ISMG Editors: Analyzing the Predatory Sparrow Attack
Also: Cyberthreat Activity in Sri Lanka; Cyber Insurance Trends
Anna Delaney (annamadeline) • July 15, 2022
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity issues, including lessons learned from the cyberattack on a steelmaker in Iran that caused a serious fire, how the economic crisis in Sri Lanka is affecting cybersecurity and what the rising cost of cyber insurance means for the industry.
The editors - Suparna Goswami, associate editor, ISMG Asia; Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday & Europe; and Tony Morbin, executive news editor, EU - discuss:
- Whether a recent attack on a steelmaker in Iran indicates a sudden increase in the danger posed by online attacks to industrial environments;
- How the economic crisis and political upheaval in Sri Lanka are affecting security leaders and cyber insurers in the region;
- The rising cost of cyber insurance in the wake of bigger payouts.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the July 1 edition discussing how Russia's war has changed the cyber landscape and the July 8 edition discussing the status of the software bill of materials or SBOM.
Anna Delaney: Hello. Welcome to the ISMG Editors' Panel. I'm Anna Delaney and here's our weekly roundup and analysis of the top cybersecurity stories. And I'm joined this week by my brilliant colleagues, Mathew Schwartz, executive editor of DataBreachToday and Europe; Suparna Goswami, associate editor at ISMG Asia, and Tony Morbin, executive news editor for the EU. Great to see you all.
Tony Morbin: Hi, good to be here.
Mathew Schwartz: Wonderful to be here. Thanks for having us.
Suparna Goswami: Wonderful to be back, Anna, after a long time.
Delaney: It's been too long. Suparna, you are at a summit, I believe.
Goswami: Yes, correct. So the background is that of the in-person summit in Bangalore that we had last week. We had our first in-person event in Bangalore after 2019. So, it was great to meet everyone, and great to be back, so it was fantastic to be back on the ground, meeting people. Wanted to have that as a background.
Delaney: Suparna, what was the highlight for you?
Goswami: The highlight was that it was a hybrid summit and it went smoothly. And then, we had first-time speakers who were fantastic, and some lovely topics to talk about. And we exceeded the number of guests and delegates that we'd anticipated. So that was a good problem to have.
Delaney: I loved watching all the photos appear on social media. Looked like a great event. Tony, industrial systems perhaps?
Morbin: No, this is the Lloyd's of London building with all the infrastructure on the outside, because I want to be talking about insurance today. And so, Lloyd's is a good place, back to the origins of insurance, with shipping insurance and so on in the coffee house.
Delaney: Fantastic view from within as well.
Morbin: From the elevators as well. Not the outside of the building.
Delaney: Looking forward to that. Mathew, how very elegant.
Schwartz: I finally got to return to Amsterdam, like Suparna, for the first time in several years, due to a slight social disruption. So it was wonderful being back. This is a room that I had on one of the canals, the hotel room looking out to the evenings, it just opened the window and watched the Dutch world go by.
Delaney: It's a fabulous city. Love it. And I am in the gardens of Hampton Court Palace, where King Henry the Eighth lived with his wives, and it was taken at a recent flower show. It's worth a visit if you are in this part of the world in the U.K. So Matt, my question for you, has there been a sudden increase in the danger posed by online attacks to industrial environments?
Schwartz: That's a great question. And there is this fascinating attack — if you're not on the receiving end of it — that came about at the end of June, when our colleagues reported on a steel foundry in Iran that was hit by hackers who claimed to have started a fire. And there's some dramatic footage that got posted to social media. Now the hackers appeared to be playing by a few ground rules. They said they waited to cause this fire until there was no one present. So an unusual amount of preparation and a safety-conscious ethos, which we might not normally see from criminals operating online. So what does this all mean? I put that question to experts: we've seen this big attack hitting Iran and the attackers said the purpose of this was to highlight the fact that this steel foundry, which is part of a holding company, has been sanctioned, and they also apparently hit a couple of other foundries that were sanctioned by the U.S. and yet, they continue to trade. Apparently, it's still doing a roaring business. It's one of the biggest suppliers of steel products in the Middle East, apparently. So they wanted to highlight this. So what is all this? It's hard to say, although it's fascinating because there's a play on a name in terms of the group that's involved. I won't attempt to pronounce the group's actual Persian name, but it translates to Predatory Sparrow, which, if you're in cybersecurity circles, seems like an in-joke given that many of the advanced persistent threat groups in the nation-state military hacking teams have these designations started by FireEye about where they're from, what they do. Some experts are saying this sounds like Charming Kitten. Charming Kitten is a group attributed to Iran's military intelligence apparatus, which has been responsible for a number of attacks. Long story short, this could be Israel trying to stir things up or some other nation-state group.
Experts think this is probably a nation-state group because it's difficult to hack industrial control systems. It takes a laboratory environment where you've purchased, on eBay etc., the exact systems being used in the environment. And you've attempted to get the right software and patches and everything in place in the lab, so that you can design malware that will work. Check Point said that it saw the malware used in this attack. And it traces to malware that was used last year against Iran in attacks that are believed to have been done by Israel, which in one case disrupted train travel, and in another case disrupted the ability to access fuel from pumps for certain people in Iran. So, long story short, I don't think that we are seeing a dramatic increase in attacks against industrial control systems; they remain a concern. At their worst, they can cause loss of human life. You have a foundry here; if this fire had happened when the equipment had been manhandled, if it had happened and there were people around, this could have injured people very badly. Thankfully, that didn't happen in this case. But it's a useful reminder that a lot of these environments can be hacked. We're seeing more use of IT equipment, not necessarily OT (operational technology) from it, but lots of IT equipment too, switches and things from Cisco, Juniper, that have well-known flaws being used in these environments. So, any organization that runs an OT environment needs to take a good look at how it's protecting its networks. Because the next time hackers come calling, it might not be Israel allegedly attempting to stir things up a little bit.
Delaney: Interesting. And it reminds me of the time around the start of Putin's invasion of Ukraine. There were a lot of people thinking or predicting that Russia would target ICS. And commentators were saying it's difficult to do that successfully. Reminds me of that. So the main lessons learnt from this would be?
Schwartz: The main lessons learned, if you run an operational technology environment, are to be aware that this can happen. Keep a close eye on what needs patching, what hasn't been patched. And there are a variety of techniques that can be used to safeguard these systems in a secure, safe manner. And safety is the management of these environments. But there are a lot of approaches that can be used to lock these environments down, even if you can't patch the underlying systems, which can sometimes be 20 years old or more. So, you need to make sure you're keeping a close eye on all of these things. Basically, have a plan, constantly be reviewing it, make sure that you're not at risk from these types of attacks.
Morbin: It's also a reminder that the Ukraine-Russia situation isn't the only cyber war, because the Israel-Iran one has been going on for some time. Matt mentioned some of the attacks that Iran has faced, but Israel has also had water treatment plants affected. It's had its air raid sirens going off. I've spoken to people on the offensive cyber side in Israel, and there's activity going on. Matt did an article where he mentioned the fact that they weren't best pleased in Israel when it was found that they were seen celebrating the fire in the steel plants.
Schwartz: There was a briefing for a high-level official by an Israeli military intelligence unit. It supposedly featured the footage captured by CCTV cameras of the foundry experiencing this fire, but the defense minister ordered an investigation into any potential leaks. As Tony rounded up there, this affects lots of people. And it's been a particular aspect — your angle to Israel-Iran relations, or the lack thereof.
Goswami: If I may add, one of the lessons learned that Matt was mentioning is just because it happens rarely, do not ignore it. And that's an important lesson: just because the attack happens rarely, do not ignore the side of the attack.
Schwartz: Absolutely. And I was saying safety because if you talk to anybody in industrial environments, that's their first and foremost concern. And I think they often think of it in a physical manner. We saw the fire being caused by equipment being mishandled. And I couldn't tell personally what was going on, but there was stuff spilling all over the place, looking like molten metal was going everywhere. That's physical, but they need to remember — and there's been a growing push by, for example, CISA in the United States telling critical infrastructure and industrial infrastructure providers — to always think of cyber as well. All these systems are run by computers. And it's not that molten metal might get tipped over the networks, the systems that run these very environments are also at risk. So, this needs to be more of a concern, but I think we are seeing greater attention and focus on it now, which might be, Anna, to your point. Are we seeing a rise in these attacks? Is the threat going up? No. But I do think we are seeing more focus on it. And one side-effect of this attack is we are talking about it, which is good.
Delaney: Great insight, Matt. Thank you very much. Suparna, you've been speaking with CISOs based in Sri Lanka, which is facing turbulent economic times and political upheaval. How are CISOs, security leaders being impacted, Suparna?
Goswami: Yes, and I'm working on a feature on the economic crisis and its impact on the cybersecurity market in Sri Lanka. I spoke to a few CISOs there, and though they're saying that the business priority as far as cybersecurity is concerned has not changed for now, they're not sure whether it will stay this way in the coming months. So, from my conversation, there were three or four highlights. One was license renewal, and they are facing difficulty in renewing the licenses because they are not able to procure dollars. There's difficulty in procuring dollars because the central bank has put a lot of curbs there and the dollar value has gone up, I think 80 to 90% in the past three months. So there are multiple companies who are facing a tough time renewing the licenses for the products they have deployed. And a few security practitioners from the manufacturing industry that I spoke with said that currently their licenses for DDoS protection have expired and they have requested the vendors to extend their service on the existing investment. I also spoke to a vendor who has a good presence in Sri Lanka, and the spokesperson said that they have received requests from companies to make best use of the existing investments, as new investments in cybersecurity products are difficult or challenging now, and they have also been requested to set up shops in Sri Lanka so that they can pay in Sri Lankan rupees, not necessarily dollars. But given the situation, it is tough for them to set up a shop now in Sri Lanka. And the second one, which I found interesting, is that cyber insurers are shying away from insuring the companies in Sri Lanka. And not surprising, because given the inability of the Sri Lankan companies to pay in dollars, as well as the sad state of the economy, cyber insurance companies are wary of providing or renewing insurance for the companies in Sri Lanka. And this has been the case for the past year.
Even if they are going ahead and reinsuring one of the companies, they are charging high premiums. The premiums have again gone up high. And the third one was on the threat landscape, though the threat landscape has remained the same. The country is witnessing an increase in state-sponsored attacks as well as phishing attempts. So, adversaries are sending fake emails, marking them as fundraising for the government, and people are falling prey to that, and according to one of the reports, there was a 60% increase in phishing attempts in the past two months. These were the main highlights from my conversation with them.
Schwartz: One of the tactics we often see practiced by Russia is never let a good domestic crisis of your enemy go to waste. Are we seeing that in Sri Lanka — with the rise that you've charted in phishing attacks — is that adversaries in a geopolitical sense of Sri Lanka attempting to stir the pot?
Goswami: But one thing the security practitioners said that what they are happy about is there's a lot less ransomware attacks because they know the people have to pay the ransoms.
Schwartz: There's no money.
Goswami: Yes, there's no money, so one cannot be bothered about the ransomware attacks because they know that we won't be able to pay them back. So yes, that's one of the silver linings, they said. Thankfully, you don't have to deal with the ransomware attacks for now, at least for the next few months.
Delaney: Suparna, take us through how you go about investigating this, because this is fascinating, and it's current. So, you're speaking to CISOs and vendors.
Goswami: Yes, I'm speaking to CISOs and vendors. But not all CISOs are ready to come out and comment that they are facing these kinds of attacks. So it's like, yes, as an industry, we are facing this, but nobody is ready to accept it, or they have accepted it offline, but they don't want me to quote them. I spoke with one of the insurance companies, as well. And that company said that yes, we are not providing for now, we are wary of the Sri Lankan market, we are not reaching out, or even if there is an insurance renewal, we are charging a high premium. He said you can't quote me on this because that would give a bad name. But I reached CISOs and vendors to get to the other side of the story: what are they hearing? What is their roadmap? And for them, the roadmap is that for these few months, it's fine, because the budget approvals have been done. But next year, they are revisiting their priorities. Even the board, the CISOs said, it's fine, because the budgets have been approved. For next year, they are revisiting their priorities, and new investments will be hard to come by.
Delaney: Good luck, Suparna. I look forward to reading the feature when it comes out. Thank you. Tony, Suparna mentioned cyber insurance. I know you want to speak about it. So, what's happening in the market?
Morbin: Absolutely. And the premiums going up is the main issue. I was going to talk about how the cyber insurance industry isn't working for insurers, brokers, or their customers, according to a recent report by Panaseer, and it's noting that the cost of cyber insurance policies in the U.K. and the U.S. is expected to rise for the next two years, and I can see a similar thing happening elsewhere. Now, ransomware attacks are up 93% year over year from 2021, by some estimates, as well as the number of successful attacks, so the insurance is becoming harder to get and more expensive. And with average payouts of about $3.5 million in the U.S., it's hardly a surprise. One of the issues is that insurers are struggling to accurately assess an organization's security posture and what the risks are that are involved. 87% of insurers in this recent survey say they want a more consistent approach to analyzing cyber risks. Insurers need better information to price the risk. And as Nik Whitfield, the founder and chairman of Panaseer, who did the report, said, questionnaires aren't going to cut it. One of the reasons is that cybersecurity insurers increasingly want direct access to customer security metrics and measures. They want to see real, live data coming from a customer about their security posture. Now, from my perspective, that can only be a good thing for the industry, as cybersecurity is still immature. While there are best practices being enforced in some sectors, such as finance, there's no overall agreed definition of what good cybersecurity looks like, what the minimum standards should be expected, or what percentage of budget spend is appropriate. And certainly no agreement on how these standards can be enforced.
So, while you've got things like the Biden executive order in the U.S., and Cyber Essentials in the U.K., providing baseline cybersecurity requirements for those dealing with the state, the free enterprise market has so far failed to establish consistent cybersecurity norms. So what is it that insurers rate as important when they're assessing potential customers' security posture? Top of their list is cloud security, cited by 40%, then security awareness, 36%, application security 32%, vulnerability management 31%, privileged access 31% and patch management 30%. Now, none of these will come as a surprise to security professionals. And they're all things that you should already be doing. But what's different is the need to share the information with your insurer to reduce your insurance premiums or even secure insurance in the first place. And that will include providing evidence, information, and even working with the insurer to improve your security posture. But the insurers themselves aren't that confident that even with that information they can accurately price the risk. It's a dynamically changing environment, with increasingly sophisticated threat actors and unprecedented events coming in thick and fast. Plus, there's the global nature of incidents. They're rarely isolated. Maybe the OT ones are an example of the isolated ones, but generally they tend to be pervasive. So insurers and the potentially insured are voting with their feet: one in 10 insurers in the U.K. say they're likely to get out of the cyber insurance market if the method of insuring risk stays the same. And from the other side, if insurers take the tack of forever increasing their premiums, they price themselves out of the market, and companies decide not to get insured and put aside the resources to absorb the impact of an attack, which is something that's happening. So it's in both sides' interests for the pricing to be realistic and proportionate to the risk.
It's predicted that there will be increased friction, because most organizations don't want to share their sensitive internal data with anyone, let alone third parties that have a right to audit. But ultimately, the organizations will need to demonstrate good security behaviors across the entire environment, which means having and ensuring accurate data to prove that they are low risk.
Delaney: And this is coming up in roundtables. I'm hearing from security leaders as well, venting their frustration when they call up the insurer. The insurer doesn't know what they're offering. They have no idea what they are covering. There's a lack of information and education there. Matt, what are you hearing as to how this is going to evolve?
Schwartz: As Tony was indicating, it's a chicken-and-egg problem. You need to have robust, well-documented, well-thought-out information security programs, plans, procedures, people, technology in place. And sometimes there's a disconnect then in terms of how you interface with an insurer if you don't have that. We see some interesting innovation from a company called Coalition, for example, based in the States. It's a cyber insurance startup; it's got a $5 billion valuation. Last week, I believe, it secured an extra $250 million in funding to drive a U.K. expansion. And what Coalition is doing is taking a cybersecurity-centric approach in terms of knowing what organizations should be doing, looking to see if they are doing that, and then using that to help price the plans. But there's a lot of back and forth there. They can also help the organization make and do what they need to do. Your organization can work with them to better do what they should be doing. If there's a will, there's a way, there's an insurance product. And I suspect that we'll see this more focused, tailored, and sophisticated approach to the problem. It is a holistic approach. They're saying if you want great cybersecurity, and if you want insurance — because who doesn't — to cover your risks, this is how we're going to do this. Now, to Tony's point before, though, how many organizations have the wherewithal or the internal expertise to make use of this or to honor this approach or devalue it? I don't know. But I think that that's where we're going to see the most bang for the buck: organizations that can walk the walk, talk the talk, not just via their insurance, but in terms of how they're approaching it themselves.
Morbin: The insurance industry is wanting to have the kind of telemetric data that they get from...
Schwartz: Every other thing they insure.
Morbin: Things like the transport industry, and the survey had 44% of insurers not confident about the way that they were evaluating risk in cybersecurity. It affects both sides: the companies that want to be insured are not necessarily creating the data level and sharing it, and the insurers aren't necessarily showing what data they need and how to use it. We're talking about an immature industry. And yet, we're talking about something where regulation is the big driver of people adopting safer approaches. But insurance is another one, because people want to lower their premiums. So they have an incentive. There's an incentive on both sides. And we're talking about a market that's forecast to grow from 11.9 billion this year to 29 billion in 2027. So it's not something that's going away, it's going to increase, but it's flawed at the moment.
Schwartz: That's a great point. Because if the insurers get a better sense of what they're looking for, from a financial perspective, they will be able to demand it. And we could see some good changes and improvements, where they come in and say, "The best-in-class companies with the lowest premiums are doing it this way. Would you like our help to help you do it this way?" And hopefully, more organizations say yes.
Delaney: Hopefully, indeed. Great points. Thank you all. So, final question. What's something new that you've learned in cybersecurity, this week or recently?
Goswami: I'd like to point to a tweet that my colleague Rashmi mentioned to me. It was not new learning, but I found it interesting that Russia experienced the most data breaches for the second consecutive quarter in a row. Because I always had the impression that Russia is the one that's attacking the other countries, but they're also facing a large number of breaches. So that came as a surprise too.
Delaney: Definitely. That's a great one.
Schwartz: Ukraine's hacker army or friends appear to be having an impact. I've been hearing that. And on the heels of that, one of the things that I learned at RSA this year, back in June, and that I have to keep reminding myself about, is Russia is launching online attacks against Ukraine. But many cybersecurity experts I've spoken to say that Ukraine's defensive ability is the best in Europe, they think. So there's been a lot of chatter about how there's been no cyber war, but in terms of online attacks aimed at supporting Russia's invasion being launched by Russia and allies, a lot of them aren't having the impact that Russia might have desired.
Morbin: Yeah, because they'd already seen NotPetya. And they'd been under attack since 2014. So, they had a lot of practical real-world experience.
Delaney: And training.
Schwartz: Definitely.
Delaney: Tony, what have you learned?
Morbin: I was going to cheat and say that cyber insurance is going to grow to 29 billion by 2037. Also, looking at this subject, I did see that a couple of states, California, for example, are mandating cyber insurance. I didn't realize that it was mandated. So, that was interesting.
Delaney: I read recently that ransomware attacks have increased 500% in the last year. I don't know if you agree with that, Matt, but I'm sure your articles on ransomware have increased 500% this year.
Schwartz: It feels like it. My short answer there is we don't know the full volume of ransomware attacks, because the only ones to get publicized are the victims who don't pay, and they get publicized by the criminals who wish they had. So there's a lot of competing interests. I will say that the volume of attacks is always higher than we want. And here in Britain, the National Cyber Security Centre has said they're seeing an increase both in ransom payments and in attack and victim volume. So, 500%, I don't know. But still alarmingly high, I suppose.
Delaney: And the demands in ransom and the figures are higher than ever as well.
Schwartz: Sometimes.
Delaney: These are great nuggets of information. Thank you very much. That is unfortunately all we have time for. But Matt, Suparna and Tony, thank you, and enjoy your week.
Schwartz: Thank you, Anna.
Morbin: Thank you.
Delaney: Thanks so much for watching. Until next time.