Tag Archives: WannaCry ransomware

The Wild West Mentality of Companies Running the U.S. Oil and Gas Infrastructure — and Who Pays for It

The ransomware attack on Colonial Pipeline Co. in May 2021 has hit an industry that largely lacks federal cybersecurity oversight, leading to uneven digital defenses against such hacks.

The temporary shutdown of Colonial’s pipeline, the largest conduit for gasoline and diesel to the East Coast, follows warnings by U.S. officials in recent months of the danger of cyberattacks against privately held infrastructure. It also highlights the need for additional protections to help shield the oil-and-gas companies that power much of the country’s economic activity, cyber experts and lawmakers say. “The pipeline sector is a bit of the Wild West,” said John Cusimano, vice president of cybersecurity at aeSolutions, a consulting firm that works with energy companies and other industrial firms on cybersecurity. Mr. Cusimano called for rules similar to the U.S. Coast Guard’s 2020 regulations for the maritime sector that required companies operating ports and terminals to put together cybersecurity assessments and plans for incidents.

 More than two-thirds of executives at companies that transport or store oil and gas said their organizations are ready to respond to a breach, according to a 2020 survey by the law firm Jones Walker LLP. But many don’t take basic precautions such as encrypting data or conducting dry runs of attacks, said Andy Lee, who chairs the firm’s privacy and security team. “The overconfidence issue is a serious phenomenon,” Mr. Lee said.

Electric utilities are governed by rules enforced by the North American Electric Reliability Corp., a nonprofit that reviews companies’ security measures and has the power to impose million-dollar fines if they don’t meet standards. There is no such regulatory body enforcing standards for oil-and-gas companies, said Tobias Whitney, vice president of energy security solutions at Fortress Information Security. “There aren’t any million-dollar-a-day potential fines associated with oil-and-gas infrastructure at this point,” he said. “There’s no annual audit.”

Excerpt from David Uberti and Catherine Stupp, Colonial Pipeline Hack Sparks Questions About Oversight, WSJ, May 11, 2021

Cyberwar: government hackers

The mysterious hacking group that supplied a critical component of the WannaCry “ransomware” software attack that spread across the globe in mid-May 2017 has been releasing alleged National Security Agency secrets for the past eight months.  Former intelligence officials now fear that the hackers, who go by the name Shadow Brokers, are taking a new tack: exposing the identities of the NSA’s computer-hacking team. That potentially could subject these government experts to charges when traveling abroad.

The Shadow Brokers on April 14, 2017 posted on a Russian computer file-sharing site what they said were NSA files containing previously unknown attack tools and details of an alleged NSA hack affecting Middle Eastern and Panamanian financial institutions.

But something went largely unnoticed outside the intelligence community. Buried in the files’ “metadata”—a hidden area that typically lists a file’s creators and editors—were four names. It isn’t clear whether the names were published intentionally or whether the files were doctored. At least one person named in the metadata worked for the NSA, a person familiar with the matter said.  Additionally, the hacking group in April, 2017 sent several public tweets that seemingly threatened to expose the activities of a fifth person, former NSA employee Jake Williams, who had written a blog post speculating the group has ties to Russia… Security experts who have examined the documents believe they contain legitimate information, including code that can be used in hacks, as well as the names of the files’ creators and editors.

Because nation-state hackers might run afoul of other countries’ laws while discharging their duties, they could, if identified, face charges when outside their country. So, to keep their own people safe, governments for decades have abided by a “gentleman’s agreement” that allows government-backed hackers to operate in anonymity, former intelligence officials say….

Some former intelligence officials suggested the U.S. prompted the outing of state-sponsored hackers when it indicted five Chinese military hackers by name in 2014, and more recently brought charges against two officers with Russia’s Federal Security Service over a 2014 Yahoo Inc. breach.  By exposing cyberagents, the Shadow Brokers appear to be taking a page from the U.S. playbook, said Mr. Williams, who worked for the NSA’s Tailored Access Operations hacking group until 2013. An NSA spokesman said the agency doesn’t comment about “most individuals’ possible current, past or future employment with the agency.”  “We’ve fired first,” Mr. Williams said, referring to the U.S. charging the alleged Chinese hackers by name. “This is us taking flak.”…

The documents revealed jealously guarded tactics and techniques the NSA uses to access computer systems…For example, the files include source code for software designed to give its creators remote access to hacked machines, and to evade detection from antivirus software. If the code was created by the NSA, it now gives security professionals a digital fingerprint they can use to track the NSA’s activities prior to the leak.

That could prove disruptive to NSA activities, forcing the agency to consider pulling its software from others’ networks and taking other steps to erase its tracks. And while the information could help companies determine whether they have been hacked by the NSA, it could also be used to create more malicious software. The Shadow Brokers tools, for example, are now being used to install malicious software such as WannaCry on corporate networks.

Mr. Williams initially thought the Shadow Brokers had access only to a limited set of NSA tools. His assessment changed after three tweets directed at him April 9, 2017 included terms suggesting the group had “a lot of operational data or at least operational insight” into his work at the NSA, he said.  The tweets, which are public, are cryptic. They express displeasure over an article Mr. Williams wrote attempting to link the Shadow Brokers to Russia. They also mention apparent software code names, including “OddJob” and “Windows BITS persistence.”…..OddJob is a reference to software released by the Shadow Brokers five days after the tweets. “Windows BITS persistence” is a term whose meaning isn’t publicly known.

Excerpts from In Modern Cyber War, the Spies Can Become Targets, Too, Wall Street Journal, May 25, 2017