KP’s ransomware attack: Why it’s crunch time for non-tech brands
When reports emerged last week of a letter from UK-based food manufacturer KP Snacks warning stockists that supplies of its crisps and nuts would be disrupted for at least a month following a ransomware attack, few in the cyber security industry were surprised.
Experts have long warned that non-tech companies such as food producers are particularly susceptible to online attacks that can have immediate consequences on their supply chains and reputations.
Illumio’s director of critical infrastructure solutions, Trevor Dearing, says that attacks on the IT systems of manufacturers, logistics companies and healthcare organisations – which target the operational part of the business – are becoming more frequent.
“Unlike a bank or retailer where the target is customer information, these attacks disrupt the logistics or manufacturing process – they can have immediate real-world impacts,” says Dearing.
This impact was also felt last year when US meat processing giant JBS Foods was hit by a similar ransomware attack, leading to a shutdown of nine beef processing plants.
It was noted at the time that food production companies were heavily exposed to attackers, as many medium to large-sized ones tend to run legacy technology and overly complex, cross-connected industrial control system (ICS) environments.
In the retail sector, meanwhile, which plays a key role in the wider supply chain network, firms have experienced an average of 44 cyber-attacks in the last 12 months (roughly one every eight days), according to data from Keeper Security’s 2021 Cybersecurity Census report.
Keeper says that attackers are taking advantage of IT skills shortages in the sector – a shortage which over half of all IT leaders (59%) agree has impacted cyber security in their organisation.
A lack of investment in, and culture around, cyber security may also be to blame in these sectors. Data analytics and consulting company GlobalData has compiled a Consumer Thematic Scorecard – which ranks consumer brands based on how they are expected to perform within key themes – and it shows that many of the top brands fall short when it comes to cyber security.
In fact, the top twenty leading companies – which include Unilever, Reckitt, Nestlé, P&G, PepsiCo, L’Oréal, Diageo and Kraft Heinz – average a score of 2.9 out of 5 on the cyber security theme. P&G stands out with a score of 4 out of 5.
GlobalData consumer analyst George Henry concludes: “The growth of the digital economy has emphasized how susceptible non-tech companies such as food producers can be to online attacks.
“With such importance placed on food security today, the same importance must also be placed on halting manufacturing line downtime, the exposure of patented technology, and damage to brand reputation.”
In KP’s letter, dated 2 February and circulated by Nisa stores, the 150-year-old Slough-based firm revealed that the attack had taken down its IT and communications systems beginning on 28 January and that, as a result, it was unable to process orders or dispatch goods.
“Through the weekend our IT Team and third-party experts have been assessing the scale of the intrusion and continue to do so. As a result, at this stage we cannot safely process orders or dispatch goods,” the letter continued.
KP has not said whether it plans to enter negotiations with the attackers or whether it intends to pay the ransom.
While CISA and the FBI strongly discourage paying such ransoms (arguing that payment encourages further attacks), Felipe Duarte, a security researcher at Appgate, believes that KP’s chances of conceding are high.
“Attackers know that companies with a large supply chain will want to get their operations back on track, so the likelihood of them paying the ransom is high. KP now has to make the difficult decision as to whether or not they pay it,” he says.
It was reported that JBS Foods ended up paying its attackers (the Russia-based ransomware-as-a-service gang REvil) $11 million in ransom to get its operations up and running.
The criminal gang behind the KP attack, meanwhile, is thought to be the Conti ransomware-as-a-service (RaaS) cybercrime syndicate.
A warning about Conti’s malicious activities was issued by the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI last September following a surge of attacks, including one on the Irish health service.
Affiliates on the gang’s payroll typically use several different techniques to infiltrate their victims, including targeted spear phishing, stolen or weak Remote Desktop Protocol (RDP) credentials, and the abuse of legitimate remote monitoring and management (RMM) and remote desktop software.
“The Conti ransomware gang has been prolific recently, with Delta Electronics also being a victim of their attack within the last week. They are known to use advanced techniques in their attacks and were one of the first groups to weaponize the Log4Shell vulnerability after it became public,” says Duarte.
Duarte adds that Conti is an extremely savvy and cautious operator, particularly considering the international interest that it has aroused in the past.
“Conti itself is actually a rebranding of its successor, the Ryuk Ransomware gang, and the result of a need to cover its tracks after too much media attention. But even with those efforts, Conti remains one of the most dangerous active ransomware gangs nowadays,” he explains.
A Zero Trust approach
Judging from its quick and transparent response, KP appears to have acted diligently – alerting its key customers and bringing in third-party experts to help minimise the damage.
But what can be done to prevent gangs like Conti, which are constantly scanning for new victims, from targeting other ops-heavy firms?
In their warning to business last year, CISA and the FBI provided a comprehensive list of mitigations to reduce the risk of Conti attacks, which includes: use of multifactor authentication; network segmentation; regularly scanning for vulnerabilities; keeping software updated; investigating any use of unauthorised software; restricting access to remote desktop services; and regular auditing of administrative accounts.
Craig Lurey, CTO and cofounder of Keeper Security, believes that many of these non-tech firms need to start with the basics – which includes understanding the risks associated with poor password hygiene.
“Basic cyber security training should be a requirement and formal onboarding step for all existing employees and new starters – a strategy which our census reveals is supported by 85% of IT leaders within UK retailers,” he says.
For Duarte, implementing a Zero Trust security strategy founded on the assumption of compromise should be high on most CIOs’ and CSOs’ agendas, and that includes applying policies such as network segmentation.
He says: “While we don’t yet know the infection vector used in KP’s attack, organisations can better prepare for attacks such as this one by implementing Zero Trust policies such as network segmentation.
“Segmenting the networks and certain data, assuming all connections can be compromised, can restrain threat actors from moving freely across a network.
“Zero Trust increases the chance of detecting an ongoing attack, and (if well implemented) minimizes the damages caused by cyber security incidents.”
Dearing agrees: by taking a Zero Trust approach and allowing only known and verified communication between environments, security teams can stop an attack on IT systems from spreading to the management or logistics processes.
“With the move to industry 4.0 and the adoption of cloud connected Industrial IoT, the potential impact of a ransomware attack will only continue to grow. That’s why it is important to act now and put security measures in place that will make our infrastructure resilient to attacks – even once they’ve breached our perimeter,” he says.
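The segmentation policy that Duarte and Dearing describe – assume every connection may be compromised, and allow only explicitly listed communication between environments – can be expressed as a default-deny allow-list evaluated over network flow records. The following is an added example written for this page, not code from KP, Illumio, Appgate or the CISA advisory: the zone addressing, the allow-list entries and the flow log lines are all constructed for illustration, and the record format (timestamp, source, destination, protocol, destination port) is an assumed one.

```python
"""Default-deny segmentation check over constructed flow records (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical zone plan for a manufacturer: corporate IT, the ERP/ordering
# system, and two operational (OT) segments. Addressing is constructed.
ZONES = {
    "corp-it":      ip_network("10.10.0.0/16"),
    "erp":          ip_network("10.20.0.0/24"),
    "warehouse-ot": ip_network("192.168.50.0/24"),
    "plant-ot":     ip_network("192.168.60.0/24"),
}

# Explicit allow-list of inter-zone communication: (src_zone, dst_zone, proto, dport).
# Any inter-zone flow not on this list is a violation; there is no implicit trust.
ALLOWED = {
    ("corp-it", "erp", "tcp", 443),        # staff reach the ordering web front end
    ("erp", "warehouse-ot", "tcp", 8883),  # ERP publishes dispatch orders over MQTT/TLS
    ("warehouse-ot", "erp", "tcp", 443),   # warehouse systems report stock back
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is not in the zone plan."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def verdict(flow: Flow) -> str:
    """Decide a flow against the zone plan and allow-list (default deny)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny: unknown zone"           # unmapped address gets no trust
    if src_zone == dst_zone:
        return "allow: intra-zone"            # same segment; host rules would tighten this
    if (src_zone, dst_zone, flow.proto, flow.dport) in ALLOWED:
        return "allow: listed"
    return f"deny: {src_zone}->{dst_zone} {flow.proto}/{flow.dport} not on allow-list"


def violations(lines) -> List[Tuple[Flow, str]]:
    """Return every denied flow with the reason, skipping blank lines."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        v = verdict(f)
        if v.startswith("deny"):
            out.append((f, v))
    return out


# Constructed flow log. Lines 3 and 4 model an attacker with a corporate IT
# foothold reaching for RDP (3389) on a plant host and SMB (445) in the warehouse.
SAMPLE_FLOWS = """\
2022-02-01T09:14:02Z 10.10.4.21 10.20.0.5 tcp 443
2022-02-01T09:14:09Z 10.20.0.5 192.168.50.12 tcp 8883
2022-02-01T09:15:31Z 10.10.4.21 192.168.60.15 tcp 3389
2022-02-01T09:15:40Z 10.10.4.21 192.168.50.7 tcp 445
2022-02-01T09:16:02Z 192.168.60.15 192.168.60.30 tcp 502
2022-02-01T09:16:10Z 172.16.9.9 10.20.0.5 tcp 443
"""

if __name__ == "__main__":
    for f, v in violations(SAMPLE_FLOWS.splitlines()):
        print(f"{f.ts} {f.src} -> {f.dst} {f.proto}/{f.dport}: {v}")
```

Run against the constructed log, the check flags the two lateral-movement attempts from corporate IT into the OT segments and the flow from an address outside the zone plan, while the listed ERP-to-warehouse traffic and the intra-zone Modbus flow pass. The same allow-list is what you would push into firewall or host-based segmentation policy; evaluating flow logs against it is how you verify the policy actually holds.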