BSJ Hit by CYBERATTACK
State-run agency hit by ransomware attack; company has spent over $36m so far to recover and protect ICT structure
Published:Saturday | May 11, 2024 | 12:10 AMKimone Francis/Senior Staff Reporter
The Bureau of Standards Jamaica (BSJ) is the latest state-run agency to be hit by a cyberattack that has affected some aspects of the entity’s service delivery.
BSJ, the statutory body established to promote and encourage standardisation in relation to commodities, processes and practices, confirmed that it suffered a ransomware attack in February and is still working to “normalise” its operations.
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.
The attack has so far cost BSJ US$231,900 or J$36.1 million to procure the services of two international companies to recover and secure its information and communications technology (ICT) structure, a document obtained by The Gleaner revealed.
The National Certification Body of Jamaica and the National Compliance and Regulatory Authority, which share campus with BSJ, were also impacted by the attack.
The development follows a similar “cyber incident” at the state-owned oil refinery Petrojam in December and last September’s cyberattack at the Financial Services Commission, the entity that oversees the regulation of Jamaica’s insurance, pension, and securities industries.
The latest attack calls into question the strength of Jamaica’s cyberinfrastructure and highlights significant vulnerabilities that may point to the country being a soft target for ransomware and cyber gangs.
On Wednesday, Dr Velton Gooden, executive director at BSJ, confirmed to The Gleaner that a number of files he described as “working documents” shared between different individuals were encrypted.
Some records from BSJ’s archives have also been impacted.
Phishing attack
The breach reportedly stemmed from a phishing attack that compromised some staff credentials and potentially exposed BSJ’s systems to malware.
However, Gooden said none of BSJ’s core systems was affected and that no data was removed or extracted from its ICT environment.
“We have brought in the experts Dell and Fortinet who are currently working with us to try and restore our systems. We have not lost any data but some files we are not able to read. It was a ramsomeware attack [but] we have not paid any money,” said Gooden.
“The assessment is that we were not profoundly impacted and we are working with the experts to restore those files. So we have to go back to our backup files and retrieve some of those documents which were stored elsewhere. We’re still operational though we have lost some efficiency having to go back and rebuild some of those files but we have not been crippled,” he added.
He noted that BSJ had been doing work to upgrade its system prior to the attack, admitting that while it was more robust than most government entities, it was not yet at international standards.
BSJ paid Dell US$178,729.18 and Fortinet US$89,158.70 for assistance, a breakdown of figures showed in the document obtained by The Gleaner.
Further, in an emailed response to questions sent by the newspaper, BSJ said its experts are working to ascertain the extent of any impact, and in the interim, it has been issuing public advisories with respect to any possible effects on service delivery.
The agency, over the years, has had its role expanded to include the provision of services in relation to conformity assessment (certification, testing and calibration) and metrology.
Its main activities include facilitating the development of standards and other requirements to which particular commodities, services, practices and processes must comply; conducting tests and calibrating instruments; certifying products and management systems providing industrial training and promoting research and education in standardisation.
It is not clear which of these services has been directly impacted by the cyberattack.
However, the accrediting and auditing of BSJ’s labs have been pushed back.
BSJ said it is currently sanitising its digital environment before restoring backup files.
The agency further indicated that it has dealt with similar “cyber incidents” in the past.
“We have been continuously engaging with our system support partner, Fortinet, since January 2023, in the areas of training, systems upgrade, firewall protection and strengthening our security posture. Additionally, the BSJ has been participating in a digital transformation programme with the International Organization for Standardization since September 2023,” BSJ said.
It said the incident has been reported to the Jamaica Cyber Incident Response Team (JaCIRT), the BSJ Standards Council and the Ministry of Industry Investment and Commerce and that advisories were sent to customers and staff.
Godphey Sterling, head of JaCIRT, confirmed on Wednesday that his agency was aware of the incident and had been working with BSJ. He declined to comment further.
In a previous Gleaner interview, Sterling warned of Jamaica being a possible soft target for disrupted cyber gangs that had nefarious operations clamped in Europe. At that time, he spoke to the country’s vulnerable cyberinfrastructure.
Sterling said then that the cyber gangs rake in tens of millions of dollars from local businesses and, possibly, individuals as part of a global ransomware scheme that is projected to cost US$6 trillion by 2026.