Security experts have been warning that African ground is the next big target for cyber-criminals. This cautionary note must be heeded as governments, the public and commercial services are being attacked by hackers on a daily basis.

This article first appeared in ESI Africa Issue 2-2020.
Read the full digimag here or subscribe to receive a print copy here.

Cyber hygiene is a term within the cyber community, which underlines
ensuring computer users are not unnecessarily exposing themselves to
computer viruses. Malware, ransomware and other nefarious cyber viruses can infect computers, causing them to become ‘ill’ and failing to operate as they were designed and hurting us in the process.

Notably, cyber-attacks are rising in number as more and more people have access to the internet. Worldwide, a massive number of new websites are launching every day, where many are not addressing safety measures for any form of cybersecurity. As Africa’s utilities smarten their services and increase their online engagement with customers, the topic of whether
these companies are in tune with beating cyber-criminals must now be broached.

The ever-evolving threat rising from the cyber world

You are unlikely to find a person that hasn’t received one of the infamous e-mails of an African prince looking for his successor, promising millions of dollars only if a link in an email is clicked on, or a similar scenario. This type of scam was extremely popular a few years ago. However, hackers have evolved and are now using more sophisticated methods and messaging. These cyber criminals have progressed from stealing usernames and passwords, to attacking banks and stealing credit card information and bank accounts.

The Communications Authority of Kenya’s first-quarter report for 2018/19 shows the National Cybersecurity Centre detected 3.82 million cyber threats, a rise from 3.46 million reported from the last quarter. Within the review period, the banking sector remained the most targeted industry followed by government institutions. Taking into consideration the rate of new technologies surfacing, such as tech-grid used for crypto mining, that translates into fertile ground for cyber criminals.

A common issue is that the quality of the website’s services and frontend are placed ahead of the platform’s security. With the growing usage of the internet, competition in the market is fierce. Business owners dive in not realising the importance of online security and, even worse, some government sites have the same issue. There are instances where it is decided to use pre-built website templates instead of building a website from scratch. This tactic can be exploited on many levels, leaving sensitive data unprotected.

You are unlikely to find a person that hasn’t received one of the infamous e-mails of an African prince looking for his successor, promising millions of dollars only if a link in an email is clicked on, or a similar scenario. This type of scam was extremely popular a few years ago. However, hackers have evolved and are now using more sophisticated methods and messaging. These cyber-criminals have progressed from stealing usernames and passwords, to attacking banks and stealing credit card information and bank accounts.

Once they have access, hackers can do what they want, whether it is to steal data, post information, or infiltrate without anyone knowing. There are even instances where no one is aware of an attack until it has a widespread impact beyond the company’s network.

A case in point: Ransomware event in the US

The US Cybersecurity and Infrastructure Security Agency (CISA) reported, on 18 February 2020, a ransomware incident impacting a natural gas compression facility at an unidentified US pipeline operator. The ransomware event impacted both IT and ICS assets by causing loss of view and control impacts that caused the facility to implement controlled shutdown processes and resulted in a reported two days of downtime.

Based on information shared with a supplier of ICS security services, Dragos, as well as noted in public reporting, the CISA alert likely describes the same event reported by the US Coast Guard in 2019.

While causing operational disruption lasting two days, available evidence does not indicate the ransomware adversaries specifically targeted ICS operations. Operational impacts were likely caused by a combination of insufficient segregation of IT and ICS environments and shared Windows operating system infrastructure. Based on reporting, the intrusion appears to have impacted only a natural gas compression facility owned by the pipeline operator. Impacted ICS devices included data historians and human-machine interface (HMI) devices but did not propagate to Layer 1 devices or lower, such as PLCs.

Details of the cyber-attack

Ransomware attackers initially breached the unnamed US pipeline operator via phishing containing a malicious link, according to limited details provided in the CISA report. This allowed the unidentified
attacker to gain access to the victim’s IT network, with subsequent pivoting allowing for spread to ICS network assets. Phishing is a very common initial access vector for cyber-attacks, both ransomware criminals and ICS targeting adversaries leverage this social engineering mechanism to
successfully breach companies.

Following spread throughout the victim’s network, the attacker deployed unidentified ransomware within the environment, leading to operational disruption. The victim disconnected and disabled impacted ICS assets to mitigate any potential threat to operations, then proceeded with a controlled shutdown instead of relying on purely manual control given the ICS loss of view impact. As a result, even though CISA reporting indicates only one compression facility was directly targeted, overall pipeline
operations ceased for two days during restoration from backup operational data and stored configuration files.

After publication, it was learned from multiple sources that the event described in the CISA report was likely the same as an event reported by the US Coast Guard in December 2019. As reported by the US Coast Guard, Ryuk ransomware was ultimately deployed at the facility, creating the disruption in operations.

Recommendations on protection measures

The following are security recommendations asset owners and operators can implement to prevent the infection and spread of ransomware that
could potentially impact ICS operations.

• Ensure employees are trained to recognise and respond to phishing
campaigns, and to report to security personnel when observed.
• Implement flagging or other methods to tag external email to mitigate spoofing of internal email addresses.
• Ensure strong network defences between the IT and OT networks, creating
chokepoints to limit malware spread.
• Keep anti-virus signatures up to date, where possible.
• Ensure corporate networks are thoroughly patched to prevent malware infections targeting disclosed vulnerabilities from entering the environment in the first place and prevent subsequent propagation that may impact ICS networks.
• Critically examine and limit connections including network shares between corporate and ICS networks to only required traffic.
• Aggressively monitor outbound communications from ICS networks to identify signs of infection events within OT space.
• Ensure backups of enterprise and OT network systems are maintained.
• Test backups during a disaster recovery simulation. ESI

Acknowledgement
This article is based on two news items published by our sister publication Smart Energy International, which are titled Are cybersecurity professionals in Africa fast enough to beat cybercriminals (October 2019), and Assessment of ransomware event at US pipeline operator (February 2020).