
Fuel pipeline shutdown causes gas shortages in several states

The DarkSide group first appeared around August of 2020, both executing its own highly targeted attacks on English-speaking companies and running a ransomware-as-a-service business for less sophisticated cyber criminals.


While not particularly dangerous or advanced as compared to other ransomware gangs, DarkSide made news for its “ethical” posturing. It issued press releases promising to keep ransomware attacks away from vulnerable targets such as hospitals and non-profit agencies, and offered victims “friendly” terms including a professional-sounding live chat. It even offered to send donations to several charities, though these were declined.

It appears that DarkSide was not extending its code of ethics to its clients, according to a public statement made by the group after the FBI named it in the media: “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives … Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

“Unfortunately, the cyber-attack against Colonial Pipeline is only a teaser of the future of cyber-attacks. As cyber criminals and foreign adversaries seek opportunities for financial gain and power projection, our national critical infrastructure is an easy target. Industrial environments are operating with infrastructure that commonly maintains obsolete technology that can’t be patched, and staff that frequently are not as cyber savvy as they need to be to keep attackers at bay. This leads to a situation where cyber security risk levels are below acceptable tolerances, and in some cases organizations are blind to the risk. One additional risk factor of pipelines is that they are highly distributed environments, and the tools that are used to enable asset operators remote connectivity are optimized for easy access and not for security. This provides attackers opportunities to sneak through cyber defenses as we saw in the water utility attack in Oldsmar, Florida earlier this year … Among critical infrastructure sectors, energy is especially at risk. Our researchers have found that the energy sector is one of the most highly impacted by industrial control system (ICS) vulnerabilities, and it experienced a 74% increase in ICS vulnerabilities disclosed during the second half (2H) of 2020 compared to 2H 2018.”

DarkSide claims that it never intended to cause a disruption of this nature or size with its ransomware attacks. Colonial Pipeline completely shut down its operations on May 7 after discovering the ransomware attack, which included halting its fuel deliveries along the Gulf Coast and Eastern Seaboard. Consumers started feeling the pain at the pump on May 10 as a number of gas stations in multiple states ran completely dry of fuel. Colonial Pipeline has implemented manual operations to get gas out but does not expect regular supply to be restored for about a week, during which time the southeastern states will be hit particularly hard by shortages and an expectation of panic buying.

Ransomware attack appears to be for-profit, no strong ties to nation-state threat actors

DarkSide has some known links to Russia; its operators have been seen speaking the language, have email and IP addresses linked to the country, and it includes a number of Russian for-profit organizations among its list of targets that are off-limits due to its supposed ethical code. However, there is presently no direct evidence that it is affiliated with Russian intelligence, and the Biden administration has said that it does not believe there is a link in the fuel pipeline attack.

DarkSide ransomware attacks are known to exfiltrate the data of targets and threaten to post it publicly if the ransom is not paid. That appears to have happened here as investigation sources report that about 100 gigabytes of data was stolen from the fuel pipeline’s IT network during the two-hour period prior to the ransomware lockout, but a threat of a public leak has yet to emerge.

“Current reporting suggests that this is a group that is new, but composed of experienced members. The ransomware itself is not that novel – there is a good technical explanation here. What seems to set this group apart is the research they conduct before compromising a victim – so they know the reporting structure, who in the organization makes decisions and who handles finances. If that is true, it is unlikely that this event is an artifact of the “spray and pray” type of attack and was highly targeted. That diminishes the theory that this gang is just the “dog that caught the car”, as this was an entirely intentional act … While there may be an actual financial motive, the (likely) Russian government may be testing the waters here, using a criminal foil to ascertain whether the US will “draw the line” between what is criminal and what is an act of aggression.”

The ransomware attack is still under investigation by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Following the incident, CISA executive assistant director Eric Goldstein told reporters that ransomware is an ongoing threat to organizations of all sizes in all industries and encouraged everyone to strengthen security postures. The attack on the fuel pipeline almost immediately followed an announcement of a proposed federal “ransomware task force” that would bring together various federal agencies in partnership with private tech and security firms to address the growing threat.

Ransomware attack disrupting fuel supplies

Though the government is strongly indicating that the attack on the fuel pipeline is not state-backed, the timing is particularly disruptive. It comes just ahead of the usual summer season of peak demand, one that is expected to be particularly high as Americans plan vacations and travel after a year of coronavirus restrictions. The Colonial Pipeline transports some 2.5 million barrels of gasoline each day to mostly eastern and southern coastal states, serving both private and commercial customers. It is also relied upon by airports in these states, which include some of the largest hubs in the country, such as Hartsfield-Jackson International Airport in Atlanta and Nashville International Airport in Tennessee. Some of these airports have resorted to trucking or even flying in fuel from other sources in order to remain fully operational during the supply shortage.

The ransomware attack impacts fuel supplies to nearly every state on the coast of the US from east Texas up to New Jersey; Tennessee also relies on a branch of the fuel pipeline that comes in from neighboring Georgia. Florida is the lone exception among these coastal states as it draws gasoline directly from Gulf Coast refineries via tanker ship rather than from the fuel pipeline. The Houston area of Texas may be impacted, but the rest of the state (including the Dallas-Fort Worth International Airport) is supplied by fuel from different sources. Experts are anticipating that there may be significant gas price spikes if the issue drags out for longer than a week.


List of data breaches and cyber-attacks in April 2021 – 1 billion records breached

It was another busy month in the cyber security sector, as we discovered 143 incidents that resulted in 1,098,897,134 breached records. Ransomware was again one of the biggest contributors to that total, accounting for almost one in three data breaches.


Cyber attacks

• Aneurin Bevan health board suffers cyberattack (unknown)
• Drinks giant C&C Group subsidiary shuts down IT systems following security incident (unknown)
• Colchester Institute suffers cyber security attack (unknown)
• Facebook users’ phone numbers leaked on hacking forum (533 million)
• California’s La Clinica de la Raza discloses malware attack (unknown)
• Manquen Vance notifies those affected by email breach (unknown)
• Squirrel Hill Health Center discloses malware attack (unknown)
• Italian municipalities Brescia and Rho hit by cyber-attack (unknown)
• US Ivy League school Brown University hit by cyber criminals (unknown)
• Singapore’s National Trades Union Congress’ Employment and Employability Institute breached (30,000)
• Administrative Advantage notifies patients of Remedy Medical Group after email hack (unknown)
• California’s El Monte City Hall investigating unauthorized access (unknown)
• La Ville de Vallauris Golfe-Juan impacted by cyber-attack (unknown)
• Atlantic Media says someone gained unauthorized access to its servers (unknown)
• Hacking group’s site Swarmshop targeted by fellow criminal hackers (12,344)
• Cyber criminals dump data from Canada’s Durham Region (unknown)
• Data from COVID-19 test centres in Hamburg, Berlin, Leipzig and Schwerte breached (14,000)
• Scraped Clubhouse user records leaked for free on a popular hacker forum (1.3 million)
• LinkedIn profiles put up for sale on a popular hacker forum (500 million)
• Retail broking firm Upstox discloses security incident (unknown)
• CareFirst BlueCross BlueShield Community Health Plan District of Columbia discloses breach (unknown)
• ParkMobile breach exposes license plate data and mobile numbers of its users (21 million)
• Two New Jersey school districts report cyber-attacks (unknown)
• Gay dating site Manhunt hacked, thousands of accounts stolen (6 million)
• Italian winery Asti DOCG targeted by criminal hackers (unknown)
• Celsius email system breach leads to phishing attack on customers (unknown)
• Switzerland: Schaffhausen hospitals suffer major IT failures (unknown)
• France’s Grésivaudan clinic victim of a cyber-attack (unknown)
• French calibration services firm Trescal facing cyber-attack (unknown)
• Codecov discloses 2.5-month-long supply chain attack (unknown)
• Geico admits fraudsters stole customers’ driver’s license numbers for months (unknown)
• Elliman’s property management arm suffers data breach (unknown)
• Canac hardware stores victims of a cyberattack (unknown)
• Cyber-attack targets Santa Clara Valley Transportation Authority (unknown)
• Data compromised in cyber-attack on Japan’s Cabinet Office (231)
• Malware attack on Radixx Res disrupts 20 airlines’ ticket reservation systems (unknown)
• Passwordstate hacked to deploy malware on customer systems (29,000)
• Champagne group Laurent Perrier has been victim of cyber-attack (unknown)
• A cyber-attack affected the Spanish city council of Xixona (unknown)
• Synchronised cyber-attack affects Spanish government (unknown)
• Germany’s grocer Tegut is the target of a cyber-attack (unknown)
• Pharmaceutical company Mipharm SPA victim of a hacker attack (unknown)
• Nissan Securities reveals disruption following unauthorized access (unknown)
• Cyber-attack disrupts Fiji’s government online services (unknown)
• DigitalOcean says customer billing data accessed in data breach (unknown)
• Fourth time’s a charm – OGUsers hacking forum hacked again (unknown)
• Hackers target Italian pharmaceutical company Zambon (unknown)
• Thrifty Drug Stores Inc. discloses security incident (unknown)
• St. John’s Well Child and Family Center discovers data compromise (unknown)
• France’s Invicta Group at a standstill since Monday after a cyber-attack (unknown)
• Cyber spies target military organizations with new Nebulae backdoor (unknown)
• Toronto hit by ‘potential cyber breach’ from Accellion file transfer software (unknown)
• Data breach discovered at Achievement Center of LECOM Health (unknown)

Ransomware

• University of Portsmouth closes campus due to ransomware attack (unknown)
• UK rail network Merseyrail likely hit by Lockbit ransomware (unknown)
• University of Maryland, Baltimore latest to confirm Accellion breach (unknown)
• Hackers hit Italian menswear brand Boggi Milano with ransomware (unknown)
• Missouri’s Affton School District discloses ransomware attack (400)
• The largest supplier of car parts based in Cluj-Napoca blackmailed by hackers (unknown)
• Canadian retailer Home Hardware hit by ransomware (unknown)
• J&B Importers falls victim to a ransomware attack (unknown)
• TriHealth says employees and staff were affected by ransomware (unknown)
• National College of Ireland hit by ransomware attack (unknown)
• Technological University of Dublin victim of ransomware attack (unknown)
• Ransomware attack forces Haverhill Schools to cancel classes (unknown)
• Thousands of schools potentially affected by Axios Italia cyber-attack (unknown)
• City of Lawrence hit with significant ransomware attack (unknown)
• Saint-Gaudens hospital latest French hospital to suffer cyber-attack (unknown)
• Austria’s Nah&Frisch Wieser Türnitz hit by ransomware attack (unknown)
• Dutch transport company Bakker Logistiek hit by ransomware (unknown)
• Czech city of Olomouc paralyzed by a cyberattack (unknown)
• French city Isle-sur-la-Sorgue victim of ransomware (unknown)
• Realty firm Ansal Housing fears data loss following multiple ransomware attacks (unknown)
• Italy’s Gino Group car dealership notifies customers of ransomware attack (unknown)
• Italian healthcare facility USL Umbria2 attacked with ransomware (unknown)
• French city of Morières-lès-Avignon hit by ransomware (unknown)
• The town hall of Douai suffers ransomware attack (unknown)
• Hardware company Würth France involved in suspected ransomware attack (unknown)


• Belgian city of Floreffe victim of a suspected ransomware infection (unknown)
• Czech consumer electronics firm Asbis hit by ransomware (unknown)
• Turin Territorial Housing Agency infected with ransomware (unknown)
• Swiss firm Griesser AG victim of ransomware attack (unknown)
• Houston Rockets hit by Babuk ransomware (unknown)
• Maritime services provider Bourbon Group hit by a cyber-attack (unknown)
• Brazil’s National Library website falls victim to a ransomware attack and goes offline (unknown)
• Phone House Spain hit by Babuk ransomware (3 million)
• Malta’s Nationalist Party affected by ransomware (unknown)
• State institution in Slovakia target of ransomware attacks (unknown)
• Hackers post files from Broward School District following ransomware attack (26,000)
• Bavarian city of Kammelta hit by ransomware (unknown)
• University of Castilla-La Mancha (UCLM) suffers a ransomware attack (unknown)
• Hackers target Japan’s Hoya Corp with ransomware (unknown)
• Cegos Group victim of ransomware attack (unknown)
• Illinois Attorney General’s Office in suspected ransomware attack (unknown)
• Germany’s Madsack publishing group hit by ransomware (unknown)
• Ransomware attack on Norway’s Nordlo knocked out systems in several care institutions (unknown)
• Queensland hospitals and aged care facilities crippled by ransomware (unknown)
• New York’s Guilderland Central School District hit with ransomware (unknown)
• Oregon’s Centennial schools shuttered after hackers breach systems (unknown)
• France’s Bourg-Saint-Maurice town hall is the target of a cyber-attack (unknown)
• Italy’s Banca di Credito Cooperativo suffers cyber-attack (unknown)
• Presque Isle police data leaked by threat actors (unknown)
• Baclesse cuts its Internet connection to prevent the spread of a computer worm (unknown)
• Cyber-attack against the company involved with the 1915 Çanakkale bridge and motorway project (20,000)

Data breaches

• Social worker shared confidential details of someone in care on Facebook (unknown)
• Furious Football Index investors have their identities revealed by DCMS email gaffe (500)
• HMRC outlines late-filing penalty notices data breach (18,496)
• New Zealand’s Allied Press hit by data breach (unknown)
• Woolfson Eye Institute says employee laptop was stolen (unknown)
• Education nonprofit Edraak ignored a student data leak for two months (20,000)
• Signify Health notifies covered entities’ patients of possible access to their PHI (unknown)
• Q Link Wireless exposes data of its customer base (2 million)
• Certis exposes personal data from e-mails (62,000)
• Chattanooga Library card owners revealed in data breach (5,000)
• Privacy breach at Algoma Public Health (unknown)
• Swinburne University confirms that staff and students affected in data breach (5,300)
• Chesterfield County Public Schools mistakenly releases names of students, staff with COVID (1,000)
• Wake Forest University Counseling Center sends errant email to hundreds (860)
• Reverb discloses data breach exposing musicians’ personal info (5.6 million)
• Wyoming Department of Health leaking data online (164,021)
• Maine government website displayed mental health patients’ confidential information (unknown)
• Israel: Private patient cases of deceased psychologist found on the street (unknown)
• Contact tracing data breach exposes health information of Pennsylvanians (72,000)

Financial information

• Arup staff hit by cyber hacker attack at payroll provider (unknown)
• Hacker grabs users’ payment details from Cardpool.com (330,000)
• University of Colorado data breach affects social security numbers and financial information (310,000)
• AmeriFirst warns customers of December data breach (unknown)
• Tennessee-based First Horizon discloses data security breach (unknown)
• Breached online ordering platforms expose hundreds of restaurants (340,000)
• Hotbit cryptocurrency exchange down after hackers targeted wallets (500,000)

Malicious insiders and miscellaneous incidents

• VA staffer used medical records to stalk and harass female vet (unknown)
• Winnipeg Regional Health Authority contacted those affected by data breach (58)
• Privacy breach at Canada’s RDRHC Diagnostic Imaging department (3,224)
• Montefiore Medical Center discloses another insider-wrongdoing breach (unknown)
• Software developer charged with damaging the computer system of a Cleveland company (unknown)
• A hard disk with people’s data stolen from the Amsterdam tax office (30,000)
• Peak Vista Community Health patient information on stolen computers (unknown)
• Calgary Police officer charged with privacy breaches (unknown)
