Ransomware attacks against enterprises (“Blackmailing Enterprises: You are Patient Zero”) and academia (“Blackmailing Academia: Back to pen and paper(?)”) are not a new phenomenon, and they are a lucrative business for those who couldn’t care less about laws, ethics or getting caught. Just recently, a major US fuel pipeline was hit by a ransomware attack.
In this particular attack, the office systems of Colonial Pipeline were successfully infiltrated and the attackers exfiltrated at least 100 GB of data in order to extort the company. “Extortion” is the next level of ransomware attacks: instead of “just” encrypting the data and asking for money in exchange for the decryption key, the attackers threaten to publish that (presumably confidential or personal) data unless the victim pays a ransom.
What happened to Colonial Pipeline is not unique, new or surprising. Like any other enterprise, university or organisation, they were already under attack before this incident. The attackers eventually succeeded because their hope to gain big bucks gave them enough persistence, drive and motivation to break through. Colonial Pipeline is now in the delicate situation of having to decide whether or not to pay the ransom. Whatever their decision, major damage has already been done to the East Coast’s economy.
While the energy transferred through their pipelines is much lower than through those of CERN*, the similarities cannot be ignored: CERN also runs a vast office network that is interconnected with its operational (control) systems (Colonial Pipeline immediately disconnected the latter once they became aware of the attack). And while the attackers in this particular case stated on their webpage “Based on our principles, we will not attack […] education [and] non-profit organizations”, other gangs might target CERN.
This is why CERN is currently:
- putting into production a new and more powerful firewall with sophisticated threat protection;
- buying a new antivirus and so-called “endpoint detection and response” (EDR) software for all CERN-owned devices, personal laptops and, eventually, home computers;
- deploying more and more second-factor authentication for remotely logging into CERN services;
- discussing how to even better protect CERN’s technical network and the control systems hosted thereon;
- increasing its monitoring and detection capabilities;
- teaming up ever more closely with our Worldwide LHC Computing Grid partners and the eduGAIN, EGI-ACE and EOSC-hub communities;
- conducting another phishing awareness-raising campaign targeting all of its staff and users; and
- reviewing and providing input on the computer security aspects of more and more new projects.
Even so, we are counting on you to take the following actions to help protect CERN’s assets, resources, services and systems:
- Make sure that your devices are always up to date;
- Use a strong password to protect your assets, both those of CERN and your own;
- Watch out when browsing the web or opening emails;
- Take special care when teleworking;
- Call on CERN central IT services when in need of a database, virtual machine, webserver and the like;
- Programme and develop code in a secure fashion and avoid automatically downloading external dependencies from the internet;
- Feel free to contact us at Computer.Security@cern.ch if you have questions or need help!