Feds warn not to take a cyber vacation after hacking on holidays

Ahead of Labor Day weekend, the FBI and the Department of Homeland Security’s cyber arm urged companies and organizations to remain on alert for ransomware attacks. The alert follows a string of high-profile cyber incidents landing on holidays.

In a joint advisory, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said they “observed an increase in highly impactful ransomware attacks occurring on holidays and weekends — when offices are normally closed — in the United States, as recently as the Fourth of July holiday in 2021.”

Deputy National Security Advisor Anne Neuberger told reporters Thursday that while the White House does not have specific evidence of an upcoming attack this weekend, hackers often target companies over holiday weekends when security operations centers may be ill-equipped to handle such threats.

“To be clear, we have no specific threat information or information regarding attacks this weekend,” Neuberger said. “But what we do have is history.”

Earlier this year, an affiliate of the “REvil” cyber gang targeted software company Kaseya at the start of the July 4 holiday weekend, leading to the single largest ransomware attack to date.

The Russian-linked cyber criminals first gained notoriety after launching an attack on meat processor JBS during Memorial Day weekend, extorting the company for $11 million in ransom.

And just before Mother’s Day weekend, Colonial Pipeline paid a $4.4 million ransom to the DarkSide group after being forced to shut down its operations. Its pipeline, stretching from Texas to the Northeast, delivers 45% of all fuel consumed on the East Coast. The FBI later recovered $2.3 million of the ransom from DarkSide, a Russia-based hacking group that used malicious software to hold the company hostage.

After the Colonial Pipeline incident, the TSA mandated pipeline owners and operators designate “a 24/7, always available cybersecurity coordinator” – like a chief security officer – to coordinate with both TSA and CISA in the event of a cyber incident during a weekend or holiday. But there are no such requirements for a slew of critical infrastructure sectors including dams, public health and agriculture.

On Thursday, Neuberger said U.S. entities need to practice better cyber hygiene to prevent cybercriminals from taking advantage of weak defenses.

“Yes, there are attackers, but they’re leveraging vulnerabilities across the networks that we have,” she said. “We continue to see successful attacks occurring against vulnerabilities for which there are patches.”

The White House has noticed a “decrease in ransomware” in recent weeks but does not believe the U.S. is out of the woods yet, according to Neuberger.

“We think it’s an important step in reducing the risk to Americans,” Neuberger said. “But there could be a host of reasons for it. So we’re noting that trend, and we hope that the trend continues.”

According to Tuesday’s joint advisory, the following ransomware gangs have been reported to the FBI most frequently in the past month:

  • Conti
  • PYSA
  • LockBit
  • RansomEXX/Defray777
  • Zeppelin
  • Crysis/Dharma/Phobos

The agencies recommend companies practice basic cyber hygiene to protect their networks, including: creating an offline backup of data, avoiding clicking on suspicious links, updating software and using strong passwords and multi-factor authentication.

“Cybercriminals have a long history of launching cyberattacks over long weekends, holidays and events like the Super Bowl,” said Tom Kellermann, head of Cybersecurity Strategy at VMware. “They are well aware of skeleton crews that are tasked to defend during these periods and how response times will be extended. Organizations must prepare in advance by implementing proactive threat hunting, as recommended by CISA.”

Last week, President Biden demanded chief executives of some of the largest technology companies in the U.S. – including Google, Amazon, Apple, Microsoft and IBM – do more to safeguard against cybersecurity threats.

The warning followed Mr. Biden’s summit with Russian President Putin in June, at which he pressed for a crackdown on ransomware groups operating within Russian borders.