The CDK Global outage has paralyzed car dealerships for several days. Experts say this is the new normal for cyberattacks | CNN Business



New York
CNN

Cyberattacks appear to be more devastating than ever and are taking even longer for targeted companies to resolve.

The latest attack to receive widespread attention continues that trend: An ongoing cyber incident at CDK Global, whose software auto dealerships use to manage everything from scheduling to registrations, has been crippling dealerships for several days now, with no clear end in sight.

In May, a cyberattack on Ascension, a St. Louis-based nonprofit network of 140 hospitals in 19 states, forced the system to divert ambulances from several of its hospitals. It took almost a month to completely resolve the issue.

In February, a ransomware attack on Change Healthcare, a subsidiary of healthcare giant UnitedHealth Group, caused billing disruptions at pharmacies across the United States and threatened to put some healthcare providers out of business.

Experts say hackers are becoming more sophisticated and can hide in a company’s systems for longer periods of time without detection. These hackers are targeting companies in supply chain-style attacks, destroying entire industries to get more money. And some industries that often use outdated systems, like healthcare, are becoming even easier targets.

“We can’t even compare what was happening ten years ago to what’s happening today,” Dror Liwer, co-founder of cybersecurity company Coro, told CNN. “(Hackers) are in the field for much bigger gains than before.”

Hackers are not only more sophisticated, they are also more patient, Liwer said.

Hackers hide for a period of time within the framework of an organization and move laterally across that framework, affecting many parts of the system. They wait for the right moment to launch attacks. And the longer the hackers wait, the greater the damage.

“When (hackers) initiate an attack and execute it, it really cripples the organization, which then generates more revenue,” Liwer said.

Experts CNN spoke to said it’s difficult to immediately get specific details about individual cyberattacks. For one thing, companies want to protect their brand reputation from potential litigation. Additionally, organizations may not want to reveal specific details of the attack until after the investigation is complete, experts said, in case there are copycats.

Eric Noonan, CEO of cybersecurity vendor CyberSheath, said ransomware attacks typically come through avenues such as a phishing email. These breaches can go unnoticed for days or even weeks as the hacker moves laterally.

Ransomware deployment is often rapid and widespread, Noonan said. Most victims discover they’ve been hacked when they lose access to important files or receive digital ransom notes.

“Ransomware is the digital equivalent of squatters taking over a house. The initial entry goes unnoticed, allowing squatters to occupy and control the property. By the time owners realize there is a problem, the process of regaining control and ownership is disruptive and costly,” Noonan said.

While businesses previously used less interconnected systems, the move to the cloud and reliance on third-party systems, while contributing to day-to-day business operations, creates complex systems that are more vulnerable to widespread hacks.

“It also creates a kind of target and helps attackers focus their efforts on specific types of infrastructure or specific cloud platforms,” Noonan said.

Hackers also target companies that are involved in the supply chain of industries. By attacking CDK’s software, for example, hackers were able to cripple the car dealership industry. Change and Ascension, two large hospital chains, have been unable to provide adequate care to their many branches. That gives hackers a way to demand larger and larger amounts of money, said John Dwyer, director of security research at Binary Defense, a cybersecurity solutions company.

Although hackers have more leverage, paying a ransom and rapid recovery remain elusive, experts say.

“There has never been a story written about a company that was able to pay a ransom and then quickly recover its systems,” Noonan said.

The problem, Noonan says, is not so much that hackers are becoming more sophisticated, but that many organizations lack modern, up-to-date systems. Most organizations don’t do incident response exercises, which is why it takes longer to recover from these massive hacks.

“Much of our critical infrastructure is far from ready to recognize cyber threats when they appear, but, more importantly, to recover from them,” Noonan said.

Photo: The UnitedHealth website on a smartphone in New York, United States, Friday, July 7, 2023. (Gabby Jones/Bloomberg/Getty Images)

An FBI report found that ransomware attackers primarily targeted the healthcare and public health sector, followed by critical industrial facilities and government facilities.

As systems become more interconnected, there is little a business can do to maintain its cybersecurity, especially when it relies on third-party systems, as car dealerships do with CDK.

“Car dealerships are not cybersecurity professionals, so they are not really able to protect this type of system. That’s up to the vendor,” said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance.

Steinhauer also said it was a constant game of “cat and mouse.”

“Every time we fix something, the hacker can always break it. And they only have to be right once, we have to be right every time,” Steinhauer said.

Attacks on hospitals have increased. A nurse who works at Ascension Providence Rochester Hospital near Detroit, Michigan, told CNN that the ransomware attack on networks is “putting patients’ lives at risk” because healthcare workers are dealing with paper records with large numbers of patients to care for.

Others say health care is being targeted because of aging technology in that area, Steven McKeon, founder and CEO of software companies MacguyverTech and MacNerd, said in a statement. This technology helps patients request prescription refills, view test results and schedule appointments, but it is also more susceptible to hacks.

CNN has reached out to Ascension and Change for comment.

Dwyer said companies can do a better job of tapping into third-party expertise because many internal security teams are quite small. The best examples use an internal team that is expert in the organization’s internal systems and use third-party cybersecurity vendors to add scale.

Organizations can also put systems in place that can ensure the security of their entire operations, Liwer said.

Others believe there should be mandatory minimum cybersecurity requirements for publicly traded companies. These minimum standards should be thought of like seat belts and airbags, Noonan said: They won’t stop accidents from happening, but they will better prepare businesses.

“There are many software companies or manufacturers of critical components or parts of the supply chain that Americans have never heard of — these companies, the applications and software or components that they make until they are no longer available. There are many other CDKs,” Noonan said.

CNN’s Sean Lyngaas contributed to this report.


