Cyber officials, incident response teams brace for Memorial Day weekend

On the eve of Memorial Day weekend, threat researchers and incident response teams are quietly preparing for the risk of malicious activity when staffing is minimal and millions of workers will be on the road. 

Critical industries have faced a series of threats from criminal ransomware gangs or nation-state actors for much of 2024, and the unofficial summer kickoff weekend is a prime opportunity for malicious attacks. 

“We see attacks and attempted intrusions every day,” Scott Algeier, executive director of the IT-ISAC, said via email.

While there is no specific threat information pointing to a Memorial Day event, “attackers are also aware of the calendar and know that security teams tend to operate with reduced staffing on weekends and holidays,” Algeier said.

The healthcare industry was hit by two major ransomware incidents in recent months, including the attack against Change and the ongoing attack against Ascension hospitals. 

“We’re trying to remind our members and our cybersecurity leadership in the health sector that we’ve got another long weekend coming and especially we’ve seen threat actors take advantage of the timing,” said Errol Weiss, chief security officer of the Health-ISAC.

A 2023 report from Sophos indicates about 90% of ransomware attacks occur outside of normal work hours. The report was based on incident response cases during the first half of 2023.

Major ransomware attacks in recent years have taken place around holiday periods when organizations were either closed or operating with reduced staff. The FBI and Cybersecurity and Infrastructure Security Agency issued guidance in 2022 about criminal ransomware groups targeting companies during nights and weekends. 

Holiday attacks of late include: 

The security landscape remains heavily focused on nation-state threats to critical infrastructure. FBI Director Chris Wray in January warned about ongoing threat activity linked to Volt Typhoon, a hacking group linked to the People’s Republic of China. 

The group has planted webshells in various critical infrastructure targets in order to launch a diversionary attack against the U.S. in the event of a military conflict in the Asia-Pacific region.

National Cyber Director Harry Coker Jr. reiterated concerns about Volt Typhoon during a speech earlier this month at the CyberUK conference. He also warned about state-linked hackers connected to Russia. 

Researchers at GreyNoise Labs said the only significant trend they are seeing is the ongoing targeting of home office routers by various threat groups.

There are also a number of recently disclosed router flaws on the Zero Day Initiative site that could be used for exploitation activity, according to GreyNoise Labs. 

“The GreyNoise Lab team is bracing for any vendor or researcher vulnerability drops on Friday, as that has happened during prior long weekend holiday events, especially in the U.S.,” a company spokesperson said via email.  

Private sector companies and critical infrastructure providers struggled in recent years to find enough qualified staff for security operations during regular work days. A 2023 workforce study from ISC2 showed 67% of respondents faced a security staff shortage. 

“Malicious actors know how to take advantage of people stepping away from their computers, and when the industry is faced with a staffing shortage of the ones who are keeping watch . . . things can look grim,” Jon France, CISO of ISC2 said via email.

Holiday weekends and summer vacations create new obstacles for hunting down threats and mitigating malicious activity. 

“Every organization should be preparing and monitoring for increased abnormalities leading up to and during holiday weekends,” Jeff Wichman, director of incident response at Semperis, said via email.