Construction firms are increasingly targets of cyber and ransomware attacks that lead to costly project delays and the exposure of sensitive information. J. Paul Haynes, P.Eng., President and COO of eSentire, explores how firms can use cybersecurity to protect themselves from ransomware attacks.
One of the most notable ransomware breaches involved the construction firm Bird Construction. This prominent Toronto-based firm has conducted numerous multi-million-dollar projects on behalf of Canada’s military and other Canadian government agencies.
The Maze ransomware gang hit the construction company in December 2019, encrypting company files. Maze operators claimed they stole 60 GB of company data, and it was reported that Maze demanded a $9m ransom.
To pressure the company to pay up, the cybercriminals published on their clearnet data leak site company files containing Personal Identifiable Information (PII) on several employees, including their names, home addresses, banking information, social insurance numbers and tax forms. They also published files pertaining to an important customer, Suncor Energy. It is unknown if Bird Construction ever paid the $9m ransom.
Maze attacked construction giant Bouygues in 2020
One month later, in early 2020, the Maze gang attacked construction goliath Bouygues in France, forcing the organization to shut down its computer systems to prevent the propagation of damaging ransomware.
It was reported that the Maze operators boasted that they had encrypted over 1,000 Terabytes of the company’s data and that they wanted €10m for the decryption key and not to leak the company’s files. To back up their threat, Maze operators published a 1.2 GB file on their Clearnet data leak site that they claimed contained company information.
More recently, between the end of February and mid-July 2022, eSentire’s security research team, the Threat Response Unit (TRU), tracked 81 victim organisations listed on the BlackByte and Black Basta – two Conti affiliate groups – data leak sites.
Construction companies were featured heavily, including Ragle Inc in the US, Plauen Stahl in Germany, and the Canadian firm Trade-Mark Industrial Inc, in addition to construction firms in Spain, Holland, and the UK.
Construction is one of the most targeted industries by ransomware attacks
According to a 2022 report by encryption software firm, NordLocker, an analysis of 1200 firms across 35 industries identified the construction industry as the most targeted segment. These attacks target not only large construction and engineering companies but smaller, family-owned businesses that deliver key tradecraft into projects.
The construction and engineering industry has proven to be a lucrative target for cybercriminals. When the famous bank robber Willie Sutton was asked why he robbed banks, he reportedly said: “that’s where the money is.” It’s simple algebra. The construction industry is lucrative, and its cybersecurity is not necessarily as mature as that of other industries such as financial services, military contractors and retailers.
Limited industry regulations and guidelines make construction an easy target
The construction industry is susceptible to cyberattacks because of limited industry regulations and guidelines. As emerging technologies such as artificial intelligence and machine learning, robotics, drones, SmartID tags used on job sites and industrial internet of things (IIoT) automation spread through the industry, security is often treated as an afterthought.
Interestingly, the manufacturing industry has suffered similar IT growing pains and ranks second behind the construction sector among the most targeted industries, according to the NordLocker report.
Oftentimes construction companies and their employees operate as a distributed workforce, spread across various projects, work sites and countries. Depending on the location, whether abroad or in remote locales, workers are logging into spotty or open Wi-Fi networks. All of these factors increase the odds of a breach.
In addition, these remote workers share data and assets across devices and central services, which makes them susceptible to cyberattacks and easily tricked into surrendering their credentials.
Construction and engineering firms manage sensitive data which can be easily resold in dark markets
Construction and engineering firms manage lucrative confidential and proprietary information like shared project and consortium details, highly protected trade secrets of their owner-operator customers, engineering specifications and schematics, financial information concerning bids, project insurance and employment and healthcare information.
This type of sensitive data is easily resold in dark markets or can be used to extort funds from companies that are willing to pay large ransoms so their data is decrypted and returned rather than released to the public. If the victim is a public company, losing financial information is particularly concerning as it may expose the firm to front-running trades.
Access to significant funds also makes the construction and engineering sector a perfect target for fraudulent wire transfers due to business email compromise schemes.
The nature of the industry also makes it highly susceptible to operational disruption, material downtime, and costly project delays. Like healthcare delivery organisations, industries with time sensitivity and facing delay-based penalties and cost overruns tend to pay ransoms more quickly than those businesses that can weather temporary disruptions.
Of course, massive data breaches of intellectual property, bid information, and business interruptions lead to reputational damage that cannot be remedied by insurance.
The industrialization of cybercrime has given rise to ransomware
The cybercrime plague shows no signs of slowing. Ransomware gangs are coordinated, sharing technology resources and tools, expertise, stolen data and intelligence, and they are masters at monetizing every piece of data they get their hands on.
The industrialization of cybercrime has given rise to ransomware-as-a-service, by which smaller criminal groups can purchase, lease or share criminal proceeds in exchange for the use of proven, tested ransomware toolkits. Even the well-known brand of a ransomware gang is used to intimidate victims into paying extortion fees.
On one end of the cybercrime spectrum are the criminal groups, and on the other end are state-sponsored threat actors operating at the behest of nations. Along that continuum, some groups operate within nation-states that turn a blind eye or lack the resources to investigate illegal activity. Some collaborate or coordinate with government agencies or their intermediaries.
Cybercriminals use a variety of tools and techniques to conduct a cyberattack
These cybercriminal groups have access to sophisticated tools and techniques and a skilled employee base with expertise in every facet of a cyberattack, from early reconnaissance and initial access through persistent presence, malware deployment and exploitation. These groups use effective techniques to dupe victims with clever phishing emails and drive-by attacks launched from infected websites.
Additionally, the cybercriminals may use a variety of malware and tools, including malicious software that harvests credentials, installs a backdoor onto a victim’s system, installs remote access tools, collects data, deploys ransomware and even data wipers that can cripple a business.
It’s a good news-bad news scenario. The sophistication of cybercriminal groups makes them hard to stop. Still, their tendency to invest in long-term infiltration, searching for valuable and sensitive data stores, means there are more opportunities for companies to detect their presence earlier and stop attacks before they become business-disrupting events.
And often, common security tools and processes can help identify vulnerabilities and suspicious activity and expose a threat actor’s presence in one’s environment, so the intruders can be shut down and removed from the network before damage is done.
What tools and processes can be used to identify suspicious activity?
Identification and authentication tools
Proper password protocols and multi-factor authentication (MFA), paired with controlled remote access with a Virtual Private Network (VPN) or equivalent service, can slow criminal intrusions. The slight inconvenience of MFA is one of the best defences available to the construction industry.
Phishing and Security Awareness Training
Level up employees’ understanding of cyberattackers’ most common tactics, techniques, and procedures to help the employees identify and report suspicious activity and communications.
Least privilege
Limit employee access to the data and systems required for their specific role and no more, and disable administrative rights where possible. Criminals often use stolen credentials to enter your environment, steal information or deploy damaging malware using legitimate user accounts. Disabling Remote Desktop Protocol (RDP) when it is not in use also reduces an intruder’s ability to operate remotely.
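The least-privilege and RDP advice above, as an added example that is not part of the original article or eSentire's tooling: a PowerShell audit script (assumes Windows with PowerShell 5.1 or later, run from an elevated prompt; the -DisableRdp switch name is the author's own choice) that lists who holds local administrative and remote-desktop rights, reports whether RDP is enabled, and optionally turns it off.

```powershell
# Added example (not from the article): audit local admin membership and RDP
# exposure on a Windows host, and optionally disable RDP when it is not needed.
# Assumes PowerShell 5.1+ on Windows (LocalAccounts and NetSecurity modules).
# Run from an elevated prompt; pass -DisableRdp to enforce rather than just report.
param(
    [switch]$DisableRdp   # assumed switch name; only reports when omitted
)

# 1. Who holds local administrative rights? Anything beyond the built-in
#    Administrator account and a dedicated admin group is a candidate for removal.
Write-Host "Local Administrators group members on $env:COMPUTERNAME:"
Get-LocalGroupMember -Group "Administrators" |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Is RDP enabled? fDenyTSConnections = 0 means RDP is accepting connections.
$tsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($rdpDenied -eq 0) {
    Write-Warning "RDP is ENABLED on $env:COMPUTERNAME"
} else {
    Write-Host "RDP is disabled on $env:COMPUTERNAME"
}

# 3. Who is allowed to use RDP? Members of this group (plus local admins)
#    can log on remotely, so it should contain only the accounts that need it.
Write-Host "Remote Desktop Users group members:"
Get-LocalGroupMember -Group "Remote Desktop Users" |
    Select-Object Name, PrincipalSource |
    Format-Table -AutoSize

# 4. Enforce: turn RDP off and disable the firewall rule group so the port is
#    not reachable even if the Terminal Server setting is flipped back by mistake.
if ($DisableRdp -and $rdpDenied -eq 0) {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
    Write-Host "RDP disabled and 'Remote Desktop' firewall rules turned off."
}
```

Re-running the script without the switch after enforcement confirms the change took effect; schedule it across the fleet to catch RDP that has been quietly re-enabled.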
Back-up systems and data
Many companies pay ransoms to restore encrypted data. Having properly segmented backup and fail-over systems will help your organisation recover more quickly from a ransomware attack and, if implemented properly, should enable your organisation to restore its data and files fully. Testing the backups regularly is a crucial step as threat actors will seek to encrypt backups early during their attack steps to help ensure the victim firm will pay.
Patch and update critical systems
Criminals also use known vulnerabilities to deliver malware or access your environment. It’s critical to keep systems patched and follow the vendors’ guidance in updating their solutions, especially when major vulnerabilities are reported.
Vulnerability management program
A vulnerability program should include three elements: awareness of the cyber threat landscape (e.g., from advisories, notifications, cyber news, etc.); vulnerability scanning to understand your cyber threat surface, including ‘discovering’ systems that are inadvertently exposed; and a disciplined patch management program.
Managed Detection and Response (MDR)
MDR provides 24/7 protection against attacks that evade your other defences, employing focused responders prepared to contain the attack before the criminals can achieve their objectives. If your firm does not have an internal team watching 24/7 (which usually requires 10 or more security personnel), an MDR service provider is an essential extension of your IT organisation.
Digital Forensics and Incident Response (DFIR)
Engage a DFIR provider on retainer to assist you in developing an incident response plan, provide post-incident expertise, determine the extent of exposure, ensure that any holes within your environment are closed up so threat actors cannot get back into your systems, collect forensics, preserve evidence and work with you to collaborate with law enforcement and your insurer.
While the construction and engineering industry is a prime target of cybercriminals, the headlines are often misleading. You must recognise that while large firms appeal greatly to attackers, small and medium enterprises are particularly attractive targets by comparison, because smaller businesses tend to maintain less rigour around cybersecurity.
You should also recognize that successful cyberattacks are detectable almost all of the time. Too many articles report that “everything seemed normal, and there were no signs of strange activity until we returned to the office to find our business was shut down.” The reality is that there are usually early indications that criminals are targeting your business. Identify the risks, understand the threats and be prepared for an attack.
How you prepare and respond will dictate the difference between a temporary incident with limited impact and a business-crippling attack that invalidates one’s insurance coverage (or leads to hefty premium increases), regulatory penalties and expensive and drawn-out lawsuits.
J. Paul Haynes
P.Eng.
President and COO
eSentire