Know Your Enemy

Inside BlackByte and Cobalt Strike - the ransomware group and post-exploitation tool used in a recent high-profile hack, and how both pose new risks to the industrial sector.

While rogue individuals with an agenda and advanced cybersecurity skills are still prevalent, most headline-grabbing hacks are now originating from well-organized, highly talented groups or organizations. Not only does this dynamic provide access to a greater pool of talent, but it makes stopping a multi-faceted attack more difficult.

One of the most notorious of these cyber terrorist groups is BlackByte. The Ransomware-as-a-service group recently made headlines by hacking the National Football League’s San Francisco 49ers right before the league’s biggest weekend – the most recent Super Bowl.

The group was able to exploit a vulnerability in the team’s Microsoft Exchange server and implement a tool called Cobalt Strike. Users were then sent hourly ransom notes via a print bomb to all printers connected to the infected machine.

While the 49ers have downplayed the impact of the hack, it did result in the release of financial documents that BlackByte posted to a site on the dark web. No ransom demands were made public, but the amount of data actually stolen remains unknown.

The growing reach, ability and boldness of these groups should give everyone in the industrial sector pause – regardless of your role or job title. If they can access data from a billion-dollar franchise, your IP and financial data is, at least, just as vulnerable.

The good news is that we have people like Lauren Podber, Principal Intelligence Analyst at Red Canary, to help guide us in getting ahead of groups like BlackByte. Lauren and her cohorts at Red Canary specialize in managing cybersecurity endpoint detection, planning and response. She recently sat down to discuss BlackByte, the importance of having a response plan at the ready, and what hacks to look out for over the next 12-18 months.

More in Video