Commentary & Insights

One PC from disaster: Zaun’s cyber security lesson

A UK-based manufacturer of security fencing recently found itself targeted by a Russia-linked ransomware group that managed to exfiltrate data from its systems. Given the company’s clientele, which includes British government entities*, the fact that the attackers failed to encrypt its systems is of little consequence.

This incident highlights several pertinent issues that asset-intensive organisations, the British security services in this case, should be concerned about, including:

  • Cyber supply chain risk
  • The direct risk to physical assets resulting from a data breach

Despite Zaun’s efforts to downplay the impact of the breach, asserting that “Full details of all our products are also available on our website and available for unrestricted purchase,” and that they only “believe” 10GB of data was taken, possibly limited to the vulnerable PC, 10GB of data can still hold significant value for an adversary.

It offers little comfort to customers, including the British military and intelligence agencies, that some of Zaun’s assets are “on public display and in the public domain,” especially considering that their website showcases work installed within the perimeters of high-security facilities.

Typical client data held by suppliers

While the specifics of what was leaked remain unknown to the public, it wouldn’t be unusual for an organisation involved in manufacturing infrastructure like Zaun to possess information such as:

  • Plans and details regarding restricted areas of customer assets – valuable for adversaries planning physical attacks.
  • Details about the inner workings and locations of specific technology not publicly available, such as the technical aspects of sensors like seismic analysers – advantageous to adversaries seeking to disable protection prior to a physical attack.
  • Information about interconnected third-party systems – useful for adversaries looking to identify and exploit vulnerabilities in third-party alarm monitoring or electronic access control systems, and more.
  • Client-specific or custom measurements not easily discernible from a simple inspection of an asset, such as the depth of footings – valuable to adversaries wanting to compromise the asset physically or bypass it through an unseen entry point.

(To be absolutely clear: we are not suggesting that Zaun had any of the above-mentioned information compromised).

For asset-intensive organisations, this incident underscores the importance of demanding and verifying cyber security measures from third-party suppliers.

For all organisations, whether they are suppliers or not, this incident highlights why cyber security is crucial, even for seemingly inconspicuous devices. It all begins with understanding what requires protection and cultivating a workforce that is cyber-aware and cyber-literate enough to identify potential risks early.

Identifying potentially risky IT assets

Zaun has attributed the exposure to a “rogue” PC that was running an unsupported operating system, necessary to operate a manufacturing machine.

Outdated, unsupported technology is not uncommon in industrial settings, including manufacturing. Moreover, IT teams responsible for cyber security are not always aware of its existence.

In circumstances like these, non-IT team members can potentially aid in mitigating cyber-attacks by collaborating with IT teams. Consider the following:

  • Are you aware of equipment, such as a PC or other device used to operate machinery, that has never been taken offline for maintenance, or at least not for a year or more?
  • Do you occasionally need to reboot or update such equipment yourself, with the option to ignore or postpone the task?
  • Does this equipment lack an asset ID tag, even though other company-issued devices like phones and laptops have them?

If any of these points resonate with your situation, don’t hesitate to get in touch with your IT teams promptly to ensure that the device is included in their asset register.
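As an added example (not from the original article or from Zaun), here is a small Python triage script that applies the checklist above to an asset inventory: it flags devices running an operating system past its end of support, devices not taken offline for maintenance in over a year, devices whose updates can be postponed, and devices with no asset ID tag. The end-of-support dates and the sample assets are illustrative placeholders to be replaced with your own data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Vendor end-of-support dates used to flag unsupported operating systems.
# Illustrative values for this example; verify against the vendor's lifecycle pages.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

@dataclass
class Asset:
    name: str
    os: str
    last_maintenance: Optional[date]  # None: never taken offline for maintenance
    asset_tag: Optional[str]          # None: no company asset ID tag
    updates_deferrable: bool          # operator can ignore or postpone updates

def risk_flags(asset: Asset, today: date) -> list:
    """Return the checklist items this asset trips (empty list if none)."""
    flags = []
    eos = END_OF_SUPPORT.get(asset.os)
    if eos is not None and eos <= today:
        flags.append("unsupported-os")
    if asset.last_maintenance is None or today - asset.last_maintenance > timedelta(days=365):
        flags.append("no-maintenance-12m")
    if asset.updates_deferrable:
        flags.append("updates-deferrable")
    if not asset.asset_tag:
        flags.append("no-asset-tag")
    return flags

def triage(assets, today: date) -> dict:
    """Map asset name -> flags for every asset with at least one flag, most flags first."""
    flagged = [(a.name, risk_flags(a, today)) for a in assets]
    return dict(sorted((nf for nf in flagged if nf[1]), key=lambda nf: -len(nf[1])))

# Constructed sample inventory; not real Zaun data. The first entry models a
# machine-control PC of the kind described in the article.
SAMPLE_ASSETS = [
    Asset("CNC-PANEL-01", "Windows 7", None, None, True),
    Asset("CNC-PANEL-02", "Windows 10", date(2024, 3, 1), "ZN-0412", False),
    Asset("LAPTOP-44", "Windows 11", date(2024, 9, 15), "ZN-0907", False),
]

if __name__ == "__main__":
    for name, flags in triage(SAMPLE_ASSETS, date(2024, 10, 1)).items():
        print(f"{name}: {', '.join(flags)}")
```

Any device that appears in the output is a candidate for the IT asset register; a device that trips all four checks, like the first sample entry, is the profile the article describes.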

Remember, an organisation cannot protect what it cannot see. Vigilance and collaboration are pivotal in defending against cyber threats in today’s interconnected world.

* Reports of British Ministry of Defence and related services data being leaked first appeared in the Mirror.
