2021 Week 19 Security Roundup


Summary

The Colonial Pipeline hack dominated the news cycle this week. This is probably the largest infrastructure hack in the history of the world, and it will probably remain in the news for weeks to come.

News

Colonial Pipeline Ransomware Hack

This may end up being the largest infrastructure attack in U.S. history. From the various reports, it looks like the threat actor that launched the attack is DarkSide. DarkSide is thought to be a Russian group, as they avoid attacking Russian companies and others in Russian-speaking former Eastern Bloc countries. They released a statement Monday saying that an affiliate was responsible and vowing to rein in their partners in the future to avoid causing social and political strife. In the past, the DarkSide group has presented itself as social justice warriors taking down corrupt corporations and has been known to donate 10% of its ransoms to charities.
While no one has indicated that the Russian government is behind the attack, almost all experts agree that Russia's hands-off approach to hackers who do not attack Russian entities has made the country a kind of safe haven for hacking groups. At Monday's press conference, the Biden administration indicated it is looking at changing its predecessor's (and his former boss's) practice of turning a blind eye to Russia. This might come in the form of sanctions if changes are not implemented.
One aspect that should be mentioned is that the FBI and industry groups have asked that no one pay ransoms in cases like this. The primary reason is that payment just encourages more ransomware in the future. Additionally, there have been several instances over the last year where the bad actors were either unable or unwilling to decrypt the files even after a successful payment. According to the Washington Post, Colonial had decided not to pay (as of 5/12), but the next day several reports indicated that they did pay $5 million.
On Friday it was reported that DarkSide's servers were taken down by unknown actors. DarkSide said that their blog, payment server, and DoS servers were all taken out of their control. They also reported that an undisclosed amount of cryptocurrency was withdrawn from the server hosting ransom payments. Some have speculated that the United States 780th Military Intelligence Brigade was responsible, but this is in no way confirmed.

I am going to give my two cents as someone who studies risk. This and the gas shortages in Texas a few weeks ago should be making it into tabletop exercises in the coming months. Organizations need to have plans in place for key employees to be able to get to work when there is a lack of gasoline and diesel. Additionally, work-from-home options should be explored so that, when it makes sense, employees can do their work remotely.


Company's PR page:


Tulsa Oklahoma Ransomware Attack

The City of Tulsa suffered a ransomware attack. This did not seem to affect public-facing 911, police, fire, or other emergency services, but some administrative services of the Tulsa Police Department (TPD) were affected. Additionally, a city spokesperson said no customer information was compromised. As part of the steps taken to keep things functioning, officers were not taking reports on traffic crashes where there were no injuries, but instead having people fill out the forms themselves.

Legislative actions

Federal

President Biden signed an executive order that requires breach notification in certain instances. It also requires the hardening of federal government systems and networks.

