A highlight from Cyber Security Today Week In Review for May 14, 2021
A controversial new worldwide data-sharing policy with Facebook comes into effect tomorrow. Last week, WhatsApp promised it wouldn't cut users off if they didn't agree to the new terms. Time for some discussion. With me this week is Dinah Davis of Arctic Wolf. Hi there. Hi, how are you doing today? I'm doing great. It's nice and sunny outside, and with any luck this afternoon I'll get out for a walk. Yeah, my daughter made it into the pool for the first time yesterday. I was wearing a bulky vest 'cause I was so cold standing outside, with it being only thirteen degrees, but she was a happy little fish in the twenty-three degree water. It's great. The Colonial Pipeline attack has been on everybody's mind this week, which is why we're giving it scrutiny right off the top. Start off with some background. So on Friday, May seventeenth, Colonial Pipeline disclosed that they had taken key IT systems offline because of a security incident, and it turns out there's a group called DarkSide who has attacked them, and they are a ransomware group. The big deal about this one is that it has huge impacts in the United States, right? It's Colonial supplies the gas for a very large portion of the United States, and taking down their IT systems also meant that their operational systems went down too, so it leaves people very worried about getting gas. I've seen some crazy videos of people actually filling up plastic bags with gas to store it, which seems just nuts, but it's caused quite the chaos. And as we were recording this podcast, news came out that Colonial actually paid five million dollars in ransom to the gang behind this. They did, and the crazy part is it looks like they did get the decryption software from DarkSide, but it was so slow to use that they've still had to go to restoring from their backups.
So it was almost useless paying for it, because it took too long for that software to work, which is even more crazy, right? But it also means the impact of the attack just spreads out more. One thing cynics may point to is the lack of readiness of critical infrastructure firms. It isn't clear, because we don't know how the attack started, but more importantly it seems that the operational network of the company which runs the pipeline was not hit. Correct. So the company says it closed the pipeline temporarily as a precaution after the IT system was hit. Colonial told the Associated Press that the IT network is strictly segregated from the pipeline control systems. I hope it is. A Canadian expert I spoke to said that Canadians shouldn't be smug that the attack happened south of the border, because it could have happened here. Do you have a sense of the readiness of Canadian critical infrastructure providers to withstand cyberattacks? I don't, really, but you know, this is a wake-up call for everyone in the world, right? As if SolarWinds and other things weren't enough either, but this could happen to any of us. Any company can have a bad day. But are you actually ready for this if it happens to you, when it happens to you? And so I think there's a lot of CISOs and CEOs this week, maybe in the energy sector, going, "Oh boy, could this happen to us? Do we need to go and look at things? What's going on?" The interesting thing I thought was, stealing data from a critical infrastructure supplier could be as damaging as actually damaging its operations. So for example, in Colonial's case, it says it temporarily closed the pipeline out of an abundance of caution. Well, that caused gasoline shortages. And so my point is, if an attacker can get companies to do that, it's as effective as compromising the pipeline. It absolutely is. Any way that an attacker can put pressure on you to pay is good for the attacker, right?
So if it's that you are forced to turn off the service that you are providing, such as gasoline or energy, you know, people are clamoring to get that back, which will put much more pressure on the company in trying to figure out what to do, and clearly this company felt the pressure and they paid the ransom. So one lesson is, you've got to be prepared for a cyber attack, because it may succeed. On the one hand you're going to be spending money on technology, and the idea is to block the attack, but this is a matter of reducing risk. You're not going to be able to block every attack, and companies have to be prepared. Yup, absolutely. And you know, a data theft alone can be costly because it may include confidential business information on acquisitions, on product pricing. A company may shrug about that. But what may be stolen may be personal information of employees. Right. And so that's very dangerous, because employees sure don't want their dates of birth, their social insurance numbers, maybe their bank account numbers if the company's making direct deposits for salaries, and that may be worth paying a ransom for. So I think this incident is just more of an incentive for firms in critical infrastructure to tighten their cyber security. It absolutely is. The other interesting thing is the threat actor here is a newer threat actor called DarkSide, and they are a growing group of ransomware-as-a-service providers. And what's interesting is DarkSide has two main goals to accomplish when they infiltrate a victim organization. So they move laterally through the network and exfiltrate sensitive data, like you're talking about, and they want to grab as much of it as possible, because they need to find a lever. They need a lever for you to pay, whether that's a denial of service attack,
basically making you shut down your pipeline, or stealing your data and threatening you that they will publish if you don't pay, and then once they've got your data they're gonna go and encrypt everything on the systems that they can find. The one thing we know about DarkSide is their signature is that they actually go and do a lot of research about the person they attack before they do it. It's kind of their hallmark. So usually they will go after these places, get all that information, post that, and then really push for them to pay the money. In this case we haven't seen them put a post up about Colonial. We haven't seen them put a post up with Colonial data in it yet. Maybe that's because Colonial paid five million dollars early. Could be. Exactly. And maybe they don't wanna draw any more attention to themselves. This was maybe a bigger hit and more attention than they anticipated. They published an advertisement for their service in November of twenty twenty, which is quite interesting actually. So it was a Russian-speaking actor called DarkSupp that advertised it in Russian-language forums, and so the interesting piece about it is that the affiliates are the people who actually will use their software to run the attack. They actually have an interview process, like you have to be accredited, like an accredited criminal, I guess, that you actually know what you're doing with this ransomware stuff. The affiliates retain about seventy-five percent of the ransom if it's less than five hundred thousand, but up to ninety percent if the ransom is over five million dollars. So DarkSide always takes a cut, but you know, the affiliates get quite the cut here as well. But the very most interesting part of this is that the actor DarkSupp has stated that the affiliates are prohibited from targeting hospitals, schools, universities, nonprofit organizations and public sector entities. Now you might think, oh, it's because they have a good heart.
No, I think it's actually because they don't want to be attacked. They don't want to have the authorities come after them. They're also, interestingly, prohibited from targeting organizations in the Commonwealth of Independent States, so like Russia and Kazakhstan and Belarus, Georgia and that kind of stuff. So that's also interesting, right? So my guess is here, they're trying to lay low after this one, because they did not expect something this high profile to hit them, nor did they want it. Yeah, I mean, it was interesting that DarkSide issued a statement this week, seemingly in response to FBI allegations that it's linked to the Russian government. Here's what it said, quote: "We are apolitical. We do not participate in geopolitics. Do not need to tie us with a defined government. Our goal is to make money and not creating problems for a society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future." Yeah, they didn't like it. They didn't like that their affiliate went after Colonial. It sort of sounds like that. Sounds like they were upset: causing long lineups at American gas stations and attracting the attention not only of the FBI but also the president of the United States. I talked to Greg.