Multiple Critical Infrastructure Sectors Impacted

Garden State Cyber Threat Highlight

Original Release Date: 12/6/2023

Summary

As Critical Infrastructure Security and Resilience (CISR) Month came to a close, a number of sectors were impacted by disruptive cyberattacks over the long holiday weekend. A shifting geopolitical landscape has also intensified national security concerns and, while some of these attacks are opportunistic and financially motivated, others are the result of advanced persistent threat (APT) groups that may have a state-sponsored nexus.

The Healthcare and Public Health (HPH) sector was heavily targeted over the last few weeks. A ransomware attack was discovered on Thanksgiving morning, Nov 23, impacting two NJ hospitals – Hackensack Meridian Health and Mountainside hospital in Montclair. This was part of a larger ransomware attack that impacted Ardent, a healthcare services provider based in Nashville, TN. Ardent operates roughly 30 hospitals and over 200 facilities across six US states including New Jersey, New Mexico, Kansas, Texas, and Idaho. Impacted hospitals diverted all patients requiring emergency care to other hospitals in their area. The suspected ransomware group is Blacksuit, which shares many traits with Royal ransomware and the now-defunct Conti ransomware group, both of which frequently target the healthcare sector. The Health Sector Cybersecurity Coordination Center (HC3) released an analyst note Nov 6, warning that Blacksuit is a credible threat to the healthcare sector. Additional cyberattacks impacting the HPH sector include the Capital Health network and a BlackCat/ALPHV ransomware attack (also believed to work closely with Conti) that breached Henry Schein healthcare company for the second time in two months.

The Water and Wastewater sector (WWS) was also recently impacted. A Pennsylvanian Municipal Water Authority suffered a cyberattack attributed to CyberAv3ngers via a compromised Unitronics programmable logic controller (PLC). The Iranian-backed cyber threat group has claimed responsibility for at least ten other cyberattacks against Israeli water treatment stations since October 30, and likely targeted the Unitronics PLC system because it is Israeli-made. Other recently targeted water and wastewater agencies include St. Johns River Water Management District in Florida, the North Texas Municipal Water District that was impacted by a ransomware attack attributed to the Daixin Team, and the Greater Paris Wastewater Agency (SIAAP). A joint Cybersecurity Advisory (CSA) providing additional technical details and indicators of compromise (IOCs) was released Dec 1.

Finally, the Energy and Defense Industrial Base sectors were recently impacted by a cyberattack against General Electric (GE), an American international company with divisions in the power, renewable energy, and aerospace industries. The cyberattack is attributed to IntelBroker, an initial access broker known for targeting US government agencies in the past. Exfiltrated information contained sensitive Defense Advanced Research Projects Agency (DARPA) data comprised of classified information, including weapons programs and artificial intelligence (AI) research. Additionally, Austal USA, a shipbuilding company contracted with the US Department of Defense (DoD) and the Department of Homeland Security (DHS), confirmed that it suffered a cyberattack attributed to Hunters International. Other recently targeted energy corporations include the Slovenian power company Holding Slovenske Elektrarne (HSE) and the China Energy Engineering Corporation – both attacks were attributed to the Rhysida ransomware group.

Additionally, a number of recent vulnerabilities have been identified as initial access vectors used by APT groups targeting government and critical infrastructure sectors. Microsoft's Threat Intelligence team issued an alert regarding the Russian state-sponsored threat actor APT28 (aka Fancy Bear) actively exploiting an Outlook flaw, CVE-2023-23397. Targeted entities include government, energy, transportation, and other key organizations in the US, Europe, and the Middle East. CISA also issued a warning regarding active exploitation of the Adobe ColdFusion vulnerability identified as CVE-2023-26360 to gain initial access to government servers.

Recommendations

The NJCCIC strongly recommends that critical infrastructure and government organizations implement an incident response plan, regularly update software and systems, enable multi-factor authentication (MFA), encrypt sensitive data in transit and at rest, and implement network segmentation. Additional information and recommendations can be found in the linked resources above and in the National Cybersecurity and Communications Integration Center informational graphic, Seven Steps to Effectively Defend Industrial Control Systems.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
