Cyberwar zone

Earlier this year, Kwabena Konadu received a call from one of the small businesses he advises on IT and cybersecurity.

The company’s chief financial officer had received an email from a purported ethical hacker — cyberspeak for “good guy” — who had found the official’s username and password for accessing company data on the dark web, says Konadu, who has a side business as a cybersecurity consultant in addition to his duties as chair of Northern Virginia Community College (NOVA)’s cybersecurity and cloud computing program.

Konadu traced his client’s breach to a phishing campaign. The executive had received an email that looked like a legitimate request from a bank. Clicking a link in the email prompted a request for a Microsoft 365 login.

“Unfortunately, the CFO clicked on the link and supplied their username and password,” Konadu says. “The same password was being used to log into company financial systems, email and critical resources.”

Konadu has been spending time with the company’s executive team going through the compromised account to determine what sensitive information might have been accessed. So far, he says, the company appears to have gotten through the incident with minimal damage, but Konadu sees the incident as a cautionary tale.

From weak passwords to vulnerable backups to logins that can still be accessed by former employees, many businesses are crawling with access points waiting to be exploited by cybercriminals.

Ransomware — a form of malware that locks down a computer system until a sum of money is paid — has increased in recent years, according to industry and law enforcement experts.

The FBI’s Internet Crime Complaint Center received nearly 850,000 complaints of U.S. cybercrimes in 2021 — a 7% increase from 2020 — resulting in more than $6.9 billion in losses to victims.

But many cybercrimes go unreported, and private sector numbers paint a far worse picture. Cybersecurity firm SonicWall reports that its researchers recorded 623.3 million ransomware attacks worldwide in 2021 — a 105% increase from 2020.

Cybersecurity Ventures, publisher of Cybercrime Magazine, last year projected that cybercrime would cost victims $265 billion by 2031. This steep growth rate — the firm pegged 2015 losses at $325 million — is fueled by increasingly sophisticated methods used by cybercrime operators, many of which mirror the legitimate business world. Just as software as a service is a highly successful legitimate business model, “ransomware as a service” (RaaS) is helping even small-time bad actors scale up their operations.

Palo Alto Networks credited RaaS with helping to fuel a 78% increase in the average ransom payment to cyberextortionists in 2021 — $541,010. The cybersecurity firm’s study found that nearly 60% of victims reported taking more than one month to recover from an attack.

Closer to home, the Virginia Information Technologies Agency (VITA), the state government’s IT arm, reported that state agencies experienced more than 66 million attempted cyberattacks in 2020, with VITA blocking more than 50,000 pieces of malware.

The Virginia legislature’s Division of Legislative Automated Systems was hit by a ransomware attack in December 2021, cutting lawmakers off from critical bill-filing and management functions just one month before the start of the 2022 General Assembly session. That same month, the state Department of Behavioral Health and Developmental Services experienced a ransomware attack that shut down its payroll system.

Figures for 2021 are still being compiled, says VITA spokesperson Stephanie Benson, but “in general, threats have continued to increase in volume and complexity over time.”

Public awareness of the threat is growing, especially after the high-profile May 2021 Colonial Pipeline ransomware attack made a tangible impact on people’s daily lives, causing fuel shortages in 17 states from Texas to New York.

Cybersecurity experts say that for every headline-grabbing attack, there are hundreds of breaches of smaller organizations that can cause considerable damages and headaches for the businesses and their workers, customers and suppliers.

The names and Social Security numbers of some of Fairfax County Public Schools’ employees and students were released on the dark web in 2020 after a ransomware attack on the school system. The school system offered credit monitoring and identity restoration services to staffers as part of its response to an attack that hit amid pandemic-driven virtual learning.

Richmond-based OrthoVirginia — an orthopedic medical practice with 32 locations around the state — reported a cyberattack last year that disrupted its phone and communications systems. Staff found workarounds such as using social media to maintain contact with patients. The practice said it was not aware of any patient or employee information being compromised.

Health care organizations have been a popular target for cybercriminals. The Wall Street Journal reported in March that a criminal group with connections to Russian intelligence agencies planned a coordinated attack to cripple U.S. hospital emergency rooms at the height of the pandemic in 2020.

For a cybercriminal, targets are everywhere, and no individual or business should consider themselves too small to be impacted, says Babur Kohy, who teaches cybersecurity courses at NOVA and runs cyber research organization CyTalks.

“Everyone is compromised, whether we know it or not,” says Kohy. “Detection is the new prevention.”

Russian threat escalates

Following Russia’s invasion of Ukraine in late February, the Biden administration and federal agencies urged businesses, individuals and critical infrastructure operators to take immediate steps to lock down their networks, as intelligence agencies have seen evidence that the Russian government has been exploring options for retaliatory cyberattacks against the U.S. and NATO member nations.

“The more Putin’s back is against the wall, the greater the severity of the tactics he may employ,” President Joe Biden said during a March 21 appearance at the Business Roundtable’s CEO Quarterly Meeting in Washington, D.C. “One of the tools he’s most likely to use … is cyberattacks. … The magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming.”

In April, the FBI, the NSA, the Department of Energy and the Cybersecurity and Infrastructure Security Agency released a joint federal advisory warning companies about the existence of a new malware suite designed to attack industrial control systems that run electric and water utilities, oil refineries and factories. Federal officials said the toolkit was developed by a state-sponsored hacker group but would not state which nation was behind it. Cybersecurity experts said the toolkit is most likely Russian and apparently was intended to target liquefied natural gas production facilities.

Regardless of industry or whether they’re located in Northern Virginia or hours away from the Beltway, Virginia companies are heeding the federal warnings.

“The technology available to hostile actors has evolved, and the reality of nation-states leveraging it to conduct devastating asymmetric warfare is more clear than ever,” says Adam Lee, vice president and chief security officer for Richmond-based Fortune 500 utility Dominion Energy Inc. “Critical infrastructure in Ukraine was impacted by major cyberattacks in 2015 and 2016, and government sources tell us similar attacks are underway in the current Russia-Ukraine conflict. Dominion Energy partners with federal and state agencies to share information, improve our cyber defenses and ensure attacks like the ones in Ukraine won’t happen here.”

Now is a time for all businesses to be extra vigilant, says Virginia Tech cybersecurity professor Luiz DaSilva, director of the Commonwealth Cyber Initiative, an organization coordinating higher education cybersecurity research efforts in Virginia.

“We already are seeing supply-chain disruptions and increased gas prices. Cyber-criminals could take advantage of this very delicate time that we are going through right now to launch major cyberattacks,” DaSilva says.

Companies that operate in industries most affected by the sanctions the U.S. and other countries have placed on Russia are perhaps the most obvious potential targets of attacks, says Luke McNamara, a principal analyst with Mandiant, a Reston-based cybersecurity firm that entered into an agreement in March to be purchased by Google for $5.4 billion.

“Certainly, energy and financial services but media and entertainment and transportation are also sectors that, because of historical patterns of targeting and where these sanctions are landing, would be a little more at risk,” he says.

But McNamara says the fact that so many businesses from different parts of the economy are depending on the same major companies for software and cloud-based services means there may be no such thing as an unlikely victim.

For instance, the 2020 SolarWinds attack impacted more than 18,000 customers of the IT management software company after Russian state-sponsored hackers installed malicious code in a widely issued software update. Victims ranged from the U.S. departments of Defense and Homeland Security to technology giants such as Microsoft Corp., Intel Corp. and Cisco Systems Inc. to hospitals, local governments and schools.

“It’s very important for organizations to think about, even if you are a smaller organization, where do you fit within the ecosystem?” McNamara says. “If there are certain sectors that may be more at risk right now, how does that risk translate to you and your specific business?”

An interconnected world

Thinking about cybersecurity beyond the walls of your own business is an important mindset, says Bobby Turnage Jr., an attorney who leads the cybersecurity and technology team at Richmond-based Sands Anderson PC. Businesses also need to consider the security of vendors that have access to their systems or data, he says.

“Depending on your circumstances, you might have to provide notification to impacted individuals” in the event of a data breach, he says. “You also might have to — or decide to — provide identity theft and credit monitoring services” due to the compromise.

Requirements to notify authorities of a cyberattack are receiving increased attention from regulators.

In recent months, the U.S. Securities and Exchange Commission has proposed tighter cybersecurity reporting rules for public companies and investment advisers and funds.

Federal budget legislation signed by President Biden in March includes a new requirement for critical infrastructure operators to report cyber incidents to the Department of Homeland Security within 72 hours, and to report ransom payments within 24 hours. The directive covers public and private owners of utilities, health care facilities, critical manufacturing, communications and many other industries.

“We don’t want to hold the company [that reports an attack] accountable. We do want to go after the malware actors,” U.S. Sen. Mark Warner, D-Virginia, told an audience at the Center for Strategic and International Studies in March as he spoke about the new legislation. “This is a giant, giant step forward.”

Only about 30% of cyberattacks on the private sector are currently being reported to the government, Warner said. More information sharing can allow the government to better communicate potential threats to infrastructure owners.

This kind of communication is ongoing, says Lee of Dominion Energy.

“The FBI, Department of Homeland Security, Department of Energy, and even the TSA for our natural gas business, have worked with us to help us understand the threats we face and to provide us with the latest threat intelligence — even to highly classified levels — to stay ahead of sophisticated attackers,” he says.

In Virginia, he says, the Youngkin administration has promoted constant communication between Dominion and the Virginia National Guard, state agencies and members of the governor’s team to better protect the electric grid.

Employees on the front lines

NOVA’s Kohy says it’s helpful to remember that cybercrime is ultimately a human enterprise.

“Technology is used as an enabler,” he says.

Most breaches rely on an employee clicking a link, sharing a password, keeping sensitive information in a vulnerable place, or failing to set up safety nets such as multifactor authentication.

And cybercriminals are getting progressively better at exploiting these weaknesses, says Sharon Nelson, president of Fairfax-based cybersecurity firm Sensei Enterprises Inc.

“This moves at the speed of light,” she says. “You wake up and there is something new out there every single day that you haven’t seen before.”

Nelson and Sensei Vice President John Simek say criminals are increasingly using social engineering to gain victims’ trust and get them to turn over sensitive information. For example, a bad actor may do research to discover who a company’s IT services provider is, then call that person and claim they’re with that company and need login credentials.

In addition to email, criminals may use texting or other means of communications to try to breach systems. While automated filters are important and can help, they don’t block everything. That means frequent employee training on how to recognize malicious actors is an essential piece of any cybersecurity plan, says Chris Moschella, risk advisory services senior manager with Keiter, a Richmond-based accounting firm that performs IT audits and cybersecurity services.

“Employees need to really change their thinking and need to think of themselves as part of the security apparatus within a business, and not just a consumer of the security apparatus,” he says.

Simple actions are important

But there’s even more low-hanging fruit that those who work in the field say businesses of all sizes should think about when assessing their security.

Simek says he’s yet to work with a company that doesn’t have old administrative accounts left active after former employees have left the company. A 2022 survey by software provider Beyond Identity found that 83% of employees admitted to maintaining access to accounts from a previous employer.

As employees work in an increasingly hybrid world, accessing company networks from home, work and locations such as coffee shops, cybersecurity experts emphasize that multifactor authentication — a process requiring an individual to receive a unique code via text or email to access an account — is a must, despite the inconvenience of extra sign-in steps.

“It’s not just for businesses but for everybody, even in your personal and daily life,” Simek says. “Multifactor authentication will stop the vast majority of compromises, even if they get your password.”

Backups can be an important defense against ransomware, but Moschella points out that many businesses fail to secure them. “The thing people miss is that ransomware does spread to backups,” he says. “It’s good to have a recent backup that is not persistently connected to the network.”

While the list of potential vulnerabilities facing a company can seem overwhelming, Turnage encourages businesses to start by looking at the security threats and vulnerabilities that are applicable to them, and to then prioritize security adjustments in light of available resources and associated risks. 

Making data security a priority from the board and executive levels down should be a necessity for all businesses going forward, Turnage and other experts say.

“The cyberthreats that we face are not going away,” says Mandiant’s McNamara. “It really is a marathon.”

Best cyber practices

In a national survey of 600 business leaders released in March by New Jersey-based Provident Bank, just 50.17% of respondents said their businesses were fully prepared for cyberattacks, and 50.64% said that cyberattacks are something they worry about daily. Here are some suggestions to fortify your workplace against cybercrimes:

Make sure your business is installing software updates on a regular basis, as the vulnerabilities these updates fix are a popular door for criminals to get into a system.

Require strong passwords (15 characters or more, with a mix of numbers, letters and symbols) and multifactor authentication on all company accounts.

The Internet of Things (IoT) and operational technology, including everything from connected HVAC systems to security systems and smart locks, are increasingly being exploited by cybercriminals. A common weakness is failure to reset the factory password on connected devices.

Keep multiple backups of your data, and make sure at least one of those backups is disconnected from your network at any given time. Test your backups regularly to be sure you’ll be able to restore your data.

Take the time to create an incident response plan for cyberbreaches. The faster your team can start responding, the more likely you’ll be able to contain the damage.

Consider using geo-blocking as a way to limit the range of countries that can communicate with your corporate network. This can prevent employees from downloading harmful attachments based on overseas servers.

The federal Cybersecurity and Infrastructure Security Agency (CISA) provides many free resources for businesses, including evaluation tools and best practices that can help businesses start to understand their cybersecurity needs. Find them at cisa.gov/uscert/resources/business.