Hacker Group Behind Colonial Pipeline Attack Claims It Has Three New Victims (cnbc.com)

PolygamousRanchKid shares a report from CNBC: The hacker group DarkSide claimed on Wednesday to have attacked three more companies, despite the global outcry over its attack on Colonial Pipeline this week, which has caused shortages of gasoline and panic buying on the East Coast of the U.S. Over the past 24 hours, the group posted the names of three new companies on its site on the dark web, called DarkSide Leaks. The information posted to the site includes summaries of what the hackers appear to have stolen but do not appear to contain raw data. DarkSide is a criminal gang, and its claims should be treated as potentially misleading.

The posting indicates that the hacker collective is not backing down in the face of an FBI investigation and denunciations of the attack from the Biden administration. It also signals that the group intends to carry out more ransom attacks on companies, even after it posted a cryptic message earlier this week indicating regret about the impact of the Colonial Pipeline hack and pledging to introduce "moderation" to "avoid social consequences in the future." One of the companies is based in the United States, one is in Brazil and the third is in Scotland. None of them appear to engage in critical infrastructure. Each company appears to be small enough that a crippling hack would otherwise fly under the radar if the hackers hadn't received worldwide notoriety by crippling gasoline supplies in the United States.
In a separate report from The Associated Press, the East Coast pipeline company was found to have "atrocious" information management practices and "a patchwork of poorly connected and secured systems," according to an outside audit from three years ago. Slashdot reader wiredmikey shares an excerpt from the report: "We found glaring deficiencies and big problems," said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. "I mean an eighth-grader could have hacked into that system." Colonial said it initiated the restart of pipeline operations on Wednesday afternoon and that it would take several days for supply delivery to return to normal.
  • DarkSide is a criminal gang, and its claims should be treated as potentially misleading

    I appreciate that warning, I always considered pipeline hackers the soul of reliability.

• I sure trust what DarkSide says more than what the corporations they hack say.

• I sure trust what DarkSide says more than what the corporations they hack say.

        You should not trust the corporations when they say they are victims of "groups" or "gangs". There is no reason to believe there is a vast criminal conspiracy here rather than just some kid working alone.

        Suki [youtube.com]

    • curious.
      how easy is it to hack if one wakes up in a cage

  • by Anne Thwacks ( 531696 ) on Thursday May 13, 2021 @08:04AM (#61379854)
    "We found glaring deficiencies and big problems," said Robert F. Smallwood

    So they are Windows users.

  • by gweihir ( 88907 ) on Thursday May 13, 2021 @08:18AM (#61379878)

    And I do not mean firings but prison time. Negligence does not get much more gross than this.

    • Good luck with that, the Experian hack demonstrated there are none for corporations.

      Now the hackers? We know they can haz consequences. I think they should have some very Russian accidents. You know, falling out of open windows onto some bullets. Some nerve agent in their food and drink. Some polonium flakes for breakfast. Suffering electric shocks, while falling down an elevator shaft, onto some blunt objects - all repeatedly.

      A few could also have distinctly American accidents. They could get run ove
      • by thomst ( 1640045 )

        Inglix the Mad mused:

        Now the hackers? We know they can haz consequences. I think they should have some very Russian accidents. You know, falling out of open windows onto some bullets. Some nerve agent in their food and drink. Some polonium flakes for breakfast. Suffering electric shocks, while falling down an elevator shaft, onto some blunt objects - all repeatedly.

        Keep an eye in the news around Russia...

        Er - no.

        What this "press release" from Dark Side announces is, "We've been assured by the GRU that we will suffer no consequences at all for continuing our criminal enterprise - as long as we confine our attacks to countries other than Russia ... "

        • Er - no.

          What this "press release" from Dark Side announces is, "We've been assured by the GRU that we will suffer no consequences at all for continuing our criminal enterprise - as long as we confine our attacks to countries other than Russia ... "

Yes, that's what Russia has set up for them, and I agree one hundred percent that Russia won't bother them in the slightest. That, however, is not what other countries are offering. Now if you don't think the US murders people who are... problematic, well, you continue to be a sweet summer child. Russia won't be happy, but the USA is usually smart enough to keep its fingerprints off, since it has to defy rules to do such unpleasant things already. What is actually worse is that US intelligence has this a

      • Good luck with that, the Experian hack demonstrated there are none for corporations.

        Pretty sure you mean Equifax.

    • by bws111 ( 1216812 )

      Prison time? What law do you imagine was violated that would warrant prison time?

    • So you are for prison time for non-violence offenses?

      • Most of the current US prison population is *already* doing time for non-violent offenses. Violent offenders are in the minority. Most of them are low-level things like drugs, DUI, embezzlement, theft, etc etc. and of course gang activity. And dope.

      • by gweihir ( 88907 )

If they endanger critical infrastructure willfully or through gross negligence, yes. Because if that escalates there will be violence, and not only a bit of it.

    • And I do not mean firings but prison time.

      "Firing" as in "range" - just make sure the pipeline isn't behind 'em.

      • I agree, the hackers should be lined up.

        Not what you meant?
• I read not long ago where somebody was killed by a Mexican gang with a Phillips screwdriver.

          What a slow agonizing way to die. Perhaps these guys could be candidates for that sort of treatment.

        • by gweihir ( 88907 )

          I meant the hacks on the other side. But you know that.

    • Since they are privately held, I'm not aware of any law that makes them guilty of a crime.

      They however can be sued and forced to be sold to another company that handles a critical and dangerous commodity in a more responsible way.
  • by DaveV1.0 ( 203135 ) on Thursday May 13, 2021 @08:32AM (#61379914) Journal
    From the summary:

    "We found glaring deficiencies and big problems," said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit

    But they only started looking for a cyber security chief two months ago. They knew they had a problem and waited four years to begin addressing it. That is criminal negligence and failure to perform fiduciary duties. At the very least, the CEO, president, and CIO should be fired.

    The company targeted in the biggest pipeline hack in history began searching for a cyber-security chief two months ago. [slashdot.org]

  • When are these DarkSide undergarment stains going to be identified, and who's going to take them out?
  • is drone strikes/special forces attacks for the perpetrators, and jail time for the executives.

    Any less is of course, not enough.

  • not backing down in the face of an FBI investigation and denunciations of the attack from the Biden administration

    Denunciations?? OMG, what is next? Reprimands? Harsh scolding?

    I think I see why these attacks are continuing.

    • A severe finger wagging with a "this time I'm serious" chaser ought to do it.
    • not backing down in the face of an FBI investigation and denunciations of the attack from the Biden administration

      Denunciations?? OMG, what is next? Reprimands? Harsh scolding?

      I think I see why these attacks are continuing.

      Putin stated that he has no idea who or where the hackers are, but instead of denunciations, how about we make it Putin's problem?

      Letting Putin get away with saying he has no control over this is a cop out, it fosters a climate of lawlessness and tacit approval.

      We should put pressure on Russia with specific strings attached, saying in effect: these sanctions will be lifted once these criminals are brought to justice. (For a reasonable suggestion, let's say that the hackers should be brought before the Inte [icj-cij.org]

    • Fine, they'll send a strongly-worded letter. That will teach them a lesson!
  • by Java Pimp ( 98454 ) on Thursday May 13, 2021 @09:11AM (#61379990) Homepage

    Do not hire Smallwood to do a security audit of your company.

    That article doesn't say what Colonial did to improve their infrastructure after the audit. It just says Smallwood doesn't consider confidentiality important.

    Colonial gets hacked, Smallwood pipes up, "oh yeah, we audited them three years ago and their security sucked."

    It doesn't say, 1, what was fixed since the audit? 2, what attack vector was used to compromise the infrastructure? 3, was that attack vector identified by the audit three years ago? 4, was the attack vector missed by the audit by Smallwood? 5, was the attack vector something introduced since the audit?

    We are currently looking for an external auditor for my company. If after the audit we perform the steps necessary to correct any deficiencies and get hacked down the road anyway, I'd see a lawsuit if the auditor were to breach our confidentiality in this way.

    • Agreed.

      Unless the client goes to the media and says, "we did everything Smallwood recommended but they missed all sorts of things", Smallwood should not say a damn thing.

      They're throwing up a big billboard announcing that they're happy to embarrass anyone who hires them. Seems like a bold PR strategy.

    • Worse than that.

      How far the company, Colonial Pipeline, went to address the vulnerabilities isn’t clear. Colonial said Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%. While it did not specify an amount, it said it has spent tens of millions of dollars.

      “We are constantly assessing and improving our security practices — both physical and digital,” the privately held Georgia company said in response to questions from the AP about the audit’s findings. It did not name the firms who did cybersecurity work but one firm, Rausch Advisory Services, located in Atlanta near Colonial’s headquarters, acknowledged being among them. Colonial’s chief information officer sits on Rausch’s advisory board.

      That doesn't sound very independent. Plus there are three other firms with a disconnect between whatever they said and did and the current results.

      Smallwood said he was reluctant to go public about the Colonial audit for fear of alienating future clients “but the gravity of the situation demands that the public know just how fragile some of these systems within our infrastructure are.”

      Kind of like a whistle-blower without the anonymity, like Snowden. Same bridge-burning too.

    • > I'd see a lawsuit if the auditor were to breach our confidentiality in this way.
      Arguably, the lawsuit would be even more justified if you did not correct any deficiencies. At least in the case where you did fix deficiencies they were telling only !outdated! confidential company secrets.

  • by slack_justyb ( 862874 ) on Thursday May 13, 2021 @09:13AM (#61379992)

    A lot of the critical systems of our country are horribly maintained and poorly secured. For many governments and private companies they look at technology like you'd buy a toaster. Pull it out of the box, use it, and then once it finally is no longer usable, you just go buy a new one.

    About two weeks ago there was a poster on Reddit indicating that they had found eight open PASSWORDLESS VNC connections to SCADA systems [imgur.com] hooked up to the Internet that controlled some oil fields. They also indicated that this wasn't the first oil field [imgur.com] they found doing this. Worse yet, they found the locations from a simple Shodan search for 5800/5900. They x'ed out the IPs but you can literally take this much, search port 5800/5900 on Shodan and confirm these sitting out there.

    XXX:XXX.XXX.155:5800 (Texas)
    XXX:XXX.XXX.106:5800 (San Diego)
    XXX:XXX.XXX.183:5800 (Colorado)
    XXX:XXX.XXX.184:5800 (Colorado)
    XXX:XXX.XXX.185:5800 (Colorado)
    XXX:XXX.XXX.112:5900 (Chicago)
    XXX:XXX.XXX.142:5900 (Chicago)

    Fortunately they reported all of this to CISA [cisa.gov] but yeah folks. This is the level our power plants, our oil fields, our telecommunications, and other critical parts of our society are operating at. And this, this isn't surprising, this is run of the mill 3rd party installation. Another post of the same user showed food grade dry goods pumps by an Israeli company and indicated that having an open VNC was standard practice for them. And Governments/Companies buy this crap because it's boxed up for them to just flat price install/support and then they don't have to think about it. Until all of it bites them in the ass. And then they're sitting there with "it's not our fault, we 3rd party, [infosecuri...gazine.com] blah blah blah.... [marketwatch.com]"

I mean, all of this is not something [slashdot.org] that is brand new. [slashdot.org] IT departments, intellectuals, and specialists in this domain have since the turn of the century been indicating that the vast majority of our critical infrastructure is not being cared for/is not being treated how sane people who understand technology would treat these systems. And what's worse is that the well written systems that have stood the test of time [logicmag.io] are the same systems that Governments and Companies:

    That said, even the most robust systems need proper maintenance in order to fix bugs, add features, and interface with new computing technologies. Despite the essential functions they perform, many COBOL systems have not been well cared for. If they had come close to faltering in the current crisis, it wouldn’t have been because of the technology itself. Instead, it would have been due to the austerity logic to which so many state and local governments have succumbed.

Every time a new pet project is brought into a company or government, the first one on the chopping block is the people supporting the system with the least amount of problems. Every time some new shiny is found, maintenance of the tried and true is lobbed into the trashcan. And it's this thinking that has led to the wide deployment of packaged systems for roles that they were never intended for, maintained by remote 3rd parties that barely invest one percent of the time actually required to ensure these systems stay secure and operational. And the thing is, if the

    • The toaster analogy is very correct for all tech devices. There are two parts to that though. People expect the technology to work like a toaster. You plug it in, push the button and make toast every morning, that's it. You don't worry about updating your toaster. You don't have to use a password to make it work. The 3rd party also tries to sell their highly complex systems as if they are toasters, just plug them in, push the button.
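The post above describes finding SCADA hosts on Shodan whose VNC service accepts a session with no password at all. What makes that checkable is that the RFB protocol announces its authentication options in cleartext right after the version banner. The following is an added example for this thread, not code from any poster or from Shodan: it implements the version and security-type negotiation from RFC 6143 and flags servers that offer security type 1 ("None"). The byte strings in `SAMPLE_CAPTURES` are constructed for the example, not real captures, and the host labels are placeholders. `probe()` does a live check and should only be pointed at systems you are authorised to test.

```python
"""Detect passwordless VNC (RFB) servers from their security-type handshake.

Added example for this discussion; not code from the thread or from Shodan.
Per RFC 6143: the server sends a 12-byte "RFB xxx.yyy\n" banner; after the
client answers with its version, an RFB 3.7/3.8 server sends a one-byte count
followed by its list of security types, while an RFB 3.3 server sends a single
4-byte big-endian type. Type 1 means "None": no authentication at all.
"""
from __future__ import annotations

import socket
import struct

# Registered security types (RFC 6143 section 7.1.2 and the IANA registry).
SECURITY_TYPE_NAMES = {
    0: "Invalid",
    1: "None (no authentication)",
    2: "VNC Authentication (DES challenge/response)",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    17: "Ultra",
    18: "TLS",
    19: "VeNCrypt",
}

# Constructed sample captures: (server banner, bytes sent after the version
# exchange). Labels are placeholders, not real hosts.
SAMPLE_CAPTURES = {
    "scada-hmi-a:5900": (b"RFB 003.008\n", b"\x02\x01\x02"),      # offers None and VNC auth
    "scada-hmi-b:5800": (b"RFB 003.008\n", b"\x01\x02"),          # VNC auth only
    "legacy-rtu:5900":  (b"RFB 003.003\n", b"\x00\x00\x00\x01"),  # 3.3 server picks None
    "hardened:5900":    (b"RFB 003.008\n", b"\x02\x13\x02"),      # VeNCrypt and VNC auth
}


def parse_version(banner: bytes) -> tuple[int, int]:
    """Parse the 12-byte ProtocolVersion message into (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].decode("ascii").split(".")
    return int(major), int(minor)


def parse_security_types(version: tuple[int, int], payload: bytes) -> list[int]:
    """Return the security types offered, from the bytes following the version exchange."""
    if version <= (3, 3):
        # RFB 3.3: the server chooses for the client and sends a u32.
        (sec_type,) = struct.unpack("!I", payload[:4])
        return [sec_type]
    count = payload[0]
    if count == 0:
        # A zero count means the server refused; a length-prefixed reason follows.
        (reason_len,) = struct.unpack("!I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    return list(payload[1:1 + count])


def is_passwordless(types: list[int]) -> bool:
    """True if the server will accept a session with security type None."""
    return 1 in types


def describe(types: list[int]) -> list[str]:
    return [SECURITY_TYPE_NAMES.get(t, f"unknown({t})") for t in types]


def triage(captures: dict[str, tuple[bytes, bytes]]) -> dict[str, bool]:
    """Map each captured endpoint to whether it is passwordless."""
    result = {}
    for label, (banner, payload) in captures.items():
        types = parse_security_types(parse_version(banner), payload)
        result[label] = is_passwordless(types)
    return result


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Live check of one endpoint. Only use against systems you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        version = parse_version(banner)
        # Answer with the server's version, capped at 3.8 (the highest we implement).
        s.sendall(banner if version <= (3, 8) else b"RFB 003.008\n")
        types = parse_security_types(version, s.recv(256))
        return {"host": host, "port": port, "version": version,
                "security_types": describe(types), "passwordless": is_passwordless(types)}


if __name__ == "__main__":
    for label, flagged in triage(SAMPLE_CAPTURES).items():
        print(f"{label}: {'PASSWORDLESS' if flagged else 'auth required'}")
```

Note that a server offering only type 2 is not "secure" either: classic VNC Authentication is a DES challenge/response with an 8-character password limit and no transport encryption, so the check above distinguishes "open to anyone" from "has some password", not "exposed" from "safe". Anything answering on 5800/5900 from the public Internet is the finding; a type-1 offer just removes the last excuse.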
  • the government gets smart enough to hunt them down and kick their doors in swat style and drag their asses to jail or if they are in a foreign country sneak in a covert assassin to just kill em and sneak out without being caught, that and use operating systems other than MS Windows to handle the high tech part because i would be willing to bet the computer systems that were hacked were ms-windows, switch to a hardened Linux or NetBSD or OpenBSD
• Windows isn't the problem. Poor security policies are the problem.
      End users who use Windows in enterprise situations would be as bad about maintaining their Linux devices, and Linux doesn't offer a magic anti-phishing net, nor can it coach you against social engineering attacks.

      What we need is better computer literacy, not blame-the-OS fanaticism.
• Make negligent people culpable. If an employee cannot confirm the identity of a caller or internet connection, then block them or hang up the phone, or hand it off to security to investigate further. Same with negligent IT: they should be held culpable for the hack if it is found that their lazy methods of systems administration allowed it to happen.
• It's easier than that. We did not have a navy at the time who could stop the Barbary Pirates, so we put a bounty on them. The challenge would be to come up with an identification method for the perps that we trusted that did not include a severed head. Then the bounty hunter gets paid.
• It cannot be covert, it has to be publicly viewed on the internet as a message to other wannabe extortionists. Don't call these people hackers, that dirties the name; they are criminal extortionists.
  • ... and its claims should be treated as potentially misleading. I think this should be added to nearly all quotes from organizations.

    ___ is an advocacy group for __ and its claims should be treated as potentially misleading.

  • If we made paying off these crooks illegal, there'd be a lot less incentive to actually do the attacks.
  • Just imagine the network security you can put into place for the same cost that your company is forking over in ransom.

    You reap what you sow I guess.

    If you want to go cheap and / or ignore your network security, well. . . . . . it probably costs you more in the long run than it would have to do it right.

  • Whatever you do don't mention MICROS~1 Windows :s