Cyber-attack: the tier ones targeted by hackers – and how to protect your firm

Cyber attacks can have a significant effect, both internally and on prospects of winning work. Ian Weinfass investigates what can be done to minimise this disruption and looks at why openness and transparency are being urged in this often-secretive element of business risk.

On 4 May, Royal Bam group director of cyber security Ian Hill got a call at midnight from a member of his team, telling him Bam Construct’s systems were under attack.

Hackers had found what he describes as “a very obscure” vulnerability in the company’s website that let them access the firm’s corporate network. From there, they used tools to encrypt the firm’s files – stopping the company from accessing them. Then the hackers started sending messages, demanding payment for the firm to gain access to its own files.

This type of attack, known as a ransomware attack, is a common tactic for cyber criminals looking to exploit security flaws and extort money.

Within a four-month period this year, major contractors Bouygues UK, Bam and Interserve all fell victim to malicious actors targeting their systems. They were the first public high-profile cases of modern cyber attacks on major construction firms but, given the prevalence of technology in the industry, it is unlikely they will be the last.

Hill himself had arrived at Bam a couple of years earlier as part of the Dutch multinational’s efforts to shore up its online defence. He had previously worked at telecom business KCOM and immediately noticed the difference with construction.

“Coming to the construction industry was a bit like coming to The Wild West, compared to where I’d been,” he says. “From a heavily regulated IT company within KCOM – where there were 2,000 employees, 1,500 [of whom were] in IT – it was a different world. At KCOM, if they didn’t make 30 per cent margin in a year, they thought that was disastrous.”

The telecommunications industry was, as Hill puts it, under “constant attack”, which would prove to be good experience for his move to construction.

Fortunately for Bam Construct, Hill had recently been rolling out new defence systems for the company designed to flag suspicious activity – the kind of tools that can identify such a ransomware attack. The programme he installed, Varonis, flagged that an attack was happening on 3 May this year, which prompted his colleague’s call in the early hours of 4 May.

“These [attackers] were very serious professionals,” Hill says. “They knew what they were doing. They were deploying some very sophisticated hacking tools with particular versions. The Netwalker [ransomware tool] was custom modified specifically to target Bam.”

Although on the surface the attack demanded money from the contractor, the way it was actually carried out – with a different method of payment being created for each encrypted file – would have made it fairly difficult for the contractor to pay a large ransom and for the attackers to collect the money themselves. This made Hill suspicious about the real motive behind the attack: “This wasn’t so much about the money, it was about causing as much disruption as possible.”

The company was able to contain the threat within 24 hours but kept some systems, including its website, offline for more than a week in order to check and analyse the impact on them. A spokesman says there was a minor effect on payment systems, but the company lost no money and investigations found no evidence of data loss; the threat was contained and the contractor has since strengthened its cyber defences.

What was the motive?

But why was a £950m-turnover construction company subjected to an attack that was designed to cause maximum disruption rather than extort it for cash?

Two days after the attack on Bam Construct started, the UK’s National Cyber Security Centre and US Department of Homeland Security jointly issued a statement warning that companies involved in national responses to COVID-19 were being increasingly targeted by cyber criminals. The statement did not name construction companies as being specifically at risk but, a month earlier, Bam Construct had worked on turning the Harrogate Convention Centre into a Nightingale hospital.

On 12 May, Interserve – which had delivered Birmingham’s Nightingale hospital in April – released a statement revealing that it had been hit by a cyber attack earlier in the month. At the time, it said it was working with law enforcement to remedy the situation and had informed the Information Commissioner of the incident – a step that must be taken if it is believed that data may have been compromised. The firm declined to be interviewed for this feature owing to the incident being “part of an ongoing criminal investigation”.

A spokeswoman for the National Crime Agency, which is looking into the Interserve attack, says an investigation is ongoing and no arrests have been made.

The NEC Nightingale project. Photo: Interserve – Interserve and Bam were targeted in the same week that the government issued an announcement warning businesses across the UK that there was an ongoing significant cyber attack against companies involved in the fight against coronavirus

A spokesman for the Eastern Region Special Operations Unit Cyber Crime Unit, which is investigating the attack on Bam, says “enquiries have so far not indicated any link to the work the targeted organisation was involved with”. He adds that UK investigators are liaising with law enforcement in the United States – the country where they believe servers used for the attack were located.

But Hill says: “Interserve and Bam were targeted in exactly the same week […] we are both major developers of the Nightingale hospitals, and it was the very same week that the government issued an announcement warning businesses across the UK that there was an ongoing significant cyber attack against the companies involved in the country's fight against coronavirus. Coincidence? It could be, but I don't particularly believe in coincidences.”

It is not just in times of national crisis that firms need to be on guard against threats, however.

On 30 January, Bouygues UK and its parent company Bouygues Construction were targeted by a ransomware attack. The contractor shut down its IT systems to stop the online virus spreading. A note in the company’s latest financial results says the firm improved its IT security ahead of its systems coming back online. “There was a very low impact on the operational and commercial activity of the business. The relevant insurance policies were activated and the attack has been referred to the appropriate regulatory authorities,” it adds. Bouygues UK declined to be interviewed for this feature.

A barrier to winning bids

There is never a good time to be targeted by cyber criminals but, during an economic crisis, it can be even worse.

Cyber security expert James Gosnold points out that having your systems go down can turn a bad financial time into something more fatal. “With what companies have been through lately, another prolonged period out of business while they try to restore their data or just pay a ransom to get back online right away, might be the difference between going out of business or not,” he says.

The National Cyber Security Centre (NCSC) does not endorse the payment of ransom demands, though paying them is not illegal in the UK. The centre warns that there is no guarantee the hackers will actually restore systems they have taken offline or remove their malware, and, even if they do, they may target the same company again in the future. Nevertheless, it has been reported that some major firms in other sectors have paid to regain access to their encrypted data.

If internal disruption to finances is not enough of a cyber threat, it may also be the case that companies who cannot demonstrate high enough competency in the area could lose out when it comes to winning contracts from clients.

Gosnold now works for technology firm CloudKubed, but was previously a senior specialist at the Department for Work and Pensions.

He says competence in the field is an increasing part of public sector procurement. “If it’s someone you’re buying paperclips from, it isn’t so important, but if it’s something that is operationally critical, they are going to get a hard assessment [of a firm’s capabilities],” he tells Construction News.

This practice is not limited to the DWP.

A document circulated by chief police officers in July, seen by CN, notes: “Police forces and law enforcement agencies should consider the data security aspects of the broader supply chain when procuring both products and services.”

The warning follows a 2019 cyber attack on laboratory testing firm Eurofins – an attack that left UK police forensic capabilities severely disrupted. It is a point that contractors hoping to deliver new-build police stations may want to keep in mind.

Assurances from Crossrail

A heavily redacted report from engineering consultant Jacobs on Crossrail’s progress warned in May that some elements of the project were not performing well enough in terms of cyber security.

It said: “[Crossrail] has recognised that some of [REDACTED] are not well acquainted with cyber security regulations and that they are not equipped with the resources or the understanding to deliver the cyber security assurance that is required. The [REDACTED] need to engage with suitably experienced specialists to help produce and collate their cyber security assurance evidence.”

The major London rail scheme includes complex signalling systems, a source of some of the project’s delays. The assurance programme for signing off the whole project’s safety certification involves the approval of 200,000 documents. A Crossrail spokesman says it cannot be more specific about who Jacobs’ note was referring to but says “we are working with all tier one contractors on cyber security”.

In a statement, Crossrail chief information security officer Lee-John Allen adds: “Cyber security is an issue of increasing importance in the infrastructure sector and is now regarded as an essential requirement by railway operators and contractors. This has seen organisations across the sector further develop their cyber security capability and the protection of digital systems, incorporating this into the procurement process.”

He says that the project takes an active role with the supply chain on cyber security and that the project is working with tier ones as “they demonstrate full compliance with security requirements and deliver the assurance and safety case requirements needed for the Elizabeth line”.

Readiness for the future

Bam’s Hill is one of very few professionals within construction to speak openly about his direct experience at a firm being the target of a cyber attack, and to explain the steps he took to head it off.

He believes it is important for the industry that those affected are not secretive, but share information about attacks so that the risk of disruption for the industry as a whole can be reduced.

“I think we need to get together more as an industry to share information about cyber security,” he says, adding that he would like to set up a forum where contractors can share information. “A lot of us are in joint ventures with each other; the threat is not from each other, it’s from out there. I think the more we can share information together about the cyber threat, the stronger we will be as an industry as it will support the tenders we do and the joint ventures we’re involved in,” he says.

“We could have another attack tomorrow; this is the nature of the world we live in. But at least there are things that we can be doing as an industry, and within the context of the money available, to at least reduce the risk.”

How to avoid being a victim

Learn about the risks, and keep learning

There is a wealth of resources available online for companies to learn about defending their systems from cyber attacks, and some of that learning can be demonstrated through accreditation. Those available include National Cyber Security Centre-backed Cyber Essentials accreditations, including ISO 27001 – a gold standard for information security management.

However, CloudKubed head of security James Gosnold warns: “Security isn’t a start-and-stop activity. A lot of organisations put the work in to get audited and approved but then they go and do something else for 10 months. Having a programme of continued improvement is key.”

Update software

Cyber criminals look for weaknesses in software and apps to access sensitive data, while providers work to overcome the weaknesses to protect that data.

“Something like 90 per cent of breaches come from unpatched systems, not having the latest Windows operating system and so on,” Gosnold says. “So updating software alone will do you a lot of favours.”

Make sure staff don’t click scam links

Gosnold adds: “90 per cent of successful breaches over the last year have been from phishing links.” These are emails pretending to be from companies or individuals that include links to download malicious software instead of linking to where they appear to go. On an unpatched system, this can cause even greater damage.

Plan for the worst

“Assume breach,” Gosnold says. “What would you do if you came in tomorrow and your computer systems didn’t work? Do you have manual processes to fall back on so the business can keep going?”

The NCSC has produced a tool called the Exercise in a Box, which is designed to help businesses find out how resilient they are to cyber attacks and to practise their responses. More information can be found here: https://www.ncsc.gov.uk/information/exercise-in-a-box.

Outsource capabilities

Bam’s Ian Hill says that the telecoms company he worked for had three 24/7 security operations centres to help tackle any threats. “We don't have that capability in the construction industry, but what we do have is the ability through technology to do more automation of this stuff,” he says.

He used a specialist firm to pick up some of the workload and help investigate the implications of the attack in May. The firm brought in more technology and sniffed around “to find out what else was going on” within Bam Construct’s systems and its contract has since been extended. Hill says other companies might consider a similar approach.

Install specialist software

The attack on Bam Construct was identified by a defence tool called Varonis that had been installed on the firm’s systems just a few months before. Using artificial intelligence, it monitors systems and data for suspicious activity, and can also stop malicious software itself. “We were in the process of rolling out the automation capability, which would have actually stopped the ransomware dead in its tracks,” Hill says.

“But we hadn't got to that point in the project. We got to the point where it was alerting, but actually, if the attack had happened three months later, it would have been stopped dead in its tracks by the automation capability.”