As the war in Ukraine sadly continues, so does the potential for further escalation in kinetic hostilities. At the same time, the odds that the conflict may lead to major cyberattacks against targets beyond Ukraine’s borders seem to shorten. This has put the world on heightened alert, and one critical component of today’s digital-centric world – data centres – is no exception, as Phil Muncaster from our Security Partner, ESET, goes on to explain.
Indeed, data centres may be first in the firing line if cyber-hostilities expand beyond Ukraine. Well-timed new guidance from the UK’s National Cyber Security Centre (NCSC) has warned that “the cascading effects of a loss of service can be huge.”
Why are data centres a prime target?
Amid the pandemic and the rise of the remote worker, much attention in cybersecurity has shifted to the distributed workforce. The threats posed by an explosion in home working endpoints and an expanded corporate attack surface still remain, and must be mitigated. But that shouldn’t detract from the importance of data centre security. These strategically important hubs of computing power and data represent among the most attractive targets for advanced threat actors.
Why? Because data centres are a key link in the digital supply chain, whether they’re owned outright by a single enterprise, or host multiple customers in hubs owned by managed service providers, colocation firms, and cloud service providers (CSPs). Depending on the data centre, an attack could impact any number of critical industries, from healthcare and finance to energy and transport.
Yes, data centres are nominally better defended than many on-premises corporate IT assets, but they also represent a bigger target, and therefore a bigger payoff for attackers. Why spend time and effort attacking multiple targets when you can hit one data centre and cripple hundreds or thousands in one go?
What are the main threats?
Despite spending over £9bn (US$12bn) on security globally in 2020, data centre owners must also realize that the threat landscape is constantly evolving. In the event of a cyberattack, one likely end goal is service disruption or destruction of data. That means some of the biggest threats will be:
Malware: ESET has already detected three strains of destructive wiper malware used during just before and during the conflict so far: HermeticWiper, IsaacWiper and CaddyWiper. The first of them was deployed just hours before the invasion began, whilst IsaacWiper hit Ukrainian organizations the following day – although both had been planned for months, with code-signing certificates obtained in April last year. Although the initial access vector is unknown, these pieces of malware were written to destroy critical files.
None of these wipers, nor a fourth wiper malware targeting Ukrainian assets, WhisperGate, were focused specifically on data centres. However, a previous attack against Ukraine, in 2017, did end up causing collateral damage to data centres outside the country. NotPetya was disguised as a piece of financially motivated ransomware, but in reality, it worked like HermeticWiper to target machines’ Master Boot Record (MBR) so they could not reboot.
Distributed denial-of-service (DDoS) attacks: We’ve already seen serious DDoS campaigns against Ukrainian state banks and government websites. And officials in Kyiv have said that government sites have been under almost constant attack since the invasion began, with attacks hitting 100Gbps in some cases. DDoS could also be used to distract data center security staff while more covert destructive malware attempts are launched.
Physical threats: It may sound like the stuff of an action movie, but sabotage attacks on data centers cannot be ruled out in light of the escalating war in Ukraine. In fact, reports suggest a Swiss data hub owned by inter-banking service SWIFT was recently placed under armed guard. It’s a risk that the NCSC highlights in its new guidance:
“As a data centre owner, ask yourself if you have physically separate communications routes into the data centre, diverse power supply and back-up power options, and whether building service rooms are protected from physical attack or sabotage.”
Time to plan, and build resilience
The fact that attacks on third countries have yet to materialize doesn’t mean data centre owners are in the clear: far from it. Advanced threat groups have in the past demonstrated their skill, sophistication, and resolve, in campaigns such as the SolarWinds attacks that compromised the networks of at least nine US government agencies. Attackers can spend months readying their tooling and conducting reconnaissance. Indeed, some groups may already have achieved persistence inside some data centre IT environments.
The NCSC claims owners should focus on six key areas:
- The physical perimeter including all data centre buildings.
- The data hall, with a particular focus on access controls in shared data centres.
- Meet-me rooms should be secured with access control and screening, intrusion detection such as CCTV, entry and exit searches, rack protection, anonymisation, and asset destruction.
- People, which means driving a good security culture backed by training and awareness-raising.
- The supply chain, with risk assessments covering physical, personnel and cybersecurity risks.
- Data centre owners should optimize preventative measures, but also assume compromise and take steps to detect and respond rapidly to threats to minimise their impact.
We have a useful checklist of steps to improve cyber-resilience, including tighter access controls, prompt patching and multi-factor authentication. We all hope it won’t come to that. But even if the hostilities don’t spill over into a wider conflict, these steps will help to ensure every data center is built on secure, compliant foundations.
Defending the data center: The time to act is now | WeLiveSecurity