Cyberattacks seem to be more devastating than ever and taking targeted companies even longer to resolve.
The latest attack to receive wide attention continues that trend: An ongoing cyber incident at CDK Global, whose software car dealerships use to manage everything from scheduling to records, has crippled dealerships for days now, with no clear end in sight.
In May, a cyberattack on Ascension, a St. Louis-based nonprofit network that includes 140 hospitals in 19 states, forced the system to divert ambulances from several of its hospitals. It took almost a month to fully resolve the issue.
And in February ransomware attack on Change Healthcare, a subsidiary of healthcare giant UnitedHealth Group, caused billing disruptions at pharmacies across the US and threatened to put some health providers out of business.
Experts say hackers are getting more sophisticated and can hide in an organization’s systems for longer undetected. These hackers target companies in a supply chain-style attack, taking down entire industries to leverage more money. And certain industries that often use outdated systems, like healthcare, are becoming even easier targets.
“We can’t even compare what was going on ten years ago to what’s going on today,” Dror Liwer, co-founder of cybersecurity company Coro, told CNN. “(Hackers) are in the game for much bigger gains than they were before.”
Why hacks are so much more devastating
Hackers are not just more sophisticated, but they’re also more patient, Liwer said.
Hackers hide themselves inside an organization’s framework for a while, and move laterally through that framework, affecting numerous parts of the system. They wait until it’s the right time to launch attacks. And the longer the hackers wait, the bigger the damage.
“When (hackers) turn the attack on and execute, it’s truly crippling to the organization which then generates more revenue for them,” Liwer said.
Experts with whom CNN spoke said it’s difficult to get specific details on individual cyberattacks immediately. For one thing, companies want to protect their brand reputation from potential litigation. Also, organizations may not want to reveal specific details of the attack before an investigation concludes, the experts said, in case there are any copycats.
Eric Noonan, CEO of cybersecurity provider CyberSheath, said that ransomware attacks typically breach through avenues like a phishing email. These breaches can go undetected for days or even weeks as the hacker moves laterally.
The actual deployment of ransomware is often quick and widespread, Noonan said. Most victims find out they’ve been hacked once they lose access to important files or receive digital ransom notes.
“Ransomware is the digital equivalent of squatters taking over a home. The initial entry goes unnoticed allowing the squatters to occupy and control the property and by the time homeowners notice there is a problem the process for regaining control and ownership is disruptive and expensive,” Noonan said.
While companies used less interconnected systems in the past, the move to the cloud and reliance on third-party systems — despite helping daily business operations — creates complex systems that are more susceptible to widespread hacks.
“It also creates kind of a bullseye and it helps attackers focus their efforts on specific types of infrastructure or specific cloud platforms,” Noonan said.
And hackers are targeting organizations that serve in the supply chain of industries. By attacking CDK’s software, for instance, hackers were able to bring the vehicle dealership industry to a standstill. Change and Ascension, large hospital chains, were not able to provide adequate care to their many branches. That gives hackers leverage to ask for larger and larger sums of money, said John Dwyer, director of security research at Binary Defense, a cybersecurity solutions firm.
Though hackers have more leverage, the success of paying a ransom and a speedy recovery is elusive, experts said.
“There’s never been a story written on a company that successfully paid a ransom, and then quickly recovered their systems,” Noonan said.
Healthcare is an easy target
Noonan said the issue isn’t that hackers are necessarily getting more advanced, but that many organizations lack modern, up-to-date systems. Most organizations don’t do incident response exercises, which is why it’s taking longer to recover from these massive hacks.
“Much of our critical infrastructure is way behind in terms of being prepared for recognizing cyber threats when they appear, but then more importantly, recovering from them,” Noonan said. An FBI report found that ransomware attackers targeted the healthcare and public health sector the most, followed by critical manufacturing and government facilities.
As systems become more interconnected, there is only so much a business can do to upkeep its cybersecurity – especially when relying on third party systems, like car dealerships do with CDK.
“Auto dealerships are not in the business of cybersecurity, so they aren’t really up to the task of protecting that kind of a system. It’s up to the vendor,” Cliff Steinhauer, director of information security and engagement at National Cybersecurity Alliance said.
Steinhauer also said it’s a constant game of “cat and mouse.”
“Every time we fix something, the hacker can still break it. And they only have to be right once, we have to be right every single time,” Steinhauer said.
Hospital attacks have surged. A nurse who works at Ascension Providence Rochester Hospital near Detroit, Michigan, previously told CNN that the ransomware attack on the networks is “putting patients’ lives in danger,” as healthcare workers have to resort to paper charting with a load of patients to take care of.
Others say healthcare is targeted because of the field’s aging technology, Steven McKeon, founder and CEO of software companies MacguyverTech and MacNerd, said in a release. This technology helps patients request prescription refills, view test results and schedule appointments, but is also more susceptible to hacks.
CNN has reached out to Ascension and Change for comment.
How to prevent long shutdowns
Dwyer said companies can do a better job of using third-party expertise since many internal security teams are pretty small. The best examples use an internal team that is an expert on the internal systems of the organization and hire third-party cybersecurity providers to bolster their size.
Organizations can also put into place systems that can look at security across their business, Liwer said.
Others say there should be mandatory minimum cybersecurity requirements for publicly traded companies. Those minimum standards should be viewed like seatbelts and airbags, Noonan said — they won’t prevent accidents from happening, but will better prepare companies.
“There’s many software companies or critical parts makers or parts of the supply chains that Americans have never heard of – these companies, the applications and the software or parts that they make until they’re no longer available. There’s many other CDK’s out there,” Noonan said.
— CutC by cnn.com
