Ransomware tabletop exercises confront participants with an attack scenario, offering them a way to test and improve their organization’s readiness and response capabilities.
During this month’s Infosecurity Europe conference, CSO took part as a media advisor to a blue team, pitched against a red team of attackers in a ransomware tabletop simulation focused on the water industry. The “Operation 999” exercise was devised and run by cybersecurity vendor Semperis, a specialist in protecting Active Directory (AD) and hybrid identity environments.
Each team was made up of seven participants from the public and private sector, including former hackers and incident response execs.
The blue team was led by Steve Hill, former group CISO of Credit Suisse, and included Ritesh Patel, security principal at bp, and Craig Edwards, CISO at risk management consultancy Schillings Partners.
Tabletop scenario: Water utility under ransomware attack
The exercise focused on a ransomware attack that aimed at disrupting a fictional UK water utility’s ability to serve its one million customers to the extent that it would have no other option but to pay a ransom.
The simulation of the hypothetical attack against “Springfieldshire Water Treatment” consisted of four game phases. Each turn involved an attack-response cycle, with Yossi Rachman, Semperis’ director of security research, acting as game master.
In the first phase of the exercise, the red team were invited to target the plant’s outdated SCADA-based industrial control systems. The attackers learned that the operational technology systems were integrated with the IT system, an increasingly prevalent practice today. Further intelligence gathering, including open-source intelligence, allowed them to determine that the plant’s head engineer was celebrating his birthday on the day they launched their attack, timed to hit on Dec. 24 for maximum disruption at a time when many staff would be on annual leave.
Security monitoring detected suspicious activity, with some endpoints showing signs of encryption at the fictional utility. An anomaly was detected on the head engineer’s computer, prompting the blue team to launch an investigation.
In the next phase of the exercise, the red team were informed they had seized control of the SCADA system and presented options for escalating the attack.
The red team went ahead with malicious data encryption. They moved on to sensitive IT systems, escalating their privileges along the way, before exfiltrating sensitive corporate data and emails. The attack team decided against carrying out any operational disruption since they had no desire to be considered or treated like terrorists — they were strictly in it for the money, going forward with an attempt to extort Springfieldshire Water Treatment for up to £20 million.
Meanwhile, over on the blue team, incident response kicked in as the defenders put together a plan attempting to contain the attack and restore affected systems.
During this phase of the exercise, the blue team receive a call from their legal department advising them to inform the UK’s National Cyber Security Centre and regulators about the attack, warning that failures could result in fines or liability issues. Notifying partners and bringing in the expertise of external incident response specialists becomes a major focus for the defenders at this stage of the game.
Extortion attempts rebuffed
As the exercise moved on, the blue team refuse to pay a ransom after consulting with the authorities, legal teams, and crisis management experts. Instead of upping the ante by threatening to sabotage the water treatment algorithms or chemical pumps, potentially tainting the supply, the attackers decide to leak customer records online until the ransom is paid.
News of the ransomware attack leaks onto social media, along with some employee and customer data. Media outlets pick up the story, causing widespread panic fuelled by self-proclaimed “experts.”
In response, the Springfieldshire council leader holds a press conference demanding action and threatening to launch an investigation. The blue team decides to respond by using social media platforms and media outlets to put out statements reassuring the public that although the water treatment firm is under cyberattack their water supply remains safe.
The final stage of the exercise considered resolution and future mitigation. The blue team attempted to develop a plan to make sure that containment was both successful and complete as well as considering steps to ensure long-term resilience against similar attacks.
Although their ransom demand was rejected, the red team still managed to profit from their attack by enterprisingly shorting stock of the publicly traded Springfieldshire Water Treatment prior to the attack. In the scenario, Springfieldshire Water Treatment is the target of a takeover bid by a rival utility.
War games
The “Operation 999” exercise offered a cybersecurity tabletop simulation designed to allow participants to practise incident response strategies. The tabletop exercise offered an immersive experience without featuring any hands-on-keyboard work or analysis of technical data (such as exercise-specific log files, or similar).
The scenario was designed to hone cyber incident preparedness, through a similar mechanism to how war games train military forces during peacetime.
All involved in the two-hour exercise were (or at least appeared) highly engaged. Much of the discussion on the blue team involved identifying critical assets key to keeping the utility up and running and delivering a minimal viable service and liaising with stakeholders.
Speaking after the exercise, Semperis’ Rachman acknowledged that although a training exercise can’t fully prepare for the chaos of a real attack it does allow defenders to develop better incident response plans.
“Both teams did brilliantly and were quite creative,” Rachman said. “However, I think the blue team’s assumption that they could get in touch with all their stakeholders when the attack struck — on Christmas Eve — was quite optimistic.”
The scenario presented in the exercise, though fictional, is far from implausible.
In October 2024, American Water, the largest US water and wastewater utility, detected unauthorised activity in its computer network, disrupting customer service and billing. In the UK, Southern Water suffered a data breach initiated by hacker group Black Basta, who gained access to the company’s server infrastructure and compromised a significant amount of personal data.
A survey commissioned by Semperis of 350 UK and US utility providers found that 62% were targeted in the past year, with 54% suffering permanent system damage.
The vast majority (90%) of organisations activated cyber crisis plans last year, yet most suffered repeated disruption due to outdated playbooks, cross-team silos and tool sprawl.
During a keynote presentation on the history of ransomware at Infosecurity Europe, Mikko Hypponen, chief research officer at WithSecure, characterised ransomware attackers as relentless, arguing that the threat they pose presents a more challenging risk than fire, accident or natural disaster.
“Nobody’s trying to burn down your factory every day, every week, over and over again until they succeed,” Hypponen said. “However, these guys are trying to break into your network every day, every week, over and over and over again and, if they succeed, they will shut down your company just as well as a fire or a flood.”
Original article: Operation 999: Ransomware tabletop tests cyber execs’ response | CSO Online