Incident Of The Week: Defense Electronics Manufacturer CPI Succumbs To Ransomware Demands
Restoring All Systems Is Multi-Month Process; Compromised Admin Credentials To Blame
Ransomware is industry-agnostic. Cyber-criminals who pursue organizations and hold their data for ransom are typically motivated by money. The days of spies physically infiltrating an organization to steal trade secrets are likely gone. Insider threats and cyber-attacks are more viable paths to complete nefarious deeds.
In mid-January, electronics manufacturer Communications & Power Industries (CPI) had its data encrypted and held for ransom. Founded in 1995, CPI is a global manufacturer of electronic components and subsystems focused primarily on communications and defense markets. The 2,000-person company formed out of Varian Associates and claims to be the largest U.S. manufacturer of electron devices. Its customers include the US Department of Defense and the DoD’s DARPA.
The company had its systems knocked offline by the attack. Hackers requested the company pay $500,000 in exchange for the decryption key. A third-party forensic investigation firm was hired by CPI to investigate the cyber-attack. The origin of the attack appears to have been a phishing attack. According to a source speaking with TechCrunch, thousands of computers on the network were on the same, unsegmented domain. As a result, the ransomware quickly spread to every CPI office, including its on-site backups.
“The root cause appears to be a domain administrator clicking on the malicious link,” said Lawrence Livermore National Laboratory Senior Cyber Analyst Lee Neely. “Controlled use of administrative privileges, including running with the lowest level of privilege is CIS Control 4. Network segmentation, particularly for older operating systems such as XP, is key to not only restrict lateral movement but also mitigate shortfalls in legacy system security.”
CPI chose to pay the ransom and is currently assessing data loss from the attack. At the end of February, a source said that about one-quarter of computers had been restored to operational duty. Federal agencies generally advise against making ransom payments, as there is no guarantee that the tools necessary to decrypt data will work (assuming that they are even sent). Some states are even considering legislation that would ban organizations from making ransom payments.
At RSA Conference 2020, the FBI presented its cyber-crime findings on how much victims paid in ransom payments. Between October 2013 and November 2019, the FBI identified more than $144 million in bitcoin payments to ransomware actors. This figure covers ransom payouts only and is not the total cost associated with ransomware.