Cyberattacks keep growing more common, and even well-defended organizations are exposed. Last week, Hydro-Québec, the Quebec public electricity utility, was hit by a distributed denial-of-service (DDoS) attack that took its public website offline. A DDoS attack floods a site or service with requests from many sources at once until it can no longer serve legitimate users. It was one of a series of attacks by pro-Russian groups that have targeted Canadian organizations and critical infrastructure over the past few days.
In this blog post, we will explore the details of the attack on Hydro Québec - including the technical components involved and how attackers carried out their assault - as well as best practices for staying ahead of these types of attacks in the future.
In Quebec, the Port of Montreal, Port Quebec, the Laurentian Bank, the graphics card manufacturer Matrox in Dorval, and the Prévost bus company are among the organizations affected by the series of DDoS attacks. Outside of Quebec, the attacks targeted several other organizations across the country, including Prime Minister Justin Trudeau's website, the port authorities of Halifax, Nova Scotia, and Port Alberni, British Columbia.
DDoS attacks do not generally threaten the confidentiality of the victims' data; what they attack is availability. A DDoS against a company's website, web application, APIs, network, or data-center infrastructure causes downtime and prevents legitimate users from buying products, using a service, getting information, or reaching the organization at all.
There are two main reasons DDoS attacks remain a perennial problem for CISOs: they are easy and inexpensive to execute, and they can cost an organization millions of dollars in remediation costs, lost revenue, lost productivity, lost market share, and damage to brand reputation. Some of these costs are easier to quantify than others.
Figure 1 – Attacker Sends Commands to a Botnet, the Hundreds or Thousands of Bots Send Requests to the Targeted System, which is Brought Down by the Overwhelming Traffic
The pro-Russia hacker group NoName057(16) claimed responsibility for the attack, which hit the Hydro-Québec website on Thursday morning. In response, Hydro-Québec said it has a dedicated team of 300 security experts to prevent and counter cyberattacks as far as possible. The incident has nonetheless raised questions about the efficacy of such measures and about how prepared businesses are for this kind of attack.
Parts of the utility's site were still down at around 11:00 a.m., but service was restored within 24 hours of the attack. A Hydro-Québec spokesperson said no personal data was compromised. In an online post, NoName057(16) announced it was behind the attack but did not say why it had targeted Hydro-Québec. The group wrote: “Continuing our visits to Canada, the website of Hydro-Québec, the company responsible for generating and transporting electricity in Quebec, was put down.”
How was the attack carried out? A distributed denial-of-service attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of junk Internet traffic. DDoS attacks are effective because they use many compromised systems as sources of attack traffic, so the load cannot be stopped by blocking a single address. The exploited machines can include ordinary computers as well as other networked resources such as IoT devices. At a high level, a DDoS attack is like an unexpected traffic jam clogging a highway and preventing regular traffic from reaching its destination.
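The "many sources, each sending a modest amount of traffic" property is what makes a botnet flood hard to spot with per-client rules alone. The script below is an added example written for this post, not code from Hydro-Québec or from the original article: it parses web-server access logs in the common combined format, counts requests per 10-second window, per source address and per path, and flags a window as a flood when the aggregate exceeds a threshold even though no single address exceeds the per-IP limit. The log lines are constructed inline (documentation address ranges 203.0.113.0/24 and 198.51.100.0/24), and the thresholds are illustrative assumptions rather than values from any real deployment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format line, e.g.
# 203.0.113.10 - - [13/Apr/2023:03:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def window_start(ts, window_s):
    """Align a timestamp to the start of its fixed-size window (epoch seconds)."""
    epoch = int(ts.timestamp())
    return epoch - epoch % window_s


def analyse(lines, window_s=10, per_ip_limit=50, aggregate_limit=200):
    """Count requests per window, per source IP and per path, and flag floods.

    Thresholds are illustrative assumptions; in practice derive them from the
    service's own baseline. A window is flagged as a flood when its total exceeds
    aggregate_limit even if no single IP exceeds per_ip_limit, which is exactly
    the pattern a botnet-driven DDoS produces.
    """
    totals = Counter()
    by_ip = defaultdict(Counter)
    by_path = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        w = window_start(rec["ts"], window_s)
        totals[w] += 1
        by_ip[w][rec["ip"]] += 1
        by_path[w][rec["path"]] += 1

    findings = []
    for w in sorted(totals):
        noisy = {ip: n for ip, n in by_ip[w].items() if n > per_ip_limit}
        findings.append({
            "window_start": w,
            "total": totals[w],
            "distinct_sources": len(by_ip[w]),
            "noisy_sources": noisy,                 # what a per-IP rate limit would catch
            "top_path": by_path[w].most_common(1)[0],
            "flood": totals[w] > aggregate_limit,   # needs the aggregate view
        })
    return findings


def build_sample_log():
    """Constructed log: two normal clients browse for 20 s; from t=10 s, 40 bot
    addresses each send 8 requests to "/". No single bot exceeds the per-IP limit."""
    base = datetime(2023, 4, 13, 3, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset_s, path):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')

    for ip in ("203.0.113.10", "203.0.113.11"):     # legitimate users
        for s in range(0, 20, 2):
            add(ip, s, "/outages")
    for host in range(1, 41):                        # botnet members
        for s in range(10, 18):
            add(f"198.51.100.{host}", s, "/")
    return lines


if __name__ == "__main__":
    for f in analyse(build_sample_log()):
        print(f"window {f['window_start']}: {f['total']} requests from "
              f"{f['distinct_sources']} sources, noisy={len(f['noisy_sources'])}, "
              f"top path={f['top_path']}, flood={f['flood']}")
```

Run against the constructed log, the first window shows 10 requests from 2 sources and no flood; the second shows 330 requests from 42 sources with an empty `noisy_sources` map and `flood` set, because every bot stays under the per-IP limit. That is the reason DDoS mitigation relies on aggregate rate and path statistics, and on upstream scrubbing or filtering, rather than on blocking individual addresses.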
An important takeaway is the need for a comprehensive incident response plan. With a plan in place, teams can respond in a structured and efficient manner, reducing the risk of further incidents and minimizing the impact of the one under way. Finally, a thorough post-incident analysis is essential to identify the root cause and make improvements where needed. Organizations that act on these takeaways are better placed to prepare for and respond to future incidents.
When a cyberattack strikes, it is vital to have a plan for how to respond. For an intrusion, the first step is usually to isolate the affected systems from the network to prevent further damage; for a DDoS, where the whole point is to keep the service reachable, containment instead means filtering or rate-limiting the attack traffic, usually with help from the upstream provider or a scrubbing service, rather than taking systems offline. Next, gather as much information as possible about the attack, including how it occurred and whether any data may have been compromised. Notify the appropriate parties, including IT personnel, law enforcement, and affected customers or partners. From there, contain and eradicate the attack, assess the damage, and restore any lost data or systems. Learning from the attack and improving your security measures accordingly helps prevent future incidents.
An incident response playbook provides a standardized response process for cybersecurity incidents and walks through the phases defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 Rev. 2: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Here is an excellent resource for understanding how a DDoS attack IR Playbook should be created - https://www.incidentresponse.org/playbooks/ddos
Hydro-Québec's experience is a cautionary tale and a reminder of the importance of cybersecurity. Organizations must prioritize security even with finite resources, because threats are more sophisticated today than ever. Preparing for, defending against, and responding to cyberattacks requires expertise, resources, and understanding. The lesson from Hydro-Québec is that businesses need to be proactive in their cybersecurity decisions: acknowledging the risks, understanding them, and mitigating them properly.
Organizations must protect themselves from data compromise, whether it stems from negligence or from malicious intent. Providers such as Hitachi Systems Security can offer advanced protection in preparation for such incidents, reducing both the likelihood and the impact of a breach.