Security comment re NCSC report of ongoing cyber attacks against multiple CNI companies

The UK’s National Cyber Security Centre (NCSC) has issued an advisory warning that it is aware of an ongoing attack campaign against multiple companies involved in the Critical National Infrastructure (CNI) supply chain. These attacks have been ongoing since at least March 2017. Here’s a link for ease:


Responding to this, Chris Day – Chief Cybersecurity Officer of Cyxtera has said, “The ongoing threat to the UK’s critical national infrastructure (CNI) supply chain demonstrates the persistence and motivation of nation state threat actors. Organisations must step up their game by defending against tactics prevalent in these attacks, like watering holes and phishing, using both offense and defence-oriented approaches.


“Since watering hole attacks exploit trusted third-party sites, they can be difficult to detect and defend against. Once an adversary gains access, lateral movement in the victim’s network becomes easy. Start by applying a ‘Zero Trust’ approach to your security mindset; meaning, treat all traffic as suspicious. You must be instrumented to mitigate unsafe browsing and block zero-day threats in real time. Behavioural analytics should be employed so you can identify suspicious activity, regardless of how the attack is carried out.


“Organisations must also vigilantly defend against spear-phishing attacks by blocking fraudulent messages and removing websites that support malicious campaigns. In the case of the CNI attacks, adversaries used spear phishing to steal CVs, set up a malicious fileserver, and harvest NTLM hashes to authenticate to servers without having actual passwords. This highlights the need to enforce identity-centric access policies at the network level. Users should only be able to access resources they are authorised to access, when they are authorised to use them.”


“Finally, because the stakes are so high with CNI, organisations should take the extra step to perform adversary simulation. This allows you to model advanced persistent threats from inside your infrastructure and evaluate how your security team will react.”
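The NTLM hash harvesting described above relies on an internal host being induced to authenticate to an attacker-controlled fileserver outside the organisation. The script below is an added example, not code from the NCSC advisory or from Cyxtera: it scans constructed firewall log lines (the `src=/dst=/dport=` format and the RFC 1918 internal ranges are assumptions) and flags outbound SMB/NetBIOS connections from internal hosts to external addresses, allowed or denied, which is the network-level signal a defender would hunt for after such a campaign.

```python
import ipaddress
from typing import Dict, List

# Constructed sample firewall log lines (not from the advisory). Assumed format:
# "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> action=<allow|deny>"
SAMPLE_LOGS = """\
2017-04-03T09:12:01Z src=10.20.1.15 dst=10.20.5.2 dport=445 proto=tcp action=allow
2017-04-03T09:12:07Z src=10.20.1.15 dst=203.0.113.7 dport=445 proto=tcp action=allow
2017-04-03T09:12:09Z src=10.20.1.22 dst=198.51.100.9 dport=443 proto=tcp action=allow
2017-04-03T09:13:44Z src=10.20.1.30 dst=203.0.113.7 dport=139 proto=tcp action=deny
2017-04-03T09:14:02Z src=10.20.1.15 dst=203.0.113.7 dport=80 proto=tcp action=allow
"""

# Assumed internal address space (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# SMB over TCP (445) and NetBIOS session service (139): an outbound connection on
# these ports is how a leaked NTLM challenge-response reaches an external fileserver.
SMB_PORTS = {139, 445}


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a field dictionary; the first token is the timestamp."""
    tokens = line.split()
    fields = {"ts": tokens[0]}
    for token in tokens[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def find_external_smb(log_text: str) -> List[Dict[str, str]]:
    """Return events where an internal host tried SMB/NetBIOS to an external address.
    Denied attempts are kept: a blocked connection still shows a host was induced
    to authenticate outbound, which is worth investigating."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        try:
            src, dst, port = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"]), int(ev["dport"])
        except (KeyError, ValueError):
            continue  # malformed line; skip rather than crash the sweep
        src_internal = any(src in net for net in INTERNAL_NETS)
        dst_internal = any(dst in net for net in INTERNAL_NETS)
        if port in SMB_PORTS and src_internal and not dst_internal:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_external_smb(SAMPLE_LOGS):
        print(f"{ev['ts']} {ev['src']} -> {ev['dst']}:{ev['dport']} ({ev['action']}) possible NTLM leak to external fileserver")
```

In production the same logic belongs in an egress firewall rule that denies TCP 139/445 outbound and a SIEM alert on any attempt, so the credential never leaves the network and the phished host is identified.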