Companies’ cybersecurity teams have come to recognize a routine: attacks timed to holidays, weekends, and other points when hackers think targets are more vulnerable and more willing to pay a ransom.
The trend in timing has security professionals, legal advisers, and government agencies on alert for upcoming events, including the Labor Day holiday in the U.S. The holiday weekend could attract hackers seeking to take advantage of a shift in staffing or a breakdown in communications, lawyers and cyber threat analysts say.
With attacks on the rise, cyber advisers are urging companies to practice their response to an incident in case some team members are off work or unreachable.
“Decisions that are hard to make in the heat of the moment, you can make in advance if you practice the scenario,” Lisa Plaggemier, interim director of the nonprofit National Cyber Security Alliance, said.
Cyber officials from across the federal government are on guard for potential attacks timed to Labor Day on Sept. 6, Anne Neuberger, deputy national security adviser for cyber and emerging technology, said Thursday at a White House briefing.
While there’s no specific information on threats this weekend, there is a “history” of cyber incidents hitting around holidays, Neuberger said. In addition to intelligence agencies looking out for threats, she added that the White House has called on agencies including the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation to prepare their staff and note any early signs of an incident so that they could respond quickly.
CISA and the FBI issued a cyber warning Aug. 31 advising public and private sector organizations to look out for attacks in the lead-up to Labor Day. The agencies say they’ve observed an increase in “highly impactful” ransomware attacks occurring on holidays and weekends, when offices are normally closed.
“Whether it’s holidays, weekends, or anything else that would find people in a distracted state, cybercriminals are going to take advantage of that,” Plaggemier said.
Lawyers working in cybersecurity have come to expect that long weekends will be weekends with work, according to Erez Liebermann, a former Justice Department official now at Linklaters LLP.
“Last time, it was Fourth of July weekend,” Liebermann said, referring to a ransomware attack that hit software company Kaseya Ltd. and its customers over the holiday weekend this year.
“Maybe this time, it will be Labor Day weekend,” Liebermann said. Liebermann added that he keeps an incident response binder under his laptop so that he has a hard copy of necessary information, including contacts, even if a network is down. That kind of binder should be taken on vacation, he said.
On holiday weekends, security professionals or key executives may be out on vacation, potentially slowing a company’s decision-making around a cyberattack, like whether to pay a ransom to unlock hacked systems.
“It’s put tremendous pressure on companies to be 24/7 in their detection and monitoring of anomalous activity and in their response capabilities,” said Luke Dembosky, a former Justice Department national security official who’s now a partner at Debevoise & Plimpton LLP. “Minutes matter in these attacks.”
Dembosky said he saw the holiday pattern “again and again” during his time investigating cyberattacks at DOJ. That includes the 2014 leak of information from film studio Sony Pictures, which occurred the week of the U.S. Thanksgiving holiday.
“All of us remember which holiday we were at whenever the big attack came in,” Dembosky said.
Anecdotal evidence on trends in hack timing highlights the need for more complete tracking of incidents, according to Brett Callow, threat analyst at cybersecurity company Emsisoft.
Emsisoft has cited data from David Wall, a professor at the University of Leeds, that suggests ransomware attacks are seasonal, with a spike over the summer, perhaps timed to summer vacations. Other examples from Check Point Research, which collects and analyzes cyberattack data, point to a possible preference among hackers to strike on Fridays.
“We can see that attacks are happening, we can identify the trends, but we can only guess why they’re happening,” Emsisoft’s Callow said. “There’s not enough publicly available data to fill in the blanks.”
Another ransomware attack, this one on Colonial Pipeline Co., came in early May, just before Mother’s Day weekend. The cyber advisory from CISA and the FBI noted the coincidence in timing.
“Mother’s Day struck me,” said Melissa Krasnow, a privacy and data security-focused partner at VLP Law Group LLP.
Krasnow said she regularly updates her contact list for law enforcement officials, so that her clients can easily reach out in the event of a cyberattack.
Aside from sharing contacts and coordinating time off, companies also run so-called tabletop exercises to practice their response to a cyberattack. These exercises typically involve security and legal teams, as well as crisis management firms that can handle the reputational aspects of a major incident.
“This should be part of incident response planning,” Krasnow said.
—With assistance from Courtney Rozen