slip malicious emails and attachments into overwhelmed consumers’ inboxes.

Targeting Shippers with Ransomware

In 2021, cybercriminals will likely seek to disrupt parcel and shipping sector operations during critical periods of operation. Ransomware deployed across a shipper’s network in the days leading up to a major holiday or during a period of coronavirus-related economic lockdown could have dramatic impact on operations and consequential financial implications for shippers industry-wide.

Reshipping Scams

The parcel and shipping services sector has long been used to launder funds and illicitly obtained goods, the report claims. Booz Allen’s experts predict reshipment scams will increase as consumer behavior trends toward more home deliveries. Tracking such scams will likely be increasingly difficult, particularly because greater numbers of package deliveries can be used as a form of cover for criminal activities. Cybercriminals will likely be increasingly able to recruit reshipping or other money mules, witting or otherwise, who need extra income during the global coronavirus-induced recession and unemployment.

State-Aligned Threats

Cybercriminals are not unique in their interest in targeting organizations involved in parcel delivery. Booz Allen believes state-aligned threat actors may also prioritize U.S. mail and parcel delivery services to support their strategic goals. U.S. adversaries may take advantage of the elevated importance of the parcel and shipping sector to disrupt critical services, undermine public confidence in U.S. public sector services, or generally demoralize the population.

 

Strategic Disruptions

The elevated utility of the parcel and shipping services sector, particularly during a global pandemic, could elevate its status as a target for U.S. adversaries intent on disrupting American life. Disrupting this sector would be a particularly acute social and economic pain point for U.S. citizens relying heavily on shipping for medicine, food, and other necessities during recurring periods of economic lockdown and social distancing.

Impacting Critical Services

Beyond universal, last-mile parcel and mail delivery, the shipping services sector also plays a crucial role in certain critical government functions that adversarial nations could try to disrupt. The coronavirus pandemic has quickly increased the number of states supporting universal vote by mail, greatly expanding a service provided by the shipping sector that is critical to American democracy.

Mitigations

Booz Allen’s advice to concerned organizations in the parcel and shipping services sector includes:

  • Increase the level of network monitoring around periods of increased public reliance on the sector, such as holidays and other critical periods such as elections or natural disasters.
  • Pay close attention to the strategic and geopolitical environment, with the understanding that the parcel and shipping services sector is a viable target for asymmetric cyber attack. Prioritize activities based on this evolving risk profile.
  • Launch public relations campaigns to educate the public on the type of communications they can expect as clients.
  • Train employees to be vigilant when receiving and opening emails from organizations in the parcel and shipping services sector and know how to identify/report a potential phishing email.
  • Review your overall cybersecurity controls for network and authentication layer segmentation to ensure that crown-jewel assets have additional protections if an incident were to occur.

 

You can download a copy of Booz Allen’s 2021 Cyber Threat Trends Outlook using this link

cyber-threat-trends-outlook-2021.pdf (boozallen.com)