Photo 17528422 © Tommy Beattie | Dreamstime.com

Bombardier Suffers Cyber Attack

Feb. 24, 2021
The Canadian manufacturer acknowledged on February 23 that it recently suffered a cyber attack, adding to the growing list of manufacturers who have seen unauthorized access.

This is not a broken record. This is not part of the script from the movie Groundhog Day. It is just the sad reality that cybersecurity attacks keep coming. The threat landscape continues to evolve with hackers having access to far more sophisticated tools. Each time another breach impacts a manufacturer it clearly demonstrates just how much today’s hackers value having access to the mountains of data these companies possess.

The most recent victim is Canadian plane maker Bombardier, which announced yesterday that it suffered a limited cybersecurity breach. An initial investigation revealed that an unauthorized party accessed and extracted data by exploiting a vulnerability affecting a third-party file-transfer application, which was running on purpose-built servers isolated from the main Bombardier IT network. The company acknowledged the attack after some of its data surfaced on the ransomware gang Clop's dark web portal. Many security experts are speculating the attack is part of the Accellion "supply chain" breach.

In a statement released by Bombardier, it was noted that the manufacturer “promptly initiated its response protocol upon detection of the data security incident. As part of its investigation, Bombardier sought the services of cybersecurity and forensic professionals who provided external confirmation that the company’s security controls were effective in limiting the scope and extent of the incident. Bombardier also notified appropriate authorities, including law enforcement, where required and will continue to work with the authorities as the investigation continues.”

In this specific breach, personal and other confidential information relating to employees, customers and suppliers was compromised. “The ongoing investigation indicates that the unauthorized access was limited solely to data stored on the specific servers. Manufacturing and customer support operations have not been impacted or interrupted. Bombardier can also confirm the company was not specifically targeted—the vulnerability impacted multiple organizations using the application.”

“The fallout from the Accellion-centered breach continues, purportedly this time with Bombardier. The takeaways should be pretty clear to people keeping score. Always keep software up-to-date or replace it with next-generation software that’s supported by the vendor,” says Trevor Morgan, product manager with data security specialists comforte AG, in a statement.

The silver lining for Bombardier is that it can use the opportunity from this latest breach to invest more time in checking all entry points to systems and their global network and hopefully root out any other suspicious activity, Sam Curry, CSO of Cybereason, tells IndustryWeek. "While small in nature, the alarms should be blaring for all companies because Bombardier has admitted that designs for airplanes and plane parts are now available for free on the dark web. Losing IP is devastating for companies and in this case, don't be surprised when China, Russia, and other nation states use the stolen information for profit," says Curry. "Accellion has urged its customers to migrate away from the vulnerable FTA web server that appears to have resulted in 100 companies being attacked and data stolen from 25 of them thus far. Their transparency is commendable."

Added Morgan, “If you think you’re safe from breaches like this, then it’s probably time you really reconsider your data security strategy and methods. Complacency is your worst enemy. And if you’re still depending on security methods that protect borders and perimeters, it’s probably time to think from a more data-centric perspective. If the data is the valuable part, protect the data and not the walls around it. That’s the data-centric approach in a nutshell.”

Unfortunate trend

The numerous cyber events focused on manufacturers are part of an unfortunate trend. According to the X-Force Threat Intelligence Index for 2021, released by IBM today, manufacturing was the second most-attacked industry. Specifically, manufacturing moved to second place in 2020, up from eighth in 2019. This may be driven by the interest malicious actors have in targeting infrastructure with connections to operational technology. Similarly, energy jumped from ninth place in 2019 to third place in 2020, further underscoring attackers’ focus on OT-connected organizations in 2020.

Other key insights from the report identified that manufacturing, professional services and wholesale were the industries most commonly targeted by Sodinokibi (the most common ransomware type X-Force observed in 2020), potentially because Sodinokibi actors assessed that organizations in these industries have a low tolerance for downtime—perhaps especially during the pandemic—or house especially sensitive data.

Additionally, manufacturing bore the brunt of data theft attacks in 2020, experiencing 33% of all data theft incidents. Energy came in second, at 21% of attacks, with finance and insurance third at 17% of data theft attacks. Twenty-one percent of attacks on manufacturing in 2020 were from ransomware—a significant percentage indicating that threat actors find manufacturing to be a profitable sector for ransomware attacks. And, in pure numbers, manufacturing experienced more ransomware attacks than any other sector. This sector’s low tolerance for downtime—often amounting to millions of dollars in losses for each hour of downtime—is probably a contributing factor in its high profitability for threat actors.

As with most cyber events, this story is still unfolding. We will update this article as we learn more. 
