Making sense of ongoing cyberattacks and the villains responsible is overwhelming professionals in government and business alike.
The FBI has told victims that it may not respond to them because of how large the pool of potential victims is growing in the wake of vulnerabilities in the widely used software Apache Log4j.
The FBI on Wednesday directed people who think they may be victims of hackers leveraging the Log4j problem to report such incidents to the agency, even if the FBI and the Cybersecurity and Infrastructure Security Agency do not have the time to respond.
“Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat,” the FBI said in a statement. “As always, we stand ready to assist impacted entities.”
The Log4j chaos is a top priority for the government because of the long list of potential victims and the powerful adversaries leveraging the hack for future attacks. Industries including electric power, water, food, transportation and manufacturing are vulnerable, according to the cybersecurity firm Dragos.
CISA Director Jen Easterly told CNBC on Thursday that the federal government did not know the vulnerability’s origin, but she urged “everyone” to assume they were exposed until they learn otherwise.
Private cybersecurity companies say they have observed hackers backed by hostile nations such as China and Iran exploiting the vulnerability. Others said they saw North Korea and Turkey participating.
The cybersecurity firm Mandiant, among those observing the Iranian and Chinese hackers, said it expects more countries to join the fracas soon if they haven’t already.
The cyberbreaches have put paychecks in jeopardy ahead of the gift-giving holiday season, caused chaos for a school in the middle of exams and hit government entities. The frequency and scope of such attacks may get even worse.
The White House said Thursday that companies need to reset passwords, patch vulnerabilities in their networks and have enough information technology staffers to deal with hackers who “lie in wait” for the right time to attack.
Anne Neuberger, White House deputy national security adviser for cyber and emerging technology, and National Cyber Director John C. Inglis sent a memo urging business leaders to take steps now.
“Unfortunately, malicious cyber actors are not taking a holiday — and they can ruin ours if we’re not prepared and protected,” Ms. Neuberger and Mr. Inglis wrote. “Historically we have seen breaches around national holidays because criminals know that security operations centers are often short-staffed, delaying the discovery of intrusions.”
While the federal government tries to get its arms around Log4j, cyberattackers are disrupting operations at hospitals, government offices, transportation agencies and schools across the country.
A ransomware attack hitting Kronos Private Cloud, human resources software, has disrupted how Ascension All Saints Hospital in Racine, Wisconsin, is paying its employees, according to The Journal Times in Racine.
The cyberattack also knocked down the timekeeping system of New York City’s Metropolitan Transit Authority on Monday, according to the New York Post. The same cyberattack has disrupted the government of Prince George’s County in Maryland, The Washington Post reported.
A spokesperson for UKG, which operates the Kronos Private Cloud, did not answer whether the cyberattack resulted from a Log4j vulnerability. The spokesperson said in an email that the company has informed authorities and is working with cybersecurity experts.
In a statement on its website Thursday afternoon, UKG said “it may take up to several weeks to fully restore system availability.”
A ransomware attack shut down websites for Virginia legislative agencies this week, and Mandiant said it was engaged with the state surrounding the problem.
George Washington University has experienced multiple cybersecurity problems involving the law school and the university’s online time reporting system in the past week. The law school’s dean said in a video message Monday that the MyLaw platform was compromised, which added stress for students taking exams.
A separate incident may have compromised students’ names, campus IDs and school email addresses, according to The GW Hatchet, the school’s student newspaper.
Despite the chaos this month, cybersecurity professionals are not confident that the number of cyberattacks has changed. Some cybersecurity experts, however, have noticed changes in the criminal attackers and their behavior.
Brett Callow, an Emsisoft threat analyst, said he has observed the beginnings of a shift from noisy ransomware operations to silent operations from attackers looking to avoid law enforcement attention.
The cybercrime intelligence firm Intel 471 said Thursday that lesser-known ransomware variants supplanted more notorious attacks that gained attention in the first half of the year as critical American infrastructure was targeted.
The FBI told The Washington Times in June that it was investigating “about a hundred different variants” of ransomware responsible for dozens to hundreds of attacks. The number was up from a handful of variants a year or two earlier.
If the early indications are accurate, the number of ransomware variants wreaking havoc is about to grow.
• Tom Howell Jr. contributed to this report.