Ransomware disrupts pipeline operations in the Eastern US. Other ransomware attacks reported by US municipal and Tribal governments. UK-US advisory on SVR TTPs. SolarWinds update.
Dave Bittner: Colonial Pipeline shuts down some systems after a ransomware attack, disrupting refined petroleum product delivery in the eastern U.S. We'll check in with Sergio Caltagirone from Dragos for his analysis. Other ransomware attacks hit city and tribal governments. A joint U.K.-U.S. alert on SVR tactics is issued, and the SVR may have changed its methods accordingly. SolarWinds revised downward its estimate of the number of customers affected by its compromise. Rick Howard previews his "CSO Perspectives" podcast on risk metrics; and four guilty pleas in a bulletproof hosting RICO case.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 10, 2021.
Dave Bittner: Colonial Pipeline disclosed Saturday that it has been the victim of a ransomware attack. The company said that, "On May 7, Colonial Pipeline Company learned it was the victim of a cybersecurity attack and has since determined that the incident involved ransomware. Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring." The incident began with the attackers stealing almost 100 gigabytes of data last Thursday, and then, Bloomberg reports, locked Colonial Pipeline computers and issued their ransom demand, at which point Colonial began taking systems offline in a precautionary attempt to contain the effects of the attack. The affected systems appear to have been business systems, not control systems. Later in the show, we'll hear from Sergio Caltagirone from Dragos for his insights.
Dave Bittner: Recorded Future tells Bloomberg that the ransomware strain involved appears to be DarkSide. Dragos tweeted that they've seen DarkSide in OT networks before, so in this respect at least, the incident has precedents. DarkSide is a Russian gang, and while Russian criminal groups are regarded as closely connected to Moscow's intelligence and security services, NBC reports that for now, most are treating the incident as a financially motivated caper, not state-directed sabotage. Some, like CrowdStrike co-founder and Silverado Policy Accelerator executive chairman Dmitri Alperovitch, regard this as a distinction without a difference. NBC quotes him as saying, quote, "whether they work for the state or not is increasingly irrelevant, given Russia's obvious policy of harboring and tolerating cybercrime," end quote.
Dave Bittner: Colonial Pipeline describes itself as the largest refined products pipeline in the United States, transporting more than 100 million gallons of fuel daily to meet the energy needs of consumers from Houston, Texas, to the New York Harbor. Its deliveries include gasoline, diesel, and jet fuel. The incident represents a major disruption of the U.S. energy sector, WIRED notes, although it's not the first cyberattack the sector has sustained. Infrastructure targets are increasingly attractive to ransomware operators. Reuters reports that oil futures have risen in anticipation of shortages.
Dave Bittner: In an effort to ameliorate the expected shortages, the Federal Motor Carrier Administration has issued an emergency waiver of certain provisions of parts 390 through 399 of Title 49 Code of Federal Regulations, effectively permitting drivers in 17 states and the District of Columbia to work extra or more flexible hours while they're hauling refined petroleum products that would ordinarily have been moved through Colonial's pipelines. The expectation is that road transportation will take up some - although not, of course, all - of the slack left by the pipeline disruption. The emergency directive is, for now, expected to remain in effect through June 9.
Dave Bittner: POLITICO says the incident is seen as a major challenge to the U.S. administration. The New York Times reports a Saturday evening White House statement to the effect that President Biden had been briefed on the incident and that the government was working to, quote, "assess the implications of this incident, avoid disruption to supply and help the company restore pipeline operations as quickly as possible," end quote. The statement also said the government was working with other organizations in the fuel sector to increase their protection against such attacks. Investigation is still in its early stages, and it's unclear how the attackers got into Colonial's systems. But the Times recounts a priori speculation that they might have exploited the now well-known and now patched compromises of the SolarWinds Orion platform and Microsoft Exchange Server.
Dave Bittner: For what it's worth, the goons responsible for the attack say they are apolitical and that in the future they'll choose their targets more carefully. Vice reports that the DarkSide gang seems concerned to head off the assumption that they're working for Moscow. They wrote in a statement, quote, "we are apolitical, we do not participate in geopolitics." The hoods tweeted, our goal is to make money, and not creating problems for society. They go on to say, "from today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future," end quote.
Dave Bittner: So honest crooks, not spies or saboteurs, says them. The rhetorical genre, especially the promise to avoid social consequences in the future, is what might be called unlikely insistence. It's sweet of them to be so concerned, albeit belatedly, about the externalities of their business, but we hope they'll forgive any skepticism their communique meets.
Dave Bittner: Ransomware has, of course, hit elsewhere. In unrelated incidents, both the city of Tulsa and the government of the Three Affiliated Tribes disclosed that they'd sustained ransomware attacks. Native News Online reports that on April 28, the government of the Three Affiliated Tribes - that is the Mandan, Hidatsa and Arikara Nation - has told its staff that it was affected by ransomware. More recently, the city of Tulsa, Okla., was hit by ransomware that took down some of its networks and websites. The Record by Recorded Future says that the city is currently in the process of restoring its systems, only a small percentage of which appear to have been affected.
Dave Bittner: A joint advisory issued Friday by the U.K.'s National Cyber Security Centre and three U.S. agencies - CISA, the FBI and NSA - describes the tactics, techniques and procedures Russia's SVR foreign intelligence service used in the SolarWinds compromise and elsewhere. The advisory is specific and unambiguous in attributing the attacks to the SVR. Its big point is that the SVR uses publicly available exploits for scanning and exploitation of vulnerable systems. A list of exploits the SVR is known to have used is provided with the qualification that the list can't be regarded as exhaustive. In its choice of targets, the SVR has recently shown a willingness to compromise trusted software supply chains. It also scanned for vulnerable instances of Microsoft Exchange Server, activity hitherto associated, for the most part, with Chinese intelligence operations. BleepingComputer notes that a foreseeable reaction to the U.S. and U.K. advisories has indeed been observed. The SVR is changing both its targeting and its TTPs.
Dave Bittner: SolarWinds has significantly reduced the number of customers it believes were affected by the compromise of the company's Orion platform in 2020. Where estimates had once run as high as 18,000, SolarWinds reported in an SEC filing that fewer than 100 customers appear to have been affected. The company explains the changed estimate like this - quote, "it's important to note that this group of up to 18,000 downloads includes two significant groups that could not have been affected by SUNBURST due to the inability of the malicious code to contact the threat actor's command-and-control server - one, those customers who did not install the downloaded version, and two, those customers who did install the affected version but only did so on a server without access to the internet. Among a third group of customers, those whose affected servers accessed the internet, we believe, based on sample DNS data, only a very small proportion saw any activity with the command-and-control server deployed by the threat actor. This statistical analysis of the same DNS data leads to our belief that fewer than 100 customers had servers that communicated with the threat actor. This information is consistent with estimates provided by U.S. government entities and other researchers and consistent with the presumption the attack was highly targeted," end quote.
Dave Bittner: Finally, four gentlemen have taken guilty pleas to U.S. federal RICO charges - that is, charges under the Racketeering Influenced and Corrupt Organizations Act - involving their operation of a bulletproof hosting service that provided infrastructure for cybercriminal gangs. The malware hosted by their service included Zeus, SpyEye, Citadel and the Blackhole Exploit Kit. The U.S. Department of Justice says that the four - two Russian citizens and their Lithuanian and Estonian employees - face up to 20 years imprisonment. They are scheduled for sentencing throughout the summer.
Dave Bittner: We checked in with Sergio Caltagirone from Dragos for his insights. Here's my conversation with Sergio.
Sergio Caltagirone: This is a major event. It is a company which provides 40% of the gas production or distribution to the East Coast of the United States. Without this pipeline, you would see gas shortages, you would see prices rising for consumers, obviously, impacts on gas-heavy businesses and operations that rely on large amounts of gasoline. And so, you know, from that perspective, there probably hasn't been a larger cyber impact to the country's, like, fundamental infrastructure before as this one.
Dave Bittner: What about from a national security point of view? I mean, we've seen the president has responded. He says that he's been briefed throughout. But, you know, it strikes me that hitting a pipeline of this size - well, they have our attention.
Sergio Caltagirone: Oh, yes, and maybe to great detriment to them. You know, this is an area where, you know, cybercriminals who are in it for the money, which this group claims to be - you know, I don't really trust too much what criminals say, honestly. So, you know, we - but if we take them at their word and that this is only a monetary operation for them, then, clearly, they're not doing well because this is bringing a lot more attention to them than is safe for them to continue operations. So from that perspective, I think it is, you know - I think, you know, while it's a negative, there's also a positive aspect to that which will - it brings a lot more attention not only to the problem but to this group in particular, which I hope results in policies and actions that allow us to start making inroads against this ransomware threat which has been plaguing us, you know, for five, seven years now. And, you know, really, we need to stop, you know, the headlines of another company, another company, another company, another organization getting hit all the time. It just - we need to find an end to this madness.
Dave Bittner: Do you think this is going to be an inflection point? Is this a bit of a wake-up call that, you know, we might see more effort, more funds, more resources from the federal government to shore up these bits of critical infrastructure?
Sergio Caltagirone: Dave, I have a huge amount of respect for the federal government, having, obviously, served there myself, and not only the federal government of the U.S., but, you know, large national governments worldwide who take this problem very seriously. And I know the U.S. government and other governments worldwide certainly do. But I'm also a realist to some extent and recognize that, you know, what we're trying to accomplish in cybersecurity, you know, takes a long time. And I do believe that this is not an inflection point. I believe we've already been at several inflection points before. I believe that we all recognize what the problems are, and the governments worldwide have done that. I feel like what needs to change is not inflection any longer, not introspection, not recognition of the problem. What needs to happen are direct action inside organizations, both public, quasi-public, private - organizations that we all rely on on a daily basis. And there are organizations that are doing great. There really are. You just don't hear about them because we only hear about the things that go badly. And the challenge, though, is that this is very, very uneven, that certain industries, certain sectors, are getting a lot of attention. Like, electric generation gets a ton of attention. Nobody wants to see an electric plant go down, right? But how many people talk about, you know, midstream or downstream natural gas or gasoline, you know, products? Not many. You don't hear about that that often. And yet it is a critical part of your infrastructure.
Dave Bittner: All right. Well, Sergio Caltagirone from Dragos, thanks so much for taking time for us today.
Sergio Caltagirone: Thank you, Dave, for having me, as always.
Dave Bittner: And it is always my pleasure to welcome back to the show Rick Howard, the CyberWire's chief analyst and chief security officer. Rick, great to have you back.
Rick Howard: Hey, Dave.
Dave Bittner: So on this week's "CSO Perspectives" podcast, you are starting a three-part series on new CISO responsibilities. So I am intrigued by this, but I have to admit I'm not sure what you mean by new responsibilities, as if CISOs need more responsibilities.
Rick Howard: (Laughter).
Dave Bittner: So what do you have in store for us this week, Rick?
Rick Howard: Well, you know, Dave, it's no secret that I'm what you might call a gray hair, OK? I've been doing this stuff for about 25 years. And...
Dave Bittner: Yeah.
Rick Howard: ...When I started back in the day, a CISO's job mostly centered around their deployed security stack - you know, firewalls and antivirus - and if they had any resources, they may even be running a SOC. But today, if you just listen to any of your daily podcast shows, the things that we are talking about involve a whole lot more, like you were saying, lots of responsibilities - you know, things like IoT and identity and supply chain, just to name a few of them. And for this series, we're trying to determine if the responsibility to secure those non-traditional, critical business functions have been formally moved under the CISO's official list of duties, or are they - and I'm using air quotes here - "extra duties as assigned"? Because there seems to be a lot of them.
Dave Bittner: I was just going to say that. I was going to use that exact same phrase.
Rick Howard: (Laughter).
Dave Bittner: Yeah. Yeah.
Rick Howard: Yeah, so, you know...
Dave Bittner: Listen. We've got a few more things. Yeah.
Rick Howard: Yeah. And the leaders - so the leadership has not told the CISO to do it, but we all know that we better do it or the probability of material impact to our organization might be high. And so...
Dave Bittner: Right.
Rick Howard: ...This week's show is about OT, or operational technology, and industrial control systems, or ICS. And I guess it's pretty timely with the...
Dave Bittner: Yeah.
Rick Howard: ...Colonial Pipeline attacks that we all learned about over the weekend.
Dave Bittner: That's right. Absolutely. So that is on the CyberWire Pro side of things. And you're currently on Season 5 of the podcast, but you're also releasing episodes from Season 1 to the general public. What's happening over there?
Rick Howard: Yeah, we've been talking about this for the past few weeks. We wanted the public to get a taste of what they were missing from our Pro offering before they had to plop down their hard-earned money on a subscription. And so far, we've released episodes on SASE, machine learning and one of my favorites, recommended cybersecurity novels, all right? So I'm having fun with all that. But this week's episode, we're talking about risk metrics.
Dave Bittner: Well, that sounds good. You know, I like to talk to folks over here on the daily podcast. And honestly, there seems to be a lot of confusion about how to even do that or if it's even possible to get a handle on risk metrics.
Rick Howard: Yeah, I know what you mean. I've struggled with this for my entire career. But it wasn't until I read a book by a guy by the name of Dr. Philip Tetlock many years ago called "Superforecasting." And then I realized there must be a better way.
Dave Bittner: Yeah, I've heard you talk - I think you and I have talked about that book together before. So why was that book so compelling to you?
Rick Howard: So Dr. Tetlock worked for DARPA, and he was watching CNN one day. And you know how the news shows bring in all these pundits to talk about what's going on in the news. And he got really upset because they brought this one guy on who forecasted something right once in his career but has been wrong ever since, right?
Dave Bittner: (Laughter).
Rick Howard: And so he thought there should be, like, a chyron, when, like, you're rolling on the bottom of the screen that says, this guy got 1 out of 10 correct in the last five years. So...
Dave Bittner: Right. Right.
Rick Howard: ...Being a DARPA scientist, he does this experiment. He puts three groups together, a bunch of academians (ph), the intelligence community and a group he lovingly refers to as the soccer moms. Now, these weren't really soccer moms. They were just kind of older people that had time to solve problems. And he gave them really hard problems to forecast, like, will President Putin get assassinated in the next three years? And he gave them 500 of these things and graded them over time. And I think I may have, you know, buried the lede, but the soccer mom won the competition by, like, 46%.
Dave Bittner: Wow (laughter).
Rick Howard: And there's lots of reasons for it, and the book is fascinating. I recommend it, mostly because the soccer moms didn't have a bias. They didn't care who - you know, what outcome there was.
Dave Bittner: Ah. Interesting.
Rick Howard: Right.
Dave Bittner: Interesting. I can't help thinking of that old phrase about how even a broken clock is right twice a day.
Rick Howard: (Laughter) That's exactly right. But it did show that there's this group of people that Tetlock calls superforecasters who are really good at this by just examining the evidence. And so the point is that superforecasters know how to forecast risk or really hard problems. And cybersecurity risk is a really hard problem. So in this episode, we talk about how to do just that.
Dave Bittner: All right, well, we will all check that out. Rick Howard, thanks for joining us.
Rick Howard: Thanks, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, HAH! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.