InfoSec World 2020 — Small suppliers and SMBs shouldn’t think they are immune to hacks. In fact, some of the most prolific hacks started with attacks on third-party suppliers, such as HVAC companies and small defense manufacturers. The Target hack quickly comes to mind.
In the InfoSec World 2020 session, You’ve Been Pwned…But Your Customers Are the Target, Christopher Hickernell, senior IT security analyst at MHI Shared Services Americas, retraced one of the largest hacks ever on the U.S. power grid.
It all started with an attack on All Way Excavating USA, a 15-person construction company near Salem, Ore., that works with utilities and various government agencies. According to the Wall Street Journal, the hack on All Way Excavating set off so many alarms that U.S. officials took the unusual step in early 2018 of publicly blaming Russia.
A reconstruction of the hack has been detailed in the WSJ article, and Hickernell walked conference attendees through the high points. The hackers used vulnerabilities inside All Way Excavating and other third-party contractors to work their way up the supply chain. It’s believed that some two dozen contractors were breached in all.
In this attack, the hackers exploited the trusted business relationships of the utility’s contractors and business partners to gain entry into the main network. The hackers also placed malware on the sites of all the online trade publications frequently read by the utility engineers. They sent our fake resumes pretending to be job seekers. Once they made their way into the utility, they reached computers systems that monitor and control the flow of electricity.
The takeaway from Hickernell: In a cyber world, every and any business can be targeted, so companies have to focus on the cyber hygiene basics like frequent patching and making sure their employees are aware and trained to be on the lookout for these types of attacks.