Reports that Belgian aerospace manufacturer ASCO Industries has shuttered several factories due to a ransomware attack on June 7 is certainly news, but what is causing even more raised eyebrows is the company’s almost complete silence on the issue.
However, the proposed buyer Spirit has told SC Media that it was informed by ASCO of the attack on June 11, but could offer no additional details on the incident.
"On July 11, Asco Industries confirmed a malicious intrusion on their servers and communicated that information to public authorities, customers and other stakeholders," said Fred Malley, Spirit's director of communications.
ASCO, which is in the process of being acquired by Wichita, Kan.-based Spirit AeroSystems, reportedly confirmed to the Belgian news site Data News that it had suffered a ransomware attack and has brought in outside help, but declined to offer any additional details. Reports also indicated ASCO has shut down some of its Belgian factories, putting more than 1,000 workers on the sidelines, but the company has not made an official statement.
Spirit and ASCO received conditional European Commission clearance for their merger in March and at this time there is no indication the breach will disrupt the expected closing tentatively scheduled for mid year, but Malley said Spirit is watching for developments.
"Spirit remains vigilant in its close watch on threats to Spirit’s systems and data. There is no indication at this time that Spirit has been impacted by any malware or other data threats. Spirit is closely monitoring Asco’s progress mitigating Asco’s network intrusion as well as any implications on the closing of the acquisition," he said.
The cone of silence put in place by ASCO is in direct contrast to the recent high-profile ransomware attack on Norsk Hydro. The Norwegian aluminum producer was hit in March with LockerGoga ransomware, costing the company an estimated $40 million in recovery costs. However, that company has been applauded by how upfront it was about the attack.
“This comes only a few months after Norsk Hydro was also shut down by ransomware; however, Norsk showed the world that while ransomware is costly and devastating in the moment, it doesn’t have to have a lasting effect on reputation, as the open and transparent way Norsk dealt with the attack resulted in a rise in share price,” said Shlomie Liberow, technical program manager at HackerOne. “Public understanding of ransomware is on the rise, so if ASCO reacts quickly and in a way that keeps relevant stakeholders informed, hopefully it will see no lasting damage to reputation.”
Stuart Reed, VP at Nominet, said some level of silence is understandable during the early stages of the investigation, but noted that communication is key as the recovery process proceeds.
“Communication... is a critical part of any incident response plan. As such, organizations should ensure that after the initial assessment is complete, active engagement with stakeholders and, crucially, any victims of the attack takes place promptly to minimize the impact of a breach. Timely and informative communications can go a long way in repairing trust with customers and preserving brand equity,” he said.
Spirit's stock has declined since June 10, the first business day since the ransomware attack took place; however, this also could be explained by the company being hard hit in other areas, as it is a supplier to Boeing for its currently grounded 737 MAX airliner.
On the other hand, the move to shut down unaffected factories or segments of the network was a step in the right direction.
“The best way to prevent attacks is by implementing security 101 measures. This means patching programs and enabling automatic updates, limiting permissions on systems and having procedures to deal with disaster recovery,” Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, told SC Media.
Trying to isolate the problem does make sense, added Reed, but he pointed out that this decision can add to a victim’s problems.
“Shutting down systems and facilities may help halt the spread of the attack reaching any further. As such, it’s prudent to take this action as far as [it’s] practical, though obviously this post-breach activity is not a long-term solution and carries its own consequences that compound the losses after an attack,” he said.
This means companies, governments and other organizations need to take a much more proactive stance when it comes to their cybersecurity, Galloway and Reed said.
Targets generally are infected due to a human error – someone clicking on a malicious email link, poor patch management or not using all the technology that is available to protect oneself.
One area to look at, Reed said, is the DNS traffic being generated by an organization. Malware has to communicate with its command-and-control server and the DNS layer is often used due to its ubiquitous nature, but this can mean wading through billions of queries, so an infosec team has to lean on technology to get the job done.
“While this equates to potentially billions of queries, the application of threat intelligence and machine learning techniques can analyze this activity at scale to deliver a rich source of information including early indicators of compromise. As such, proactive DNS cyber analytics should be wrapped into the overall security stack to intercept and neutralize attacks such as ransomware before they’re mobilized to cause harm,” he said.
On the other side of the equation are the basics that, if forgotten or not taken seriously, can lead to a massive amount of damage, Galloway said.
“Most ransomware attacks are reliant on exploiting existing vulnerabilities in computer systems. The WannaCry ransomware attack, for example, was caused by a very simple and common bad habit: using outdated and unpatched versions of software. This is... [still one] of the most common security weaknesses among organizations and enterprises,” she said.
So Galloway suggests the best way to protect against ransomware or most cyberattacks is by implementing basic security measures in conjunction with some higher level moves.
“This means patching programs and enabling automatic updates, limiting permissions on systems and having procedures to deal with disaster recovery. Organizations should implement: centralized update management; antivirus protection on all systems and endpoints, preferably with support for on-demand scanning by users of suspicious attachments prior to opening them; SIEM capabilities, for timely attack detection; and automated software audit tools to identify vulnerabilities,” she said.
SC Media has reached out to ASCO but has not received a response.
