Outsourcing group Interserve is recovering from a cyberattack which took place over the weekend that may have seen the details of up to 100,000 people stolen. Hackers broke into a human resources database owned by the outsourcing firm, which recently helped build the Birmingham Nightingale Hospital, on May 9 and stole information on current and former Interserve employees, a company insider said.
Outsourcing giant Interserve announced late last night that it suffered a cyberattack earlier this month. I'm told hackers got into their HR database on Saturday https://t.co/YHkFe9LiHx
— James Cook (@JamesLiamCook) May 13, 2020
Samantha Humphries, security strategist at Exabeam:
“Coming hot off the heels of a UK and US Government advisory that healthcare and medical research organisations are being targeted by malicious cyber campaigns, the incident Interserve and Bam Construct are now dealing with demonstrates that this threat is actually far more diverse. Malicious actors are clearly going beyond the hunt for valuable intellectual property related to vaccines and research, instead targeting the organisations mounting our critical national response to the pandemic.
This is part of a broader geopolitical tension – one that seeks to undermine public confidence in a government under significant pressure to show that it is putting lives first. This attack has all the hallmarks of a nation state enabled group; it steps outside the ‘normal’ increase in traditional social engineering attacks we’re seeing from traditional cybercriminals.
For many of the organisations now caught in the coronavirus crosshairs, this will likely be the first time they have been targeted by the coordinated and sophisticated attacks typical of ‘advanced persistent threat’ (APT) groups. It’s fairly certain that – given the remote working reality we are facing – these groups are taking advantage of the additional threat vectors posed by corporate networks that now extend far beyond the four walls of the office and into employees’ homes. Here, the same standards of controls and security are not easily attainable for most organisations.
Against the most sophisticated attackers, traditional protections are often inadequate. Targeted organisations will need to be able to quickly detect and respond to any breach – which will almost certainly enter through the many new corporate side doors of employees’ home networks. Central to this will be monitoring for tactics, techniques and procedures (TTPs) specific to various state-sponsored groups, as well as utilising behavioural analytics technologies on the network. This will learn the normal behaviour of the network and immediately notify security analysts when activity deviates from this baseline – this is often the first indication of a breach or infiltration.”
While specific details are scant, it is encouraging that to see Interserve working closely with the NCSC, and in all likelihood other agencies and private sector organisations, to determine how this reported breach happened and what information was compromised. Interserve\’s network is vast, and this attack was likely strategic and with purpose as hackers are fully aware of the treasure trove of assets available if they are able to breach the vast ecosystem of customers and partners connected to the company.
No matter whether its UK companies, US companies or companies located in other parts of the world, adversaries today hold a large advantage in the cyber cat and mouse game. Nation state backed crime groups are well funded and most often have the resources to carry out comprehensive cyber strikes.
However, today a wider variety of hacking tools that would typically be used by sophisticated groups are trickling down to smaller groups or individuals. Ultimately, this creates a bigger challenge for security analysts (the defenders) to stay ahead of threats. Identification, remediation and 24×7 threat hunting and activating an incident response team is critical to prevent malicious and material damage from occurring in the supply chain.
Unfortunately, health and education sectors are common targets for cybercriminals throughout Covid-19. The inherent weakness in their cybersecurity is one factor, but the value in their data is another. In this case, hospital data can be used in insurance fraud, drug prescription forgery, extortion or as a means to enable future attacks on the service or the individual victims. The sheer size and scope of the healthcare industry and the fact that the public sector uses many contractors and outside parties makes it a difficult task to admin and secure. Likewise, in education, we have seen valuable research being a constant target in recent years.
Both sectors are particularly vulnerable to ransomware, but the biggest concern here is the use of stolen data as a means to enable further attacks. It is much easier to fool victims with a phishing email once you know details about them and their colleagues. Hence, to mitigate future attacks and build cyber resilience, organisations and individuals need to ensure that adequate defences are in place. Secondly, data must always be backed up, so systems can be restored if needed. As well as good practices, these sectors need a cultural and institutional change with regard to cybersecurity to stop them suffering disproportionately to other organisations.
First, every company is a software company. While Interserve is described as a construction and support service company, it relies on software to run its business. As such, its software cybersecurity posture is a key component of overall business risk. Regardless of industry, every company must take a proactive, comprehensive approach to cybersecurity to help minimise the risk of business disruption, bad publicity, and lost revenue.
Second, attackers will not hesitate to take advantage of calamity. During a global pandemic, when organisations worldwide are struggling to respond to a health emergency, attackers have targeted Interserve as one of the organisations supporting the NHS. Attackers most likely believed that Interserve’s attentions were focused elsewhere, increasing their susceptibility to a cyberattack.
Now is the perfect time for all organisations to take stock of their cybersecurity and make necessary changes to strengthen their posture.
Coming hot off the heels of a UK and US Government advisory that healthcare and medical research organisations are being targeted by malicious cyber campaigns, the incident Interserve and Bam Construct are now dealing with demonstrates that this threat is actually far more diverse. Malicious actors are clearly going beyond the hunt for valuable intellectual property related to vaccines and research, instead targeting the organisations mounting our critical national response to the pandemic.
This is part of a broader geopolitical tension – one that seeks to undermine public confidence in a government under significant pressure to show that it is putting lives first. This attack has all the hallmarks of a nation state enabled group; it steps outside the ‘normal’ increase in traditional social engineering attacks we’re seeing from traditional cybercriminals.
For many of the organisations now caught in the coronavirus crosshairs, this will likely be the first time they have been targeted by the coordinated and sophisticated attacks typical of ‘advanced persistent threat’ (APT) groups. It’s fairly certain that – given the remote working reality we are facing – these groups are taking advantage of the additional threat vectors posed by corporate networks that now extend far beyond the four walls of the office and into employees’ homes. Here, the same standards of controls and security are not easily attainable for most organisations.
Against the most sophisticated attackers, traditional protections are often inadequate. Targeted organisations will need to be able to quickly detect and respond to any breach – which will almost certainly enter through the many new corporate side doors of employees’ home networks. Central to this will be monitoring for tactics, techniques and procedures (TTPs) specific to various state-sponsored groups, as well as utilising behavioural analytics technologies on the network. This will learn the normal behaviour of the network and immediately notify security analysts when activity deviates from this baseline – this is often the first indication of a breach or infiltration.