Palfinger attack highlights escalation in cyber crimes
By Lucy Barnard03 August 2021
Palfinger vice president Alexander Wörndl-Aichriedler speaks to KHL’s Lucy Barnard about the severe cyber attack at the Austrian crane and access equipment manufacturer.
It was an ordinary Monday morning in January when Alexander Wörndl-Aichriedler, vice president in Austrian crane and access manufacturer Palfinger’s Global ICT division, received an urgent call.
Staff in the company’s Bergheim headquarters and elsewhere were having trouble accessing information on some of the company’s computer networks. The company had become the target of a ransomware attack.
“The very moment we had only very limited or no access at all to certain data and programmes within our IT-systems worldwide, we knew that Palfinger was under attack,” Wörndl-Aichriedler remembers. “To prevent further damage, we shut down the whole system immediately and contacted external experts as well as the police.”
For an entire week, Palfinger’s 30-plus factories and assembly locations across Europe, North America, South America and Asia remained at a standstill as the company swung into emergency mode.
“We knew that Palfinger was under attack”
Wörndl-Aichriedler and his colleagues formed a high-level emergency task force focussing on both gaining control of the company’s ICT networks as well as communicating what was happening with employees, investors and other stakeholders.
“Our efforts focused on regaining control step by step and making sure that our control was complete,” Wörndl-Aichriedler says. “As soon we became aware of the attack, we focused on securing datasets, particularly special knowledge, patents, contracts and data from partners and customers or employees [although fortunately these were not specifically targeted by the hackers].”
Palfinger, which employs 11,000 staff across 35 locations and generated revenues of €1.5bn in 2020, declined to comment on the financial hit it has taken as a result of the attack and the week-long stoppage which followed it.
However, as Wörndl-Aichriedler points out, the attack can be seen as part of a recent escalation in cyber attacks, costing businesses around the world billions of dollars.
“Since about 2020 industries, services, hospitals, infrastructure, and even government offices worldwide are being targeted much more often than ever before,” says Wörndl-Aichriedler. “We know of attacks even on dairies. So, the question is not if you will be attacked but when. And yes, it is also true that Palfinger as a global company is more prone to attacks than small local businesses.”
The rise in attacks coincides with an increase in remote working in the wake of the global pandemic which has provided criminals with more ways to worm their way into corporate networks. The rise of cryptocurrencies has also made it far easier for cyber gangs to extort money from their victims.
According to a report by computer security software company McAfee and US think tank the Center for Strategic and International Studies, cyber crime cost firms around the world around US$945 billion in 2020, an increase of more than 50% on 2018.
The most high profile attack so far this year has been an attack on the Colonial oil pipeline in the USA in May in which attackers, known to the FBI as DarkSide, demanded payment of 75 bitcoins or US$4.4m, in exchange for a software application to restore its computer network. The attack disrupted the supply of fuel to the East Coast for about a week causing fuel shortages and panic buying.
The attack, and many others like it, also formed a key area of discussion between US President Joe Biden and Russian President Vladimir Putin at their summit in Geneva in June. US officials point out that many of the criminal gangs carrying out such attacks are based in Russia, a country which, at best, continues to adopt a permissive attitude to cyber crime against western corporations and, at worst may well collude in the practice.
The number of US and European construction firms which have found themselves victims of these attacks is increasing. Recently Arup, Bouygues, BAM Construct, Bird Construction, EMCOR Group, Manitowoc and Professional Excavators and Construction have all been targeted along with dozens of other businesses, educational establishments and public bodies.
Telecommunications conglomerate Verizon found that construction and manufacturing firms accounted for 642 of the 5,250 confirmed data breaches it analysed in 2020 in its 2021 Verizon Data Breach Investigations Report.
“Companies in the construction industry industry possess valuable information including building site plans, investor/client information, and bidding information in addition to highly sensitive employee data,” says Shelby L. Mathers, manager of cybersecurity services at US accountancy firm Weaver.
Heavy machinery turning on its handlers
Most cyber attacks take one of three main forms: a “denial of service” where hackers prevent firms from accessing services or systems; a ransomware attack where a system is encrypted to prevent access to data and sometimes stolen from the network; and a “systems takeover” where an unauthorised user gains control of the computer system. Mathers even raises the possibility that in future cyber gangs could attempt to gain access to heavy machinery to cause damage or attack staff.
“From a safety perspective, the adoption of more advanced technology features at job sites, such as remote control and monitoring over equipment as well as the deployment of IoT devices, can expand the attack surface for the company,” says Mathers. “If compromised, machinery may deviate from execution plans and potentially cause injury to those onsite, damage to facilities, or potential lack of safety equipment due to supply chain compromise.”
And, as well as the terrifying prospect of heavy machinery suddenly turning on its handlers at a hacker’s behest, the potential cost of an attack can also be frightening.
According to the Ponemon Institute’s 2020 cost of a data breach study, the average cost of a data breach in 2020 was US$3.86m. Cost implications may include damage to systems and equipment, injury to personnel, replacement of materials, lost income related to inability to conduct business and construction delays, loss of reputation, and potential lawsuits.
And it doesn’t end there. There is also the time and resources that need to be dedicated to resolving and recovering from an incident, both from an operational and a reputational perspective as well as the need to reporting the attack to staff, investors and shareholders and potential investigations by law enforcement.
When Milwaukee-based crane manufacturer Manitowoc was hit by a cyber attack in June the company immediately issued a statement to shareholders, announcing that it had “promptly engaged an industry-leading third-party information technology firm and forensics specialist and legal counsel to assist in the investigation.” When asked by KHL how much these measures had cost, Manitowoc declined to comment.
And on top of all these costs there can also be the tricky question over whether to pay a ransom if it has been demanded.
Although many firms agree to pay expensive ransom demands on the understanding that they can then claim this back under their cyber insurance policies, few companies disclose publicly that they have done so. Company directors have to weigh up whether they can attempt to restore their systems from a secure data backup and whether the cyber criminals will actually give them back the stolen data as promised. Directors may also face pressure not to pay for the reason that by paying criminals they continue to make cyber attacks profitable for the criminals and encourage future attacks on themselves and others.
Canadian contractor Professional Excavators and Construction refused to pay the ransom demanded for its attack in April 2021 but said it was forced to spend more than CAN$100,000 repairing its IT systems.
“To recoup that money, we probably have to do $1m of additional work this year just to be able to cover off $100,000 in additional cost,” company president Jan Gryckiewicz told Canadian media. “Because there’s no money that changed hands between us and whoever put this ransomware out, I don’t think the RCMP will pursue anything,” he says. “Basically, it’s up to us to clean this up.”
The owners of the Colonial Pipeline paid the requested ransom within several hours of the attack but, the US Department of Justice announced that it was later able to recover 63.7 of the 75 bitcoins, accounting for around US$2.3m of the US$4.4m originally paid.
The recent increase in attacks comes despite unprecedented corporate spending on cyber security measures designed to protect companies from just such attacks.
According to online trading comparison site tradingplatforms.com, the global cyber security market is expected to grow 20% over the next two years to stand at US$158.8bn in 2023 from around US$131.8bn in revenue in 2021.
Does cyber security work?
It predicts that services, like data risk analysis, data masking, and vulnerability discovery, represent the largest and the fastest-growing sector of the market set to reach a US$61.4bn value in 2021. This figure is expected to increase by 25% to US$77.2bn in the next two years.
But, with no common standards in existence to assess how well cyber security software actually works, critics are beginning to question the point in paying for expensive security measures which still cannot prevent firms from online crime?
Like most other corporations, Wörndl-Aichriedler says that Palfinger had already invested heavily in its IT security before it was targeted.
“We run a full range of up-to-date security measures to increase protection. However, there will always be groups who will do everything they can to successfully complete their attack,” he says. “There will be attacks in the future. This we must keep in mind and be prepared.”
Mather says that having strong firewalls and installing antivirus software is still worth the investment. “These preventative measures should be considered the bare minimum requirements of an organization’s defence strategy,” she says. “Many attackers are looking for easy targets, and having layered defences in place, such as firewalls (network and host-based), intrusion detection/prevention mechanisms, anti-virus and anti-malware, email filters, etc. may slow down an attack and/or deter the attacker. Having network detection, prevention and monitoring in place can help identify attacks sooner which provides for a faster and more efficient response and ultimately minimizes the overall impact of an attack.”
However, she adds that the best way to defend against cyber attacks is to keep watch for possible dangers and put in place the right systems to mitigate the impact of any attacks (see box). “The true protection against such attacks is done before they ever happen,” Mathers says. “It is incumbent upon companies to remain vigilant in assessing evolving threats on a regular basis. There’s no silver bullet for IT Security, and we should remember that cyber security is not solely an IT issue,”
Back in Palfinger’s HQ in Bergheim, Wörndl-Aichriedler remains sanguine. “The lessons I have learned from this: For better prevention, we need to significantly expand our radar and include the darknet in our observation,” he says. “One must always expect the unexpected. You cannot rely on statistics and probability calculations. Instead, you must assume that one day you will be the victim of such an attack.”
Steps to avoid cyber attacks and mitigate their effect:These should align with industry guidance (SANS Institute, NIST, CIS, etc.)
- Ensure team members have the necessary security awareness training
- Track and manage what systems are in the technical environment(s), including both the corporate IT network as well as build sites which may contain mobile, IoT devices, and construction equipment
- Establish a protected network using a defense in depth strategy
- Keep systems updated
- Understand and manage risks from third party vendors
- Perform threat research and security assessments to ensure existing practices address all attack vectors.
- Plan for attacks. Document, implement, maintain, and trained upon Incident Response, Business Continuity, and Disaster Recovery plans and procedures
- Continuously monitor the environment for anomalies requiring response