Hackers roil entire industries with attacks on IT supply chain

Across Paraguay, hackers knocked out online services provided by the foreign ministry and companies. In Sweden, they crippled the payroll and human resources systems of more than 100 government bodies, including the central bank and parliament, as well as hospitals, retailers and others.

In the US, intruders took down a software system that the biggest banks use to process trades, and they crippled a network that connects medical providers and pharmacies with insurance companies. Those attacks, against EquiLend and UnitedHealth Group Inc’s Change Healthcare division, wreaked havoc on Wall Street and the American health-care system.

These incidents all occurred this year. They’re a part of a growing phenomenon in which financially motivated cybercriminals have attacked critical links in the global IT supply chain – the plumbers of the Internet that you might least suspect as targets, bringing down industries and governments across entire countries along with them.

The victims are often little known outside their niches, but they supply the back-office software and services that power large swaths of the digital economy.

Cybersecurity experts say hackers are finding opportunity in the cloud evolution that has fundamentally changed the way organisations handle their IT chores. More and more critical services are now delivered via software applications in the cloud, and to servers owned and operated by third parties, an arrangement that raises the risk of cascading outages whenever one of those outside providers falls to hackers.

The latest attacks reveal that many industries don’t understand weaknesses in their own networks that can cripple them – and the degree to which they’ve become dependent on vulnerable third parties, according to Federico Charosky, founder and chief executive officer of Edinburgh, Scotland-based cybersecurity firm Quorum Cyber.

“We are unfortunately living with a vulnerability in the underlying infrastructure of the whole thing: The connected world – we don’t understand it,” he said. “It’s complex, the technologies are evolving quickly, and the ability to attack this thing we’ve built has been growing a lot faster than the ability to defend it.”

Trying to figure out how many single points of failure there are in specific industries, such as finance, is a challenge.

For instance, while financial regulators have spent years attempting to shore up banks that could pose systemic risks to markets if they fail, there’s little public information about the number of software companies supporting them that could affect operations if they are hacked.

In the past year, Wall Street has gotten a view of what such disruptions look like. Three separate ransomware attacks exposed different and little understood weaknesses in the technological underpinnings of the financial system.

In January, New York-based EquiLend, a financial technology company whose software processes trillions of dollars of transactions each month, had key services knocked offline in a breach that caused trading desks at some of the world’s biggest banks to revert to inputting transactions manually.

Two months before that, an attack against the US arm of the Industrial and Commercial Bank of China Ltd., the world’s largest bank, upended the US$26 trillion (RM122.25 trillion) market for US Treasury bond trading. The bank plays a role in clearing Treasury bond trades for many of Wall Street’s biggest firms.

And early last year, an intrusion against ION Trading UK, a maker of derivatives trading automation software, rippled across the operations of more than 40 of the company’s clients.

In all three cases, customers of the breached companies had to revert to manual means of processing trades, reviving practices from an era before electronic trading took off. The prolific Russia-linked ransomware gang LockBit, which was itself disrupted in a multinational law enforcement action in February, claimed responsibility for the breaches.

Cybersecurity experts said it’s unlikely that EquiLend, ICBC and ION Trading were targeted because of their unique roles in the financial system. The companies more likely fell victim to hacking groups that are claiming more victims, more quickly, than at any time in the past, a style that was refined to devastating effect by LockBit, the experts said.

Cybercriminals routinely use automated programs to scan the internet, identify systems with known security vulnerabilities and mass infect those networks, a largely indiscriminate style of hacking where the goal is creating maximum chaos and boosting the amount of money they can extract from victims in extortion payments, the experts say.

“These are dependencies on one supplier – it’s globalisation, and we can’t stop it,” said John Fokker, a former supervisor of high-tech crime investigations at the Netherlands national police and now head of threat intelligence for Milpitas, California-based cybersecurity firm Trellix Corp. “We always want to be more efficient, and we want to save costs and be faster. But inherently by doing so, you let go of your back-up systems. You start to trust your supplier. Nobody’s asking, what if that supplier gets hacked?”

IT companies have previously been targeted by intelligence services for espionage purposes, as they provide a single point of entry to stealthily infect multiple customer networks. The hack of IT-management software provider SolarWinds Corp, which was disclosed in 2020 and led to the compromise of nine federal agencies and about 100 companies, allegedly by Russia’s Foreign Intelligence Service, or SVR, is one example.

The experts say that what’s changing now is cybercriminals are adopting a similar approach for profit. Hackers are getting faster at exploiting known flaws in widely used software, and they’re even experimenting with generative AI to refine their methods, a sobering thought that suggests the problem could get much worse, the experts say.

“Over the last 12 to 18 months, there has been a rise in not only new ransomware groups coming online, but a massive rise in the sophistication in attacks carried out,” said Jon Miller, co-founder and chief executive officer of Halcyon, a maker of anti-ransomware software in California. “The reason for the rise in new attackers is simple: Ransomware pays millions of dollars for hours of effort. The more people find out how easy it is, the more people want to do it. And the deeper you can compromise and disrupt a business’s operations, the more they will pay.”

Three hacks so far this year have shown that the entities at greatest risk of causing cascading outages that cut across industries – even entire countries – are IT firms that perform back-office functions.

In February, a ransomware attack against UnitedHealth’s Change Healthcare division caused an outage of the country’s biggest electronic network for processing insurance claims. The breach has created weeks of delays for health-care facilities to get paid for treatments they’ve provided. It forced some patients to pay out of pocket for medications when pharmacies were unable to verify their insurance.

UnitedHealth – the nation’s largest health insurer – said on March 8 that some services had started to be restored, but hasn’t given an estimate of when its services will be fully operational again. The company said that some parts of the network that handle payments and medical claims will come back online in mid-March, while electronic prescribing services are now restored. The BlackCat ransomware group was blamed for the hack.

In January, Tigo Paraguay, the South American country’s biggest telecommunications service provider, suffered a cyberattack that the government confirmed affected one of the services provided by the ministry of foreign affairs, and it may have impacted more than 300 companies, according to the newspaper 5Días.

Millicom International Cellular SA, Tigo Paraguay’s Luxembourg-based parent company, confirmed in a statement that the incident impacted a “limited group of corporate segment clients”. It didn’t disclose how many companies were impacted or technical details of the attack.

Two weeks after that incident, hackers compromised a data center in Sweden belonging to Tietoevry Oyj, a Finnish information technology company, causing an outage of a payroll and human resources system that is used throughout Swedish government and industry.

A total of 120 government agencies and more than 60,000 employees were impacted, according to Robert Gallusson, spokesperson for the National Government Service Centre, which coordinates salary and financial administration for Swedish government agencies. Those included Sweden’s parliament, the Riksdag, and central bank, Riksbank, both of which confirmed the impact to their payroll systems.

In a statement, Tietoevry said that it “immediately isolated the affected platform” after the attack, which took weeks to resolve. The company blamed the Akira ransomware group.

Such hacks highlight the urgency for companies to come up with strategies for understanding the risks of their IT service providers, said Mattias Wåhlén, a threat intelligence expert at Swedish cybersecurity firm Truesec.

“Organisations that outsource their IT shouldn’t just ensure that the environment their IT provider sets up for them follows cybersecurity standards,” he said. “They need to ensure that the provider’s own back end is secure, too.” – Bloomberg