Feds Disrupt Cyberattack Aimed at Pacific CommunicationsTarget Was Submarine Cable Servers Covering 95% of Regional Telecommunications
Federal agents blocked a cyberattack launched against a submarine cable in Hawaii that provides phone and internet services to several countries, an investigative branch of the U.S. Department of Homeland Security says.
The Homeland Security Investigation agents say an unnamed Oahu-based private company that manages the cable was targeted by an international hacking group, but did not provide more details on the nationality or other specifics of the actors. Still, a suspect is in custody, according to a news report in the Honolulu Star Advertiser.
"This is only one of the many examples of cyber incidents that HSI has responded to in Hawaii and the Pacific Region," HSI Special Agent in Charge John F. Tobon told the Star Advertiser. "Not only do we aggressively pursue these bad actors, but we also provide significant support to the private sector victims."
According to Tobon, disruption of the attack happened before any significant damage was done, however, they were able to collect credentials that allowed access to the systems.
Law enforcement officials were able to successfully interfere with the attack after "out-of-state colleagues" identified the unfolding attack, then blocked access that would have allowed the threat actor to do significant damage, the news report says.
The cables are part of operational technology, which is used to sustain connections for the Pacific regions, including for Japan, Australia and mainland U.S. This map illustrates the various submarine cables that are present across the world, and more than a dozen run across the Pacific Ocean.
Some security experts say that if the actor had been successful in the attack, it could have marked an act of war.
Risks to OT
The underwater cable systems are part of the OT that supports the telecommunications critical infrastructure. Due to the language in the news report, some experts say that the breach was on the servers and likely did not damage the cables.
Still, if the threat actors had been successful, damage such as a massive statewide blackout, data leaked from the servers or worse could have occurred.
Roya Gordon, former intelligence specialist for the U.S. Navy and former cyberthreat intelligence lead for OT and critical infrastructure at Accenture, tells Information Security Media Group some of the possibilities.
"If the attackers were able to successfully carry out this or a similar attack on the trans-Pacific undersea cables, as well as impact the redundant network routes, a communications blackout for the entire state is entirely possible," she says. "Other potential impacts could be invasions into privacy of the communications traversing the cable, or the cable operators being held for ransom. Having the power to isolate an entire state from the rest of the country or world also holds value to terrorists or other threat actors."
Gordon, currently a security research evangelist for Nozomi Networks, says that 95% of communications are facilitated by these underwater cables, according to a study by the Atlantic Council in 2021.
The outcome could have been comparable to the Colonial Pipelines cyberattack, which shut down critical gas pipelines on the U.S. East Coast, leading to a gasoline shortage, says Eric Byres, CISA ICS advisor and CTO of ICS software cybersecurity firm aDolus Technology.
"The loss of supporting servers can result in the shutdown of an entire system. And that is the typical impact of these types of attacks. The extended shutdown of a key part of the national infrastructure, either for financial crime reasons like ransomware or military and political reasons, like we have seen in Ukraine over the past decade," Byres says.
Criminal Identity and Motivation?
A few observers have already noticed the news report includes very few details, including a lack of information on the arrest, the nationality of the cybercriminal, motivation of the crime and other details typically released by government agencies.
HSI says it will not be releasing additional specifics of the cyberattack due to the ongoing investigation.
ISMG contacted HSI for comments. A spokesperson responded, but comments were not immediately available upon publication.
Mike Hamilton, former CISO for the city of Seattle, says the unspecified details in the report could be because the cybercriminals committed an opportunistic attack, rather than one planned over time. The attack, had it been successful, could have had major repercussions, he says.
"If the attack had succeeded, there may have been significant disruption to not only the Hawaiian population but the critical military installations we have there - Pearl Harbor, for example," he says. "While this may not have been intended to disrupt military communication, it would have appeared as an act of war. That actor should be glad that he or she was stopped before that happened and that perception was created."
Preparation During Geopolitical Instability
While much about the cybercrime is speculation at this moment, during tensions between the U.S. and Russia amid the Russia-Ukraine crisis, security teams have been on high alert.
Government agencies, such as the FBI, CISA and DHS, have continued to advise mitigation steps to reduce risk. Critical infrastructure, such as the telecommunications sector, has been a target in the past by nation-state actors.
aDolus Technology's Byres says that following CISA's guidance of implementing multifactor authentication following this attack is more critical than ever.
"Accessing control by just using passwords is 1980s security and is too easy for an attacker to bypass. Instead, companies need to make sure that access is controlled by something the user knows, such as a password, plus something in their physical possession, such as a smartcard or phone."
Hamilton, currently CISO for incident response firm Critical Insight, says there are certain lessons that security teams can keep in mind.
"The learnings from this event should include a resilience plan for loss of main communication channels - for example, satellite backup as a last resort - because it's known that Russian specially fitted submarines have the capability to surveil undersea cables. They also have the capability to sever them. In this time of geopolitical instability, it’s a good time to review communication resilience," Hamilton says.
Nozomi Networks' Gordon reminds organizational leaders that incidents such as this can happen at a moment's notice.
"Be agile and remember that all of our critical infrastructure is under constant attack from various threat actors, many of which don’t even understand the downstream hardware connected to the servers they're attacking. CISOs should already know that things can go sideways in a moment's notice, due to circumstances beyond their control. Organizations should continue to engage with partners and suppliers, educate staff, prepare for the inevitable, and follow established best practices."
This is a developing story, and it will be updated when more information becomes available.