Published On: Tue, Sep 6th, 2022

Lack of management facilitated cyber attack on GEBE

PHILIPSBURG — Aurora InfoTech submitted a report to utilities company GEBE about the circumstances that led to the Blackbyte ransomware attack on the company on March 17. Its findings are at times staggering. “One needs only to look at the cabling at the rear of the equipment racks in the IT-room to better understand the network’s lack of management and upkeep,” the report states.

That’s a nice way of saying that GEBE’s network was in a shambles in the run-up to the ransomware attack. Aurora’s 48-page report reveals the weaknesses of GEBE’s IT-systems and provides a detailed insight into the way cyber criminals like the Blackbyte group operate. Highly technical stuff for computer nerds.

The report also contains down to earth observations that show how Blackbyte managed to hold the utilities company hostage. “In our professional opinion the cyber attack was successful due to the organization’s lax security posture at the time,” the Aurora-report states. “There was little security protection on the servers or the Fortinet firewalls, because the FortiGuard Security subscription had expired.” In other words: GEBE was asking for problems and that is exactly what it got.

Aurora warns that GEBE has to remain extra vigilant because 80 percent of organizations that experience a cyber attack are more likely to experience a repeat-attack.

The March 17 cyber attack hit 55 servers and 168 workstations at GEBE, including the enterprise resource planning system and its data backup solution, the Microsoft Data Protection Manager.

GEBE made the cyber attack public and refused to pay a ransom. Blackbyte retaliated by publishing samples of GEBE-data on its Tor.Onion auction website. Aurora has installed monitoring software and discovered that so far, the credentials of 93 GEBE-employees have been exposed on the dark web.

By now, Aurora has implemented a layered security approach, using various tools that are monitored around the clock by its Security Operations Centers. Since March 24, these SOCs have detected more than one million threats to GEBE’s network and they have hunted down 778 threats. “Any of these possible threats could have been a repeat of the cyber attack,” the report states.

Blackbyte was formed in July 2021. The organization increasingly attacks unpatched internet-facing infrastructures such as Microsoft Exchange Server. The origin of Blackbyte is currently unknown through it is most likely based in Eastern Europe or Russia. Aurora warns that Blackbyte attacks “outdated, undermaintained and unsecured editions of the Microsoft Exchange Server dating back to the 2013, 2016 and 2019 editions of this mail server software.

That GEBE’s IT-infrastructure came under attack is not surprising. Aurora points out that the information needed to attack GEBE’s online resources such as IP address information for its network and mail servers was readily available on the public internet through a DNS-search. “Probing the IP address would have resulted in a welcome banner from GEBE’s Microsoft Exchange Server with critical information such as the software version number.”

Aurora found that GEBE’s IT-department used the same local administrator account and password on all computers within its environment and that it had not applied security-updates on the on-premise Microsoft Exchange Server against certain vulnerabilities. There is also no security awareness training for the staff.

A review of the company’s Microsoft 365-users after the cyber attack showed that there are still user accounts with unchanged passwords, that there are still users with multiple accounts and that there are also questionable or unknown user accounts on the system. Aurora has pointed this out, but no action was taken.

Aurora furthermore requested exclusive access and control of the Fortinet firewalls. GEBE agreed, but it never issued a mandate. “To this day others are implementing changes to the firewalls that are not in line with cyber security best practices,” the report states. “This puts the organization at risk.”

The report is highly critical of GEBE’s IT-department. Currently there is no director in place, the skillset of its employees is not up to par, knowledge and skillsets are compartmentalized, there is a lack of established and documented policies and procedures and decisions are taken on an ad-hoc basis. Tasks are executed based on current knowledge and this may be not in line with best practices.

The question is of course whether GEBE has learned something from the detrimental effect of the cyber attack on its business. The Aurora-report places a big question mark behind this question. It found “an apparent willingness to return to old times and to push back against security” and an unwillingness to implement critical security measures such as  multifactor authorization on the Microsoft 365 environment. The IT-department still lacks formal IT-training as well as an overall understanding of cyber security.

Aurora also mentions “an alarming practice:” the fact that GEBE has provided staff with computers for personal use. These users have full administrative privileges and are free to install whatever software they wish. Aurora sent an email to GEBE about this situation but it did not receive a response.


Related articles:
MP Gumbs Requests Question Hour to Receive Answers about GEBE’s ongoing cyber-attack woes
NV GEBE takes another two weeks to consider disconnections (Updated with Commentary)
MP De Weever: Issues at GEBE a matter of national security now
Parliament has no authority over GEBE