By Gregory Hale
Similarities often abound when a cyber event occurs, but that does not make the events similar or related. The problem is that “experts” will often try to make them appear dramatic so they can seem relevant or on top of their game.
Take the Suncor cyberattack that began at the end of last week, or the MOVEit Transfer ransomware attacks.
Quite a few stories and blog posts had “experts” saying the Suncor attack was similar to the Colonial Pipeline attack in May 2021. Yes, they were two oil industry players, and yes, there may have been a run on gas stations, but the similarities pretty much end there.
“Everyone is quick to make the connection to Colonial Pipeline,” said Ron Fabela, field chief technology officer at security provider, XONA. “This is more of a traditional event or ransomware attack that affected their point-of-sale system and their app. This is nowhere near the impact we saw with Colonial where there was this mass hysteria and a run on the gas stations. Suncor is more of an inconvenience and annoyance. What is interesting is this is a multi-day event so there is still impact at gas stations at Petro Canada, but it is not at the national security level impact we saw with Colonial.”
In the Suncor attack, the Canada-based oil giant suffered a cybersecurity incident that affected its ability to complete transactions with customers, officials said. The company said it is working with third-party experts to investigate and resolve the situation and has notified the appropriate authorities. At this time, the company said it was not aware of any evidence that customer, supplier or employee data was compromised or misused as a result of the incident.
The issues began on Friday (June 23), when customers reported problems logging into the app and website for Petro-Canada, a gas station chain owned by Suncor.
Suncor’s operations include oil sands development, production and upgrading; offshore oil and gas; petroleum refining in Canada and the U.S.; and the company’s Petro-Canada retail and wholesale distribution networks (including Canada’s Electric Highway, a coast-to-coast network of fast-charging electric vehicle stations).
In response to the attack against Suncor, Petro-Canada said in a Twitter post: “right now, some of our sites can only accept cash and our app and Petro-Points login are unavailable. Car washes may also be unavailable at some locations. What matters most to us is you and your safety. Thanks for your support and understanding as we work to keep you moving. Petro-Canada is a Suncor business and together, we’re responding to a cybersecurity incident. While our sites are open, you may experience disruptions to some services.”
“This is not related to Colonial at all,” said Ron Brash, vice president of technical research and integrations at aDolus Technology Inc. “Let’s say Suncor and Colonial really are not apples to apples. Colonial started on the corporate side, but it impacted systems that were OT in nature but they were for the scheduling and reconciliation of volume, because Colonial is essentially a transport company. That is a very different premise than my point system is not working at the pump. I don’t see this as a major incident. I just don’t.”
Not Colonial At All
“With Suncor really what I understand is refining did not have problems, and transport of product from the localized pipelines had no issues,” Brash said. “In Suncor’s case I have heard they are talking about Active Directory and log in. That is what is making me think it was an enterprise attack and nothing about OT at all. OT effects could only be collateral.
“This attack is very similar to the Honda ransomware a few years back both in effect and symptoms. They reported Active Directory and credential lockouts, but no OT being directly affected; it was mostly spillover. However, not widely publicized, supporting operations and just in time (JIT) were affected because their contractors couldn’t match crate engines to the invoices/work orders, for example – this affected third parties, factories and beyond. That cost them a large amount as well, but it didn’t impact the logistics systems specifically as called out in the Colonial attack, nor was it a serious economic and social event,” Brash said. “Not to mention that Suncor isn’t the sole producer and distributor of fuel in Canada, unlike other major pipeline players up there.”
Fabela and Brash agreed it was interesting that the Suncor attack occurred after the Canadian Centre for Cyber Security put out an advisory saying it is likely the nation’s oil and gas infrastructure will be targeted by threat actors.
But that does not necessarily mean it was a precursor to the event.
“This sounds connected, but it is tough to say it is connected,” Fabela said. “This could simply be opportunistic and financially motivated.”
“It could all be linked to what the Canadian government said, that one ransomware group is saying oil and gas enterprises could suffer compromise; it could be a consequence of that,” Brash said. “In Canada, there has always been this ‘they are always going to attack us’ kind of mindset. I have seen stuff, but it has been low complexity, but high frequency.”
In the end, people want to react – or overreact – to the incident.
“I call these people disaster enthusiasts,” Fabela said. “They don’t want anything bad to happen, but they are happy when it does.”
The same concept holds for the ongoing MOVEit Transfer ransomware attacks by the Clop gang, in which major companies such as Siemens Energy, Schneider Electric, Shell, and British Airways, to name a few, have fallen victim.
Progress Software Corp. reported the MOVEit Transfer zero-day vulnerability tracked as CVE-2023-34362. In addition, there was another issue that could lead to escalated privileges and potential unauthorized access to the environment.
In Progress MOVEit Transfer versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7) and 2023.0.3 (15.0.3), a SQL injection vulnerability (CVE-2023-35708) in the MOVEit Transfer web application could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.
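As an added example not drawn from the article or from Progress Software, the following script triages a constructed MOVEit Transfer inventory against the fixed builds the article lists; the hostnames and versions are made up, and treating branches not in that list as “review” rather than vulnerable is an assumption.

```python
"""Flag MOVEit Transfer builds that predate the fixes for CVE-2023-35708.

Added example (not from the article or from Progress Software). The fixed
builds are the ones the article lists: 2021.0.8, 2021.1.6, 2022.0.6,
2022.1.7 and 2023.0.3. The inventory below is constructed sample data.
"""
from typing import Optional

# Branch (major, minor) -> first build carrying the fix, per the article.
FIXED_BUILDS = {
    (2021, 0): (2021, 0, 8),
    (2021, 1): (2021, 1, 6),
    (2022, 0): (2022, 0, 6),
    (2022, 1): (2022, 1, 7),
    (2023, 0): (2023, 0, 3),
}


def parse_version(text: str) -> tuple:
    """Turn '2022.1.7' (or '2022.1.7 (14.1.7)') into (2022, 1, 7)."""
    first = text.strip().split()[0]  # drop the parenthesised alias
    parts = first.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates its branch's fix, False if patched, None
    if the branch is not in the article's list (assumption: manual review)."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def triage(inventory: dict) -> dict:
    """Map each host to 'patch', 'ok' or 'review' from its reported version."""
    labels = {True: "patch", False: "ok", None: "review"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "mft-01.example.test": "2022.0.5 (14.0.5)",
    "mft-02.example.test": "2022.1.7 (14.1.7)",
    "mft-03.example.test": "2023.0.2",
    "mft-04.example.test": "2020.1.6",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```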
“Yes, the threats are real, and the impacts are real, but the impacts have not been that great,” Fabela said.
He is not entirely sure the data stolen from the organizations has any real merit.
Not Traditional Attacks
“Traditionally what Clop does is they get in and lock out the system and they exfiltrate the data and conduct a double ransomware attack,” Fabela said. “They are moving away from locking up the system and just shaming the companies into paying the ransom, so they don’t release the data. This is like a smash and grab. They found the exploit on the file transfer servers, which are designed to be Internet facing. So, at the end of May, they smashed and grabbed as many organizations as they could and they exfiltrated all the data they could, and now they have been slowly ratcheting things up and leveraging as much as they could, saying they have so many days to respond, or we will put a page up, and if they don’t pay we will release the data.”
Fabela said he has seen Clop staying at one level and not trying to pivot further into the architecture of victims. That may restrict the type of data stolen by Clop.
“The takeaway I see from these attacks is our ability to operate through an attack where it doesn’t affect the customer or public confidence is really going to be the key moving forward,” Fabela said. “These attacks are going to happen, and I know that sounds defeatist, but we have to do the concrete things you can do now to prevent or operate during an attack.”