The ransomware attack targeting smartwatch and wearables maker Garmin in late July highlights the vulnerability of connected IoT devices and the consequences this kind of disruption can have on crucial industries like supply chain, OT and even aviation.
The ransomware strain known as WastedLocker was used to attack Garmin Connect and shut down access to its official website, its data-syncing service for users, its aviation database services and even certain production lines in Asia. The outage even took down its call centers, so that users’ calls, emails and online chats remained unanswered. The result was a days-long maintenance window where users could not access the full functionality of Garmin’s consumer wearables and sportswear, as well as GPS and aviation navigation equipment.
The Garmin Connect disruption also led to a number of concerning challenges for the aviation industry. Pilots were unable to download updates from Garmin’s databases onto their navigation systems, which the FAA requires before takeoff. The Garmin Pilot App, which is used to schedule and plan flights, was also shut down temporarily. Fortunately, the airline industry has established disaster recovery plans and backup procedures to ensure that critical services can be maintained in the wake of a disruption like this. Even so, the attack highlights how crucial these connected devices are and the dangerous potential if they are disrupted.
The WastedLocker ransomware is affiliated with the Russian cybercrime group known as Evil Corp. This is the same criminal organization behind other recently impactful ransomware strains known as Dridex, Locky and BitPaymer. WastedLocker attacks have been remarkably targeted and focus on larger organizations that can afford to pay ransoms ranging from $500k to $10 million. The malware was first spotted in the wild in May of 2020. By July, it was regularly impacting large enterprises with newsworthy results.
Unlike other cybercrime groups that release compromised data online or sell it to the highest bidder on the dark web, Evil Corp has not been taking such actions when affected companies fail to pay ransoms. Instead, their targeted approach involves compromising employee accounts, systematically assessing security capabilities and exposures, and then disabling capabilities like malware protection. Evil Corp then exploits these vulnerabilities to deliver and widely propagate the ransomware attack through the environment.
In late 2019, U.S. officials offered a $5 million reward for information that would lead to the arrest of Evil Corp’s leaders. This came in response to the many millions of dollars stolen from U.S. businesses and citizens leading up to 2020, but has had no effect on the group’s targeted campaigns.
The Garmin Connect outage makes it clear that bad actors understand the chaos they can bring by disrupting supply chains. It also highlights the significant impact that attacks on traditional IT infrastructure like user credentials and remote-work laptops can have on manufacturing operations.
Cybercrime organizations have learned that if they impact one disconnected organization with no ripple effect, the ransom they can demand is limited. But if they systematically target an enterprise that consumers and other enterprises rely on, they can demand and expect much more lucrative ransom payments. If bad actors have penetrated a large amount of the enterprise environment through reconnaissance efforts and have disabled controls that would help them recover from an attack — as Evil Corp routinely does — they know they can demand even larger payments. This applies to no industries more than those that rely on OT to deliver core services and capabilities.
Due to the ever-increasing attack surface and opportunity for material disruption, industries that rely on OT should ultimately ask themselves the following questions:
According to Garmin, no customer data was compromised in the attack and the impact was limited to its service and manufacturing ability — good news for consumers. This also gives us the ability to shift focus towards discussing what we should learn from these events.
In 2020, preventing and recovering from a ransomware event is more complex than ever before. These attacks no longer impact only PCs and servers in our environments, but also IoT and OT systems in manufacturing, energy and critical infrastructure, supply chain, healthcare and more. Whether we consider the cyberattacks on renewable energy and oil and gas operations from earlier this year or many of the healthcare attacks witnessed even during the pandemic, two things are for certain:
OT and IoT devices can be and are being impacted by ransomware events and cyberattacks every day, and in many cases just as easily as a desktop, laptop or server. In fact, many of the most impactful, newsworthy ransomware events in recent months have involved the encryption of IT, IoT and OT systems alike.
Failing to understand how these devices are truly interconnected and support and enable key business capabilities means that any security strategy developed around protecting our critical environments and networks is only partially complete. This also means that the ability to truly recover the business from a widespread ransomware event without being forced to pay the ransom and obtain the decryption key may be exponentially lower.
OT enterprises in particular should assess their ability to rapidly detect, prevent and respond to a ransomware attack that impacts or moves laterally through IT, IoT or OT devices before it reaches critical operations. As noted by the NSA and CISA in their recent urgent cybersecurity advisory, the ability to continuously and holistically monitor all forms of networked devices is a key capability in safeguarding our OT operations and brands moving forward.
And lastly, as security professionals, it’s important that we remember that one of our most positive levers for change is to learn from known enterprise attacks and how they can help prevent attacks in similar operations and environments. When immediately followed by a tactical and continuous risk mitigation strategy — along with details around the likely cost of doing nothing versus the expense associated with taking action — this can be incredibly powerful in helping to move the needle when security knows that it needs to be moved to safeguard the brand.