Cyber crime strikes gas
We need national cyber insurance, kind of like national flood insurance
The Biden administration has declared a regional emergency over the shutdown of the largest fuel pipeline on the East Coast. Colonial Pipeline was hit with a ransomware attack that compromised its computer network, forcing the shutdown of the pipeline that carries nearly half the East Coast's gasoline, diesel, and jet fuel from the Gulf Coast in Texas up to New York Harbor.
The Alpharetta, Georgia-based company is working with law enforcement and the Department of Energy to restore its systems. To call this troubling would be a large understatement.
Ransomware has moved from a specialist craft practiced by a few skilled crews to a software-as-a-service business run from the cloud ("ransomware-as-a-service"). The tools and methods to infect and encrypt a target's systems, demand a ransom in hard-to-trace cryptocurrency, and collect the funds are, for a criminal gang, about as easy to obtain as signing up for Amazon Web Services. The AP reports:
However, two people close to the investigation, speaking on condition of anonymity, identified the culprit as DarkSide. It is among ransomware gangs that have “professionalized” a criminal industry that has cost Western nations tens of billions of dollars in losses in the past three years.
Supposedly, DarkSide bills itself as a "Robin Hood" that won't target hospitals, nursing homes, schools, or government systems, and donates a portion of its haul to charity. I don't buy this. Al Capone gave away a lot of cash too, but he was still a ruthless gangster. The gangs that "professionalize" cyber crime are still criminals, and the havoc they cause makes everything we buy, or do, more expensive.
It's nearly impossible for some companies to buy cyber insurance these days. Many insurance companies are exiting the market, capping ransomware coverage at 10 percent of policy limits, or refusing to cover it at all. A cyber crime policy without ransomware coverage is close to useless. The carriers that remain are very cautious about whom they will cover.
High-profile attacks like the one that crippled the City of Atlanta in 2018 cost taxpayers at least $2.6 million, when the ransom demanded was only about $52,000. Many insurers these days would rather a company hit by ransomware pay the ransom than fund a far more expensive recovery. The gangs know this, which only encourages them to go after more and more lucrative targets.
Nobody wants to admit to paying a ransom, but frequently the cost of refusing is many times the cost of complying with the criminals' demands. Whatever trojan, backdoor, or exploited vulnerability was used to get into the network may have been in place for months before the encryption was triggered. Backups may contain the same malware, ready for the criminals to hit again, and the next time they will ask for much more money. That is why a recovery has to start with finding and closing the original entry point and scanning what is restored, not just rolling back to the most recent backup.
It is in the criminals' interest to hand over the decryption keys when the ransom is paid, for the same reason kidnappers have to deliver the hostage: if the deal isn't honored, nobody will pay the next ransom. Paying is not the same as a clean recovery, though. The decryptors the gangs supply are often slow and buggy, and the newer crews, DarkSide among them, also steal data before encrypting it and threaten to publish it, so paying does not get the stolen copies back.
The latest round of ransomware gangs is more focused on the business end of things. Government players and top-tier hackers have generally exited the practice, preferring to move between "white hat" and "black hat" work. The hackers advising insurance carriers may even be the same ones who helped develop the ransomware tools and exploits in the first place.
These people tend to sell themselves to the highest bidder, and to whoever has the coolest toys for them to play with. They gather at conferences like DEFCON in Las Vegas, where there is little to tell the "good guys" from the "bad guys." I can tell you one thing about DEFCON: don't even think about bringing your "real" smartphone, laptop, or even RFID-enabled credit cards. By the time you leave, your data will be stripped clean.
Companies, local and state governments, courthouses, health care providers, even car makers like Kia Motors have suffered debilitating ransomware attacks that disrupted services. My Kia app wouldn't connect to the car during the two days the service was down. Imagine if Tesla Motors got hit.
Now that a gas pipeline has been shut down, other companies that run infrastructure should examine their security posture. Companies with SCADA (Supervisory Control and Data Acquisition) systems need to audit themselves down to the chips in their devices and look for IoT vulnerabilities before they are next. Typically, power company SCADA systems at plants, distribution switches, and operations centers are well protected and "air gapped" from any other network. But nothing can be taken for granted. The gap tends to erode as vendors get remote-support links and engineers get convenient access, and Colonial's case shows that an attack reportedly confined to the business IT side can still force an operator to shut down the physical system rather than risk it spreading.
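One concrete way to check whether an "air gap" actually holds is to audit exported firewall or NetFlow records against the segmentation policy the plant believes it has. The script below is an added example, not code from the original post, from Colonial Pipeline, or from any real operator. The address ranges, the jump host, the historian, and the flow records are all constructed, and the policy they encode is a hypothetical one chosen to show what "OT does not touch anything else" has to mean in practice: OT talks only to OT; the one sanctioned IT-to-OT path is an engineering jump host on SSH/RDP; the one sanctioned OT-to-IT path is the historian replicating process data outward; nothing outside those two ranges reaches OT in either direction.

```python
"""Audit exported flow records against an IT/OT segmentation policy.

Added example (not the post's or any operator's code). All networks, hosts,
and flows below are constructed; the policy is hypothetical.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed network definitions (assumptions for the example).
OT_NET = ipaddress.ip_network("10.50.0.0/16")       # PLCs, HMIs, historian
IT_NET = ipaddress.ip_network("10.10.0.0/16")       # corporate workstations, servers
JUMP_HOST = ipaddress.ip_address("10.10.9.5")       # the only sanctioned IT -> OT path
JUMP_PORTS = {22, 3389}                             # SSH and RDP only
HISTORIAN = ipaddress.ip_address("10.50.200.10")    # the only sanctioned OT -> IT path


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a firewall or NetFlow collector exports it."""
    src: str
    dst: str
    dport: int
    proto: str


def zone(ip_str):
    """Classify an address as OT, IT, or EXTERNAL (anything else, internet included)."""
    ip = ipaddress.ip_address(ip_str)
    if ip in OT_NET:
        return "OT"
    if ip in IT_NET:
        return "IT"
    return "EXTERNAL"


def check_flow(flow):
    """Return None if the flow is allowed by the policy, otherwise a short reason."""
    src_zone, dst_zone = zone(flow.src), zone(flow.dst)
    if src_zone != "OT" and dst_zone != "OT":
        return None                     # IT <-> internet traffic is out of scope here
    if src_zone == "OT" and dst_zone == "OT":
        return None
    if src_zone == "OT" and dst_zone == "EXTERNAL":
        return "OT host reaching outside the plant"
    if src_zone == "EXTERNAL" and dst_zone == "OT":
        return "outside traffic reaching OT directly"
    if src_zone == "IT" and dst_zone == "OT":
        if ipaddress.ip_address(flow.src) != JUMP_HOST:
            return "IT host other than the jump host entering OT"
        if flow.dport not in JUMP_PORTS:
            return "jump host using a non-sanctioned port into OT"
        return None
    # Remaining case: OT -> IT, allowed only for the historian's replication.
    if ipaddress.ip_address(flow.src) != HISTORIAN:
        return "OT host other than the historian reaching IT"
    return None


def violations(flows):
    """All (flow, reason) pairs that break the policy, in input order."""
    return [(f, check_flow(f)) for f in flows if check_flow(f) is not None]


def exposed_ot_hosts(flows):
    """OT addresses with a direct path to or from outside the plant: no gap left for these."""
    hosts = set()
    for flow, _reason in violations(flows):
        if zone(flow.src) == "OT" and zone(flow.dst) == "EXTERNAL":
            hosts.add(flow.src)
        elif zone(flow.src) == "EXTERNAL" and zone(flow.dst) == "OT":
            hosts.add(flow.dst)
    return hosts


# Constructed sample flows. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for internet and vendor addresses.
SAMPLE_FLOWS = [
    Flow("10.50.1.20", "10.50.1.21", 502, "tcp"),     # Modbus between OT hosts: fine
    Flow("10.10.9.5", "10.50.1.5", 22, "tcp"),        # jump host SSH into OT: fine
    Flow("10.50.200.10", "10.10.20.4", 1433, "tcp"),  # historian replicating to IT: fine
    Flow("10.10.4.77", "10.50.1.5", 3389, "tcp"),     # ordinary IT workstation RDP into OT
    Flow("10.10.9.5", "10.50.1.5", 80, "tcp"),        # jump host, but HTTP, not a jump protocol
    Flow("10.50.1.30", "203.0.113.10", 443, "tcp"),   # HMI talking to the internet
    Flow("10.50.1.31", "203.0.113.53", 53, "udp"),    # PLC gateway using external DNS
    Flow("10.50.1.40", "10.10.20.4", 445, "tcp"),     # OT host opening SMB to an IT server
    Flow("198.51.100.7", "10.50.1.5", 22, "tcp"),     # vendor "remote support" straight into OT
]

if __name__ == "__main__":
    found = violations(SAMPLE_FLOWS)
    for flow, reason in found:
        print(f"{flow.src:>14} -> {flow.dst:<14} {flow.proto}/{flow.dport:<5} {reason}")
    print(Counter(reason for _, reason in found))
    print("OT hosts with a direct outside path:", sorted(exposed_ot_hosts(SAMPLE_FLOWS)))
```

Run against real collector exports, the interesting output is not the count of violations but the `exposed_ot_hosts` list: every address on it is a controller or HMI for which "air gapped" is simply false, and the SMB flow out of OT is exactly the kind of path a ransomware worm uses to cross from the business network into the plant.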
This latest attack demonstrates how a single ransomware intrusion can have enormous consequences (watch gas prices in the eastern half of the U.S. soar if the problem is not corrected in the next 72 hours).
With ransomware "tech" now so easily accessible and operated like a business, the number of companies susceptible to these attacks will multiply. It's time for law enforcement, and the vaunted super-secret cyber capabilities of the U.S. intelligence community, to go on the offense (more than they already do) to shut this down.
The Biden administration would be well served by multiplying its efforts to keep American businesses, and the vital infrastructure the White House is always harping on, safe. Maybe some of the trillion dollars Biden is proposing can go to a national cyber insurance fund, kind of like national flood insurance. Because after this, it's going to be really hard for private companies to get cyber insurance, and even harder to stop the gangs from launching more attacks.
The Racketeers are Jay, Steve, and David. Click each name to contact us on Twitter!
The National Institute of Standards and Technology is doing the yeoman's work here:
https://www.nist.gov/cybersecurity
In addition to NIST pushing best practices and standards, there is a role for the FBI and the intelligence community in securing American businesses and infrastructure: being more transparent about the vulnerabilities the covert world knows about and is actively exploiting. That means switching from a default offensive posture, where a discovered flaw is kept secret so it can be used against adversaries, to a defensive one, where the flaw is disclosed to the vendor and the affected operators so infrastructure can be fixed. The U.S. government already has a process for weighing that choice (the Vulnerabilities Equities Process); the argument here is that its default should tilt toward disclosure.
"On Monday, Symantec revealed that it had traced how a hacker group it calls Buckeye—also known as APT3 or Gothic Panda and widely believed to be a contractor of the Chinese Ministry of Security Services—used NSA hacking tools apparently intercepted from the networks of NSA targets and repurposed those tools to use against other victims, including US allies. Most notably, Symantec says, the Chinese group's hacking had planted an NSA backdoor on the network of its victims using a zero-day vulnerability in Microsoft's Server Message Block (SMB) software, also seemingly learned by studying the NSA's hacking tools."
"That newly revealed hijacking of the NSA's intrusion techniques doesn't just dredge up longstanding questions about how and when the NSA should secretly exploit software vulnerabilities to use for spying rather than help software companies to fix them. It also adds another chapter to the strange story of this particular zero-day's journey: Created by the NSA, intercepted by China, later stolen and leaked by another mysterious hacker group known as the Shadow Brokers, and ultimately used by North Korea and Russia in two of the most damaging and costly cyberattacks in history."
https://www.wired.com/story/nsa-zero-day-symantec-buckeye-china/
This is perhaps where an entirely separate network and set of connected devices, not touching the internet at all, is required for vital infrastructure. Good practices will still be needed, since physically separated networks get bridged by USB drives, engineers' laptops, and vendor remote-access links, but physical separation remains a useful (if expensive) strategy.