CyberWire Daily - Ransomware disrupts pipeline operations in the Eastern US. Other ransomware attacks reported by US municipal and Tribal governments. UK-US advisory on SVR TTPs. SolarWinds update.
Episode Date: May 10, 2021. Colonial Pipeline shuts down some systems after a ransomware attack, disrupting refined petroleum product delivery in the Eastern US. We'll check in with Sergio Caltagirone from Dragos for his analysis. Other ransomware attacks hit city and Tribal governments. Joint UK-US alert on SVR tactics issued, and the SVR may have changed its methods accordingly. SolarWinds revised downward its estimate of the number of customers affected by its compromise. Rick Howard previews his CSO Perspectives podcasts on risk metrics. Four guilty pleas in "bulletproof hosting" RICO case. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/89
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Colonial Pipeline shuts down some systems after a ransomware attack,
disrupting refined petroleum product delivery in
the eastern U.S. We'll check in with Sergio Caltagirone from Dragos for his analysis.
Other ransomware attacks hit city and tribal governments. A joint U.K.-U.S. alert on SVR
tactics is issued, and the SVR may have changed its methods accordingly. SolarWinds revised
downward its estimate of the number of customers affected by its compromise.
Rick Howard previews his CSO Perspectives podcast on risk metrics.
And four guilty pleas in a bulletproof hosting RICO case.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 10th, 2021.
Colonial Pipeline disclosed Saturday that it had been the victim of a ransomware attack. The company said, quote, On May 7th, Colonial Pipeline Company learned it was the victim of a cybersecurity attack and has since determined that the incident involved ransomware.
Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat.
These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the
process of restoring, end quote. The incident began with the attackers stealing almost 100 gigabytes of data
last Thursday, and then, Bloomberg reports, locked Colonial Pipeline computers and issued their
ransom demand, at which point Colonial began taking systems offline in a precautionary attempt to contain the effects of the attack.
The affected systems appear to have been business systems, not control systems.
Later in the show, we'll hear from Sergio Caltagirone from Dragos for his insights.
Recorded Future tells Bloomberg that the ransomware strain involved appears to be DarkSide.
Dragos tweeted that they've seen DarkSide in OT networks before,
so in this respect, at least, the incident has precedence.
DarkSide is a Russian gang, and while Russian criminal groups are regarded as closely connected
to Moscow's intelligence and security services,
NBC reports that for now most are treating the incident as a financially motivated caper,
not state-directed sabotage.
Some, like CrowdStrike co-founder and Silverado Policy Accelerator executive chairman Dmitry Alperovitch, regard this as a distinction without a difference.
NBC quotes him as saying,
Whether they work for the state or not is increasingly irrelevant,
given Russia's obvious policy of harboring and tolerating cybercrime.
Colonial Pipeline describes itself as
the largest refined products pipeline in the United States,
transporting more than 100 million gallons of fuel daily
to meet the energy needs of
consumers from Houston, Texas to the New York Harbor. Its deliveries include gasoline, diesel,
and jet fuel. The incident represents a major disruption of the U.S. energy sector, Wired notes,
although it's not the first cyber attack the sector has sustained. Infrastructure targets
are increasingly attractive
to ransomware operators. Reuters reports that oil futures have risen in anticipation of shortages.
In an effort to ameliorate the expected shortages, the Federal Motor Carrier Administration has
issued an emergency waiver of certain provisions of Parts 390 through 399 of Title 49 Code of Federal Regulations,
effectively permitting drivers in 17 states and the District of Columbia to work extra or more
flexible hours while they're hauling refined petroleum products that would ordinarily have
been moved through Colonial's pipelines. The expectation is that road transportation will
take up some, although
not of course all, of the slack left by the pipeline disruption. The emergency directive
is, for now, expected to remain in effect through June 9th.
Politico says the incident is seen as a major challenge to the U.S. administration.
The New York Times reports a Saturday evening White House statement to the
effect that President Biden had been briefed on the incident and that the government was working
to, quote, assess the implications of this incident, avoid disruption to supply, and help
the company restore pipeline operations as quickly as possible, end quote. The statement also said
the government was working with other organizations in the fuel sector to increase their protection against such attacks.
Investigation is still in its early stages,
and it's unclear how the attackers got into Colonial Systems,
but The Times recounts a priori speculation that they might have exploited the now well-known
and now patched compromises of the SolarWinds Orion platform and Microsoft Exchange server.
For what it's worth, the goons responsible for the attack say they're apolitical
and that in the future they'll choose their targets more carefully.
Vice reports that the DarkSide gang seems concerned to head off the assumption that they're working for Moscow.
They wrote in a statement, quote,
The Hoods tweeted,
They go on to say,
From today, we introduce moderation and check each company that our partners want to encrypt
to avoid social consequences in the future.
So, honest crooks, not spies or saboteurs, says them.
The rhetorical genre, especially the promise to avoid social consequences in the future,
is what might be called unlikely insistence.
It's sweet of them to be so concerned, albeit belatedly, about the externalities of their business,
but we hope they'll forgive any skepticism their communique meets.
Ransomware has, of course, hit elsewhere.
In unrelated incidents, both the city of Tulsa
and the government of the Three Affiliated Tribes
disclosed that they'd sustained ransomware attacks.
Native News Online reports that on April 28th, the government of the Three Affiliated Tribes,
that is the Mandan, Hidatsa, and Arikara Nation, told its staff that it was affected by
ransomware. More recently, the city of Tulsa, Oklahoma, was hit by ransomware that took down
some of its networks and websites. The Record, by Recorded Future, says that the city is currently in the process of restoring its systems,
only a small percentage of which appear to have been affected.
A joint advisory issued Friday by the UK's National Cyber Security Centre
and three US agencies, CISA, FBI and NSA,
describes the tactics, techniques and procedures Russia's SVR
Foreign Intelligence Service used in the SolarWinds Compromise and elsewhere. The advisory
is specific and unambiguous in attributing the attacks to the SVR. Its big point is that the SVR
uses publicly available exploits for scanning and exploitation of vulnerable systems. A list of exploits the SVR is known to have used is provided,
with the qualification that the list can't be regarded as exhaustive.
In its choice of targets, the SVR has recently shown a willingness
to compromise trusted software supply chains.
It also scanned for vulnerable instances of Microsoft Exchange Server,
activity hitherto associated, for the most part, with Chinese intelligence operations.
Bleeping Computer notes that a foreseeable reaction to the U.S. and U.K. advisories
has indeed been observed.
The SVR is changing both its targeting and its TTPs.
SolarWinds has significantly reduced the number of customers it believes were affected by the compromise
of the company's Orion platform in 2020.
Where estimates had once run as high as 18,000,
SolarWinds reported in an SEC filing that fewer than 100 customers appear to have been affected.
The company explains the changed estimate like this,
quote,
It's important to note that this group of up to 18,000 downloads includes two significant groups
that could not have been affected by Sunburst
due to the inability of the malicious code
to contact the threat actor's command and control server.
One, those customers who did not install the downloaded version,
and two, those customers who did install the affected version,
but only did so on a server without access to the Internet.
Among a third group of customers, those whose affected servers accessed the Internet,
we believe, based on sample DNS data,
only a very small proportion saw any activity with the command-and-control server deployed by the threat actor.
This statistical analysis of the same DNS data leads to our belief
that fewer than 100 customers had servers that communicated with the threat actor.
This information is consistent with estimates provided by U.S. government entities
and other researchers, and consistent with the presumption the attack was highly targeted, end quote.
Finally, four gentlemen have taken guilty pleas
to U.S. federal RICO charges,
that is, charges under the Racketeering Influenced
and Corrupt Organizations Act,
involving their operation of a bulletproof hosting service
that provided infrastructure for cybercriminal gangs.
The malware hosted by their service included
Zeus, SpyEye, Citadel,
and the Black Hole Exploit Kit.
The U.S. Department of Justice says
that the four, two Russian citizens
and their Lithuanian and Estonian employees,
face up to 20 years' imprisonment.
They're scheduled for sentencing
throughout the summer.
We checked in with Sergio Caltagirone from Dragos for his insights.
Here's my conversation with Sergio.
This is a major event. It is a company which provides 40% of the a larger cyber impact to the country's fundamental infrastructure before as this one.
What about from a national security point of view? I mean, we've seen the president has responded.
He says that he's been briefed throughout, but it strikes me that hitting a pipeline of this size,
well, they have our attention.
Oh, yes, and maybe to great detriment to them.
You know, this is an area where, you know, cyber criminals who are in it for the money, which this group claims to be, for them, then clearly they're not doing well because this is bringing a lot more attention to them than is safe for them to continue operations.
negative, there's also a positive aspect to that, which will, it brings a lot more attention,
not only to the problem, but to this group in particular, which I hope results in policies and actions that allow us to start making inroads against this ransomware threat, which
has been plaguing us, you know, for five, seven years now.
And, you know, really we need to stop, you know, the headlines of
another company, another company, another company, another organization getting hit all the time. It
just, we need to find an end to this madness. Do you think this is going to be an inflection
point? Is this a bit of a wake-up call that we might see more effort, more funds, more resources
from the federal government to shore up
these bits of critical infrastructure? Dave, I have a huge amount of respect for the federal
government, having obviously served there myself, and not only the federal government in the U.S.,
but large national governments worldwide who take this problem very seriously. And I know
the U.S. government and other governments worldwide certainly do.
But I'm also a realist to some extent and recognize that, you know,
what we're trying to accomplish in cybersecurity, you know, takes a long time.
And I do believe that this is not an inflection point.
I believe we've already been at several inflection points before.
I believe that we all recognize what the problems are, and the governments worldwide have done that. I feel like what needs to change
is not inflection any longer, not introspection, not recognition of the problem. What needs to
happen are direct action inside organizations, both public, quasi-public, private organizations that we all rely on on a daily basis.
And there are organizations that are doing great.
There really are.
You just don't hear about them because we only hear about the things that go badly.
And the challenge, though, is that this is very, very uneven.
That certain industries, certain sectors are getting a lot of attention,
like electric generation gets a ton of attention. Nobody wants to see an electric plant go down,
right? But how many people talk about, you know, midstream or downstream natural gas or gasoline,
you know, products? Not many. You don't hear about that that often. And yet it is a critical
part of your infrastructure.
All right. Well, Sergio Caltagirone from Dragos, thanks so much for taking time for us today.
Thank you, Dave, for having me as always.
And it is always my pleasure to welcome back to the show Rick Howard,
the CyberWire's Chief Analyst and Chief Security Officer.
Rick, great to have you back.
Hey, Dave.
So on this week's CSO Perspectives podcast,
you are starting a three-part series on new CISO responsibilities.
So I am intrigued by this, but I have to admit, I'm not sure what you mean by new responsibility,
as if CISOs need more responsibilities. So what do you have in store for us this week, Rick?
Well, you know, Dave, it's no secret that I'm what you might call a gray hair. Okay, I've been doing this stuff for about 25 years.
And when I started back in the day,
a CISO's job mostly centered around their deployed security stack,
you know, firewalls and antivirus.
And if they had any resources, they may even be running a SOC.
But today, if you just listen to any of your daily podcast shows,
the things that we are talking about involve a
whole lot more, like you were saying, lots of responsibilities. You know, things like IoT and
identity and supply chain, just to name a few of them. And for this series, we're trying to
determine if the responsibility to secure those non-traditional critical business functions
have been formally moved under the CISO's official list of duties, or are they,
and I'm using air quotes here, extra duties as assigned, because there seems to be a lot of them.
I was just going to say that. I was going to use that exact same phrase. Yeah, yeah.
Listen, we've got a few more things. Yeah, and the leadership has not told the CISO to do it,
but we all know that we better do it or the probability of material impact to our organization might be high.
And so this week's show is about OT, or operational technology, and industrial control systems, or ICS.
And I guess it's pretty timely with the Colonial Pipeline attacks that we all learned about over the weekend.
That's right.
Absolutely.
So that is on the CyberWire Pro side of things. And
you're currently on season five of the podcast, but you're also releasing episodes from season one
to the general public. What's happening over there? Yeah, we've been talking about this for
the past few weeks. We wanted the public to get a taste of what they were missing from our Pro
offering before they had to plop down their hard-earned money on a subscription. And so far, we've released episodes on SASE, machine learning, and one of my favorites,
recommended cybersecurity novels, all right?
So I'm having fun with all that.
But this week's episode, we're talking about risk metrics.
Well, that sounds good.
You know, I like to talk to folks over here on the Daily Podcast. And honestly, there seems to be a lot of confusion about how to even do that or if it's even possible
to get a handle on risk metrics. Yeah, I know what you mean. I've struggled with this for my
entire career, but it wasn't until I read a book by a guy by the name of Dr. Philip Tetlock many
years ago called Superforecasting. And then I realized there must be a better way. Yeah,
I've heard you talk. I think you and I have talked about that book together before.
So why was that book so compelling to you?
So Dr. Tetlock worked for DARPA, and he was watching CNN one day. And you know how the
news shows bring in all these pundits to talk about what's going on in the news.
And he got really upset because they brought this one guy on
who forecasted something right once in his career,
but has been wrong ever since, right?
And so he thought there should be like a chyron
rolling on the bottom of the screen that says,
this guy got one out of 10 correct in the last five years.
So being a DARPA scientist, he does this experiment.
He puts three groups together, a bunch of academians, the intelligence community,
and a group he lovingly refers to as the soccer moms.
Now, these weren't really soccer moms.
They were just kind of older people that had time to solve problems.
And he gave them really hard problems to forecast,
like will President Putin get assassinated in the next
three years? And he gave them 500 of these things and graded them over time. And I think I may have,
you know, buried the lede, but the soccer moms won the competition by like 46%.
Wow. And there's lots of reasons for it. And the book is fascinating. I recommend it.
Mostly because the soccer moms didn't have a bias. They didn't care who, you know, what outcome there was. Oh, interesting. Interesting.
I can't help thinking of that old phrase about how even a broken clock is right twice a day.
That's exactly right. But it did show that there's this group of people that Tetlock calls
super forecasters who are really good at this by just examining the
evidence. And so the point is that superforecasters know how to forecast risk for really hard
problems. And cybersecurity risk is a really hard problem. So in this episode, we talk about how to
do just that. All right. Well, we will all check that out. Rick Howard, thanks for joining us.
Thanks, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha! The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.