Cyberattacks on data centers may end up being everyone’s problem – Phil Muncaster, a guest writer for ESET, explains how prepared data center operators are for the increased risk of cyber-attacks.
As the war in Ukraine continues, so does the potential for further escalation in kinetic hostilities. At the same time, the odds that the conflict may lead to major cyberattacks against targets beyond Ukraine’s borders seem to shorten. This has put the world on heightened alert, and one critical component of today’s digital-centric world – data centers – is no exception.
Indeed, data centers may be first in the firing line if cyber-hostilities expand beyond Ukraine. Well-timed new guidance from the UK’s National Cyber Security Centre (NCSC) has warned that “the cascading effects of a loss of service can be huge.”
Why are data centers a prime target?
Amid the pandemic and the rise of the remote worker, much attention in cybersecurity has shifted to the distributed workforce. The threats posed by an explosion in home working endpoints and an expanded corporate attack surface still remain, and must be mitigated. But that shouldn’t detract from the importance of data center security. These strategically important hubs of computing power and data are among the most attractive targets for advanced threat actors.
Why? Because data centers are a key link in the digital supply chain, whether they’re owned outright by a single enterprise, or host multiple customers in hubs owned by managed service providers, colocation firms, and cloud service providers (CSPs). Depending on the data center, an attack could impact any number of critical industries, from healthcare and finance to energy and transport.
Yes, data centers are nominally better defended than many on-premises corporate IT assets, but they also represent a bigger target, and therefore a bigger payoff for attackers. Why spend time and effort attacking multiple targets when you can hit one data center and cripple hundreds or thousands in one go?
What are the main threats?
Despite spending US$12bn on security globally in 2020, data center owners must also realize that the threat landscape is constantly evolving. In the event of a cyberattack, one likely end goal is service disruption or destruction of data. That means some of the biggest threats will be:
Malware: ESET has already detected three strains of destructive wiper malware used just before and during the conflict so far: HermeticWiper, IsaacWiper and CaddyWiper. The first of them was deployed just hours before the invasion began, whilst IsaacWiper hit Ukrainian organizations the following day – although both had been planned for months, with code-signing certificates obtained in April last year. Although the initial access vector is unknown, these pieces of malware were written to destroy critical files.
None of these wipers, nor a fourth wiper malware targeting Ukrainian assets, WhisperGate, were focused specifically on data centers. However, a previous attack against Ukraine, in 2017, did end up causing collateral damage to data centers outside the country. NotPetya was disguised as a piece of financially motivated ransomware, but in reality, it worked like HermeticWiper to target machines’ Master Boot Record (MBR) so they could not reboot.
Distributed denial-of-service (DDoS) attacks: We’ve already seen serious DDoS campaigns against Ukrainian state banks and government websites. And officials in Kyiv have said that government sites have been under almost constant attack since the invasion began, with attacks hitting 100Gbps in some cases. DDoS could also be used to distract data center security staff while more covert destructive malware attempts are launched.
Physical threats: It may sound like the stuff of an action movie, but sabotage attacks on data centers cannot be ruled out in light of the escalating war in Ukraine. In fact, reports suggest a Swiss data hub owned by inter-banking service SWIFT was recently placed under armed guard. It’s a risk that the NCSC highlights in its new guidance:
“As a data center owner, ask yourself if you have physically separate communications routes into the data center, diverse power supply and back-up power options, and whether building service rooms are protected from physical attack or sabotage.”
Time to plan, and build resilience
The fact that attacks on third countries have yet to materialize doesn’t mean data center owners are in the clear: far from it. Advanced threat groups have in the past demonstrated their skill, sophistication, and resolve, in campaigns such as the SolarWinds attacks that compromised the networks of at least nine US government agencies. Attackers can spend months readying their tooling and conducting reconnaissance. Indeed, some groups may already have achieved persistence inside some data center IT environments.
The NCSC claims owners should focus on six key areas:
- The physical perimeter including all data center buildings.
- The data hall, with a particular focus on access controls in shared data centers.
- Meet-me rooms should be secured with access control and screening, intrusion detection such as CCTV, entry and exit searches, rack protection, anonymization, and asset destruction.
- People, which means driving a good security culture backed by training and awareness-raising.
- The supply chain, with risk assessments covering physical, personnel and cybersecurity risks.
- Data center owners should optimize preventative measures, but also assume compromise and take steps to detect and respond rapidly to threats to minimize their impact.
We have a useful checklist of steps to improve cyber-resilience, including tighter access controls, prompt patching and multi-factor authentication. We all hope it won’t come to that. But even if the hostilities don’t spill over into a wider conflict, these steps will help to ensure every data center is built on secure, compliant foundations.