There is bad news and good news when it comes to ransomware. The bad news is that it’s destructive, pervasive and isn’t going away anytime soon. The good news (if you really want to see it) is that the problem could be a whole lot worse. While ransomware is proliferating at never-before-seen levels, threat actors are mostly looking for a quick cash grab: Infiltrate a network, hijack the information, hold it for ransom, get a quick and hefty payout — preferably in cryptocurrency — and get out.
However, bad actors can do much worse if their plan is less about money and more about creating chaos or damaging physical systems. In April 2020, one of the largest cyberattacks ever in Taiwan struck a key piece of critical infrastructure, the CPC Corporation — a state-owned petroleum, natural gas and gasoline company, and the largest gasoline supplier on the island nation. And CPC was far from alone. The next day, a privately held competitor, Formosa Petrochemical Corporation, suffered a similar attack, and several organizations working in the semiconductor industry were also hit.
While neither of the petrochemical strikes damaged production, both caused issues with revenue and payment systems, impacting the lives of Taiwanese citizens. Still, it could have been a lot worse.
The ColdLock attack
On May 4, 2020, a number of CPC gas stations throughout Taiwan suddenly found themselves unable to process payment through VIP cards or electronic apps. While CPC initially denied reports that they were the victim of a cyberattack, claiming it was nothing more than a system crash, the truth was they had been hit by ColdLock ransomware. This was a new strain of ransomware cybersecurity company Sophos called “a file-less attack. It runs from a PowerShell script where the ransomware code is directly loaded into memory and then executed, all without writing an executable file to the disk.”
Shortly after this attack, employees at oil refiner Formosa started noticing irregularities in their own networks. To prevent the attack from spreading, Formosa shut down its information technology (IT) systems.
Many of the recent, high-profile ransomware campaigns leveraged the steal, encrypt and leak method to extract payment quickly. This method is in essence no different from famous kidnappings, from the Lindbergh baby to Frank Sinatra Jr. to John Paul Getty III: take something valuable and demand a large sum of money for its “safe” return. In the cybersecurity space, this tactic was demonstrated in recent attacks such as those by criminal gang REvil on software provider Kaseya.
On its face, the ColdLock ransomware seemed less sophisticated, as there were no real financial demands, nor were there any public demands issued by a hacking group. Still, the attacks were highly targeted and effective, striking Taiwanese industries dealing with critical infrastructure. This has led many to believe that extracting money was not the goal of ColdLock. As yet, no one has claimed responsibility for the attacks, but they might have been the work of a nation-state actor — possibly China — seeking to cause mass disruptions in Taiwan.
Of course, the attacks were likely more sophisticated than they first appeared. Investigations have shown that the hackers infiltrated systems well before the attack was perpetrated. Once the attackers gained access, they installed backdoors and went to work. According to Cyberint Research, “Technical analysis of the threats deployed in these incidents identifies the initial use of a PowerShell-based loader that uses ‘reflection’ to execute a ransomware payload in memory. Subsequently, this ransomware payload encrypts both user files and databases present on local, removable and network drives. Notably however, the presence of a file check, which if found results in the ransomware process terminating, provides an effective ‘kill switch’ and could allow victims to contain or prevent the spread of this threat.”
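The two technical details the article gives about ColdLock, a PowerShell loader that uses reflection to execute its payload in memory and the absence of any executable written to disk, point defenders at PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) rather than at file-based antivirus. The following is an added detection example written for this article; it is not ColdLock's code, nor Sophos's or Cyberint's analysis tooling. It assumes script block logging is enabled and that exported events are available as plain text in a constructed "id|computer|script" format; the indicator patterns are assumptions drawn from common reflection-loading idioms, not strings taken from the ColdLock samples.

```python
"""Flag reflection-based in-memory PowerShell loading in script block logs.

Added example, not code from the article or from the ColdLock incident.
Assumes PowerShell Script Block Logging (Event ID 4104) is enabled and the
events have been exported as text lines in the constructed format
"<event_id>|<computer>|<script block text>".
"""
import re
from dataclasses import dataclass

# Indicator patterns (assumed; common reflection-loading idioms, not
# strings from the ColdLock samples).
INDICATORS = {
    "reflection_load": re.compile(
        r"\[(?:System\.)?Reflection\.Assembly\]::Load\w*\s*\(", re.IGNORECASE),
    "base64_blob": re.compile(r"FromBase64String\s*\(", re.IGNORECASE),
    "invoke_expression": re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.IGNORECASE),
    "entrypoint_invoke": re.compile(r"\.EntryPoint\.Invoke\s*\(", re.IGNORECASE),
}


@dataclass
class Finding:
    event_id: str
    computer: str
    indicators: list
    score: int


def parse_event(line):
    """Split one constructed log line into (event_id, computer, script)."""
    event_id, computer, script = line.split("|", 2)
    return event_id, computer, script


def scan_script_block(script):
    """Return (matched indicator names, suspicion score) for one script block."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    score = len(hits)
    # A reflective Assembly.Load that is fed a decoded blob or immediately
    # invokes the loaded entry point is the fileless pattern the article
    # describes, so weight that combination higher than any single indicator.
    if "reflection_load" in hits and ("base64_blob" in hits or "entrypoint_invoke" in hits):
        score += 2
    return hits, score


def scan_log(lines, threshold=2):
    """Scan exported 4104 events and return findings at or above threshold.

    The threshold keeps a lone Invoke-Expression, which admin scripts use
    routinely, from generating alerts on its own.
    """
    findings = []
    for line in lines:
        event_id, computer, script = parse_event(line)
        if event_id != "4104":  # only script block text is inspected
            continue
        hits, score = scan_script_block(script)
        if score >= threshold:
            findings.append(Finding(event_id, computer, hits, score))
    return findings


# Constructed sample events; hostnames and script text are made up.
SAMPLE_LOG = [
    "4104|WS-FINANCE-07|$b=[Convert]::FromBase64String($env:TMPDATA); "
    "$a=[System.Reflection.Assembly]::Load($b); $a.EntryPoint.Invoke($null,$null)",
    "4104|WS-HR-02|Get-ChildItem C:\\Reports | Where-Object { $_.Length -gt 1MB }",
    "4100|WS-HR-02|[Reflection.Assembly]::Load($x)",
    "4104|SRV-BUILD-01|IEX (Get-Content .\\build-helper.ps1 -Raw)",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.computer}: score={f.score} indicators={', '.join(f.indicators)}")
```

Run against the constructed sample, only the WS-FINANCE-07 event is reported: it combines a base64 decode, a reflective Assembly.Load and a direct EntryPoint.Invoke, which is exactly the in-memory execution path that leaves nothing on disk for a file scanner to catch. The build server's bare IEX is scored but stays below the threshold, and the 4100 event is ignored because the scanner only inspects script block text.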
Cyberint also suggested that the attacks could have been trial runs for larger strikes intended to cause disruptions around the time of President Tsai Ing-wen’s second inauguration.
The critical infrastructure threat
Though ColdLock was not a massive attack, nor destructive to physical critical infrastructure systems, it was a well-planned hit that impacted the daily lives of Taiwanese citizens and created economic turmoil for a short period of time. The real danger is when cyberattacks on critical infrastructure do harm to physical systems, as with Stuxnet or Oldsmar.
Given the progression of modern warfare and increasing geopolitical tensions, such as the Russian invasion of Ukraine, it’s becoming increasingly likely that nation-state actors will begin to target these necessary systems. Attacks on water and wastewater, nuclear, electrical, health care, transportation or any other critical assets can be not only disruptive, but also a risk to human life and safety.
In Taiwan, the state-run CPC is a high-value target, and the fact that several critical infrastructure companies were hit in a short time proves just how susceptible these systems can be to a motivated bad actor. As tensions between Taiwan and China have risen in recent months — China considers the island nation its territory, despite the fact that Taiwan has its own democratically elected leaders and government — cyberattacks have continued to rise. House Speaker Nancy Pelosi’s brief visit to Taiwan in August triggered what authorities called an “unprecedented” number of attacks on government websites, private companies and critical infrastructure.
Attacks like the one on CPC show why it’s so important for government agencies and private industry to protect their critical assets. Good cyber hygiene takes time and resources — resources companies often would rather spend getting goods to market — but the impact of an effective strike on critical infrastructure, especially on physical systems, can be scary to contemplate. And things will likely get worse before they get better.