Multiple US energy firms attacked with ransomware in the past 12 months – report
Fuel supply disruption in the US caused by a ransomware attack on the Colonial Pipeline dominated infosec news for the past month. The attack, however, was far from the only one targeting US energy companies, a report shows.
Last month a Colonial Pipeline facility in Alabama was hit by a cyberattack, forcing a shutdown of critical systems that provide 45% of the fuel supply for the US East Coast.
Colonial Pipeline paid the attackers $5 million worth of bitcoin, with over $2.3 million recovered by the authorities. The FBI concluded that the Darkside ransomware gang carried out the attack.
A recent report by Intsights, an external threat intelligence company, shows that this attack was not the first attack by Darkside on critical infrastructure, nor was Darkside the only cartel targeting such companies.
According to the report, in technical terms, other attacks were more severe than the one endured by the Colonial Pipeline.
For example, an attack on a US natural gas facility directly affected a compressor station, forcing the operator to shut down the whole facility for several days.
Analysts at Intsights gathered data from underground criminal communities and found that as recently as February 2021, three months before the Colonial Pipeline hack, the Darkside cartel successfully compromised a Brazilian electricity utility.
The cartel offers for purchase over 1TB of data containing user credentials, network reconnaissance details, backup schedules, and phone numbers and email addresses of customers and employees, including senior management, as well as legal and financial documents, engineering schematics, and utility network switches.
As recently as December 2020, Darkside affiliates stole data from a US-based oilfield services contractor for oil and gas companies in Texas and Pennsylvania. The threat actors offer tax accounts, health care information, and other company-sensitive material for purchase.
Data collected by Intsights indicates over 20 attacks on energy companies globally from May 2020 to May 2021. Half the targets operate in the United States. For example, Asarco, an Arizona mining, smelting, and refining subsidiary of Grupo Mexico, was hit with an attack in May 2021, with copies of employee identity documents circulating online.
The Russia-linked REvil/Sodinokibi gang is suspected to be behind the attack. Although not mentioned in the report, media report that the same cyber gang was behind the June ransomware attack against meat supplier JBS.
This April, CyberNews published research in which one of our team members tried to infiltrate the same gang, revealing their payout structure, cash-out schemes, and target acquisition strategies.
Another Russian-speaking gang, CL0p, is credited with attacking Royal Dutch Shell. The data the threat actors stole included copies of business contracts and employee identity documents. Last week, Ukrainian authorities reported that police exposed several CL0p affiliates in Ukraine, with over a million dollars found during several searches around the capital city of Kyiv.
RansomEXX, NetWalker, Doppelpaymer, Ragnar Locker, and the now-defunct Maze cartel are mentioned among criminal families that targeted energy companies in the US, Indonesia, Italy, and Japan. Disclosed data varies from information on management performance to critical documents such as operational schemes for energy facilities.
Criminals trade stolen information on closed forums, with prices for data ranging from $700 to $24,000. Intsights notes that a threat actor from Turkey offers to buy domain administrator-level access information on several companies. One of the offerings included data from a nuclear energy company in Romania, sold for $3,000.
Criminal gold rush
A sharp spike in ransomware attacks against businesses worldwide has already been dubbed a gold rush by experts in the field. Multiple factors add to the surge in ransomware attacks. However, two critical elements for success stand out: a global pandemic that forced billions of workers to use unsecured networks, and the success of the double extortion tactics employed by ransomware groups. Criminal gangs insert themselves into critical systems, steal sensitive data, and disrupt victims’ daily operations.
The victim is forced to pay both for the stolen data and for the digital keys that allow operations to continue. For maximum effect, criminals target businesses that hold sensitive data and cannot handle a halt in operations.
“Ransomware gangs became much more focused and much more targeted, finding their victims in almost every possible industry that showed even the slightest vulnerability, including military, public administration, and, of course, hospitals and emergency services. And if the initial intrusion was successful, cyber-criminals made the most of it,” Ondrej Kubovic, ESET's security awareness specialist, said during the ESET World 2021 conference this month.