Email attacks are a problem for national infrastructure companies


Cyber attackers are constantly using malicious emails to infiltrate critical national infrastructure. Up to 80% of critical national infrastructure companies suffered an email-related security breach in the past year, according to a new report from security solutions provider OPSWAT.

Compromising critical national infrastructure (CNI), such as utilities, transportation, telecommunications, and now data centers, can lead to widespread disruption, making it a prime target for cyberattacks. A recent report from Malwarebytes found that the services sector is the hardest hit by ransomware, accounting for nearly a quarter of global attacks.

The OPSWAT report, which surveyed 250 IT and security leaders from global CNI organizations, revealed that email-based attacks are proving profitable for attackers. For every 1,000 employees, CNI organizations experienced:

  • 5.7 successful phishing incidents per year.
  • 5.6 account compromises.
  • 4.4 data breach incidents.

But despite the significant number of email attacks targeting their industry, 50.4% and 52.8% of respondents still assume that email messages and attachments, respectively, are benign by default.

Why do threat actors target email?

Email offers attackers an easy way to deploy phishing attempts, malicious links, and damaging attachments that provide access to a target system. More than 80% of CNI organizations expect threat levels from all types of email attacks to increase or remain the same over the next 12 months, with phishing, data exfiltration, and zero-day malware attacks being the most likely.

The report’s authors noted that as operational technology and IT systems become “increasingly linked,” prioritizing email security is critical.

They wrote: “There are still significantly fewer OT networks that are isolated and digital transformation activities over the past decade have resulted in OT networks being connected to the Internet. This means that a successful email cyberattack can spread to the organization’s OT network to cause damage and initiate further attacks from within the OT network.

“The threat level posed by email attacks is expected to increase over the next 12 months, so critical infrastructure organizations looking to strengthen their email security posture must take a radical approach that emphasizes prevention and elimination of email-borne threats.”
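The half of respondents who treat messages and attachments as benign by default are the ones the report's authors are addressing with "prevention and elimination of email-borne threats". As an added illustration that is not from the article or the OPSWAT report, the Python script below shows the opposite posture at a mail gateway: every attachment is quarantined unless its extension is on an explicit allowlist and its content matches the file signature that extension claims. The allowlist, the signature table and the sample message are all constructed assumptions for the example.

```python
"""Default-deny triage of email attachments (added example, not from the report).

Posture demonstrated: an attachment is untrusted until it passes an explicit
allowlist AND its leading bytes match what its extension claims. An extension
check alone is not enough, because a renamed executable keeps a harmless name.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumed allowlist of types a gateway might admit; everything else is quarantined.
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".png", ".jpg", ".csv"}

# Assumed (partial) file-signature table used to confirm content matches extension.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}

# Names ending in any of these are rejected outright, including double extensions
# such as "invoice.pdf.exe", because endswith() sees only the final suffix.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd",
                       ".ps1", ".lnk", ".hta", ".iso", ".img", ".dll")


def classify_attachment(filename, data):
    """Return ("allow" | "quarantine", reason) for one decoded attachment."""
    name = (filename or "").lower()
    if not name:
        return "quarantine", "no filename"
    if name.endswith(EXECUTABLE_SUFFIXES):
        return "quarantine", "executable file type"
    ext = ("." + name.rsplit(".", 1)[-1]) if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return "quarantine", f"extension {ext or '(none)'} not on allowlist"
    # Content check: a PE file renamed to .pdf fails here even though .pdf is allowed.
    if data.startswith(b"MZ"):
        return "quarantine", "content has a PE executable header"
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return "quarantine", f"content does not match {ext} signature"
    return "allow", "allowlisted and content matches extension"


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and classify each attachment in order."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(part.get_filename(), data)
        results.append((part.get_filename(), verdict, reason))
    return results


def build_sample_message():
    """Constructed sample: one legitimate PDF and three attachments that must be held."""
    msg = EmailMessage()
    msg["From"] = "ops@example.com"
    msg["To"] = "control-room@example.com"
    msg["Subject"] = "Maintenance schedule (constructed sample)"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.7\n%constructed", maintype="application",
                       subtype="pdf", filename="schedule.pdf")
    # Same allowed extension, but the bytes are a PE header, not a PDF.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12, maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="update.exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="octet-stream", filename="notes.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict, reason in triage_message(build_sample_message()):
        print(f"{verdict:10} {filename:15} {reason}")
```

Run as a script it lists one `allow` (schedule.pdf) and three `quarantine` verdicts. In a real gateway the signature table would come from a proper file-type library and the quarantine would feed a sandbox or content-disarm step, but the shape of the decision is the point: the attachment has to earn delivery rather than be assumed safe.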

UK sees CNI data centres as helping to bolster its security

Last week, the UK government announced that data centres will now be considered CNIs – the first new designation since 2015. This was done to help boost the country’s security as they become increasingly important to the smooth running of essential services, as demonstrated by the CrowdStrike service outage in July.


UK data centres will now receive increased government support to recover from and anticipate critical incidents. A dedicated team of senior government officials will coordinate access to security agencies such as the National Cyber Security Centre and emergency services when needed. The designation could also serve to deter cybercriminals.

In contrast, CNI organisations in the UK face increased regulatory scrutiny. For example, the Network and Information Systems (NIS) Regulations apply to operators of essential services within CNI sectors, and telecommunications providers must comply with the Telecommunications (Security) Act.

Data centers are likely to be monitored more closely for compliance with existing and future legislation, which may include requirements for physical security measures, audits, contingency plans, risk reporting and security software.

Unfortunately, CNI companies do not excel at regulatory compliance, which contributes to the high frequency of email-based cyberattacks. OPSWAT’s report showed that 65% of CNI leaders say their organization is not compliant with regulatory standards. This percentage drops to 28% when considering only EMEA respondents.

CNI organizations are increasingly targeted by cyber attackers

NCC Group’s latest Threat Pulse report revealed that 34% of ransomware attacks in July targeted CNIs, up 2% from June. Malicious actors becoming less wary of law enforcement repercussions could be a contributing factor.

According to WithSecure experts, the action taken against the DarkSide group after it disrupted the operations of the Colonial Pipeline company involved “a concerted effort by ransomware groups to avoid sanctions.”

“Ransomware groups would attempt to fall below a perceived line that they believed would trigger action by a law enforcement agency, and many groups publicly stated that they would not target hospitals,” the researchers wrote in the Ransomware Landscape report.

However, the large number of attacks against CNI since 2023 suggests that they now “have no reservations about attacking any Western organisation” as the resulting police action “may be perceived by criminals as inevitable” regardless of the chosen target.


Legacy technology provides easy access

In its 2023 annual review, the NCSC said it was “highly likely” that the cyber threat to the UK’s CNI will have increased in 2023, in part due to its reliance on legacy technology.

Organisations that manage critical infrastructure are notorious for hosting legacy devices, as it is difficult and expensive to replace technology while maintaining normal operations. Evidence from Thales submitted for a UK government report on the threat of ransomware to national security stated: “It is not uncommon within the CNI sector to find [ageing] long-lived systems that are not routinely updated, monitored or evaluated.”

Other evidence from the NCC Group found that “OT systems are much more likely to include components that are 20-30 years old and/or use older software that is less secure and no longer supported.”

A Microsoft report from May corroborates this, describing its security measures as “often poor,” making “OT attacks not only attractive to attackers, but also relatively easy to execute.” The Redmond security researchers also highlight that the number of attacks on water and other key critical infrastructure systems has been increasing since late 2023.
