Attacking the backups

Posted on 2020-03-13 by Matt Strahan in Business Security


There are a critical systems inside any organisation where the compromise of those systems are almost automatically business threatening. When performing penetration testing we try and think about the “crown jewels” as a bit of a target – if we get access to this the risk is pretty well self evident. Most of these systems are the obvious: financial systems, domain controller, key business process systems, safety systems, and often the web presence nowadays. One such system that is not considered nearly enough is the backup system.

Let’s first look at the obvious: to properly backup data, the backup systems have to have access to that data. This means the backup systems often have the keys to the kingdom, so to speak. If the backup systems are compromised, then all of your data should be considered compromised.

Believe it or not, though, in modern IT environments the backup systems are even more important than just having access to data.

How much data can you lose?

When talking to companies about their security, I will ask questions like “how much data can you lose before it becomes business threatening?” This number isn’t usually measured in gigabytes or terabytes, but time. For example, what would happen if you lose a few seconds of data? When would it become an actual issue? That may be business as usual for a construction firm but be a disaster for a high-frequency share trader. Losing the last hour of data could start getting critical for an online retailer, and losing 4 hours of data would become a huge issue for a law firm.

Really the question isn’t “how much data can you lose” but “how long can your business stay standing without your IT systems?” A downtime of a couple of weeks is crippling for any business.

An organisation who has their business continuity management under control would have examined each system and put together “Recovery Point Objectives” (RPO’s) which defines the amount of data loss in time that would be acceptable when a system fails. It could be seconds, minutes, hours, even days for lower critical systems. The RPOs will then be used to define a sensible backup strategy. If your RPO is in seconds, then a warm backup that constantly syncs data along with high availability would probably be sensible. If the RPO is in days, then regular tape backups may be sufficient.

The business continuity plan will define the strategy, along with a testing strategy that ensures the backups are successful and usable. This is effective at trying to limit random chance and accidents from potentially knocking out your business. It should be able to handle both your day to day “someone spilt coffee on the server” as well as the unusual “your datacentre is on fire”.

The new target

What happens if your backup systems are compromised by a hacker?

Backup systems targeted by an intelligent attacker can potentially make your RPO based backup strategy irrelevant. Suddenly you might not be losing a few hours of data in the event of a system failure, you could be losing weeks or months of data. You could be losing the whole lot. Could your business keep running if you suddenly lose all your data? For many modern organisations, losing every piece of data means losing the business.

Even offline backups are targeted: you can corrupt the offline backups as they’re made. Often test restorations are performed once every 6-12 months. An intelligent attacker could be corrupting your offline backups for a whole year before you even realise. Online backups can potentially be removed all at once.

The targeting of backups in business threatening ways has already happened. In 2014 Australian company Code Spaces was blackmailed by someone who gained access to their AWS console. When the data was deleted, the company effectively ceased to exist.

Over the past year, backup systems have been increasingly targeted with business-wide ransomware that holds the business hostage, like what has recently happened to Toll Group in Australia. Ransomware makers know if the organisation can just restore from backup then they don’t need to pay the ransom. Ransoms are now into the tens of millions of dollars, and without backups organisations are left helpless.

A forgotten part of security

Despite the extreme importance of backup systems, for many organisations backups tend to be a rather easy target for attackers – the backup systems are often unpatched, insecure, and are often accessed through standard systems administration credentials. Companies too often forget about them since they’re often esoteric software and the sysadmins might not even know how to keep them up to date. The organisation ends up just putting them to the side, outside of their patch management and system hardening standards. For a hacker, then, they make a juicy target.

We need to stop considering backup systems as a component of business continuity management, but instead think of it as part of the “crown jewels” of an organisation and as one of the key business critical systems that must at all points be protected. All of your business continuity planning should feed into your security strategy and security compliance planning, guiding how you protect your backups.

Sensible controls to protect your backups could include taking your backups off your domain so that domain admin compromise doesn’t mean your backups are compromised. It could also include using a separate AWS account for backups, so if your main AWS account is compromised you can still restore from backups.

We must protect the backup systems with the same vigilance as payroll and domain controllers and make sure we know if they’re compromised in any way. Forgetting to protect your backup systems could lead to not just an incident, but it could be the end of the organisation.


About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.

Photo by Daniel Schludi on Unsplash

If you need help with your security, get in touch with Volkis.
Follow us on Twitter and LinkedIn