Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, April 14th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes David Shipley of Beauceron Security will be here to analyze some of the recent news. But first a look at headlines from the past seven days:
Was a Canadian gas pipeline recently hacked by a pro-Russian hacktivist? The group is quoted in a leaked Pentagon document claiming they breached and damaged the operational technology (OT) network of the unnamed utility. Did Prime Minister Justin Trudeau this week confirm it? David and I will parse the signals.
We’ll also look at whether governments are doing enough to stop the sale of commercial spyware after an Israeli firm was accused by Microsoft and Citizen Lab of creating malware that can hack iPhones. Reports say it may have been used by governments against political opposition figures and journalists.
Also under discussion will be the latest Windows security updates, and identity management.
Elsewhere in the news, Pro-Russian hacktivists may be increasingly targeting Canada for its support of Ukraine. While Ukraine’s president visited here this week the website of Prime Minister Justin Trudeau was temporarily blocked on Tuesday by a denial of service attack. And it was sporadically offline Wednesday and Thursday. Hydro Quebec’s website was temporarily blocked on Thursday. Pro-Russian groups have taken credit for both attacks.
Speaking of denial of service attacks, Cloudflare warned cloud computing providers that the virtual private servers they offer are increasingly being compromised to launch high-performance DDoS attacks. These providers have to get smarter about patching their servers and protecting management consoles.
North Korea’s skilled Lazarus Group has a number of malware campaigns going against various targets. One of them was aimed at companies handling cryptocurrency. But researchers at Kaspersky said this week that particular campaign has been shifting to defence contractors and diplomats in various countries. One tactic is sending a malicious job application; another is getting victims to download a corrupt version of a PDF reader to activate a malicious PDF file. All organizations need to regularly remind employees of how to carefully screen email messages.
Web server administrators are being warned to tighten their security after the discovery of a new piece of malware. Researchers at Cado Security call it Legion. It goes after vulnerable Apache web servers, particularly those running content management systems. The goal is to steal passwords for email, AWS, databases and payment systems.
Fortinet has fixed a vulnerability in its FortiPresence traffic analytics platform. If unpatched an attacker could access Redis and MongoDB databases.
Hyundai is notifying car owners and people who booked test drives in Italy and France of a data breach. A hacker copied email addresses, physical addresses and telephone numbers.
An estimated 1 million WordPress websites have been infected by a hacking campaign that’s been going on since 2017. That’s according to researchers at Sucuri. How are they compromised? Through vulnerable WordPress plugins and themes. How can this be avoided? By WordPress administrators being careful to choose and update the plugins and themes they use.
Finally, the FBI warned people not to use free public charging stations in malls and airports. That’s because hackers have found ways to hijack public chargers and inject malware into mobile devices.
(The following is an edited transcript of one of the four topics we discussed. To get the full conversation play the podcast)
Howard: Joining me now from Fredericton, New Brunswick is David Shipley.
Let’s start with the alleged cyber attack on a Canadian natural gas pipeline provider. This came out of recent leaked Pentagon confidential documents. The authenticity of all of the documents hasn’t been confirmed, but one was a communication between a pro-Russian hacktivist group called Zarya and a Russian intelligence officer. The group claimed it had hacked an unnamed Canadian gas pipeline, and provided what they said were screenshots of IT control panels. Asked about this on Tuesday, Prime Minister Justin Trudeau said this: “I can confirm in regards to reports of cyber attacks against Canadian energy infrastructure that there was no physical damage to any energy infrastructure following cyber attacks.” He didn’t say there has never been physical damage from a cyber attack, only that there “was no damage.” That could be interpreted as confirming there was a breach of security controls by this particular group recently. I asked the Prime Minister’s Office for clarification. As of the recording of this podcast I have received no answer. David, what do you make of this?
David Shipley: I think you’re right to focus carefully and to parse carefully the Prime Minister’s response. He didn’t say a cyber attack didn’t happen. He said there was no physical damage caused by it. There was no explosion — which makes sense because had there been physical damage or an explosion we probably would have heard about that. But if we take the Prime Minister’s comment at face value, he’s acknowledging a major pipeline operator did have a compromise of its security. This sadly does not come as a shock to me, and it shouldn’t to listeners. We’ve seen lots of examples of energy companies hit. Whether it was the Colonial Pipeline in the United States in 2021, multiple oil transport and storage facilities in Germany and the Netherlands in February 2022, and in 2017 there was the most spectacularly extreme close call in Saudi Arabia with an oil refinery facility targeted by Russians using the Triton malware — and their aim was actually to cause destruction. And they nearly succeeded.
What I suspect is the attackers [in Canada] were in the IT network, just like they were in the Colonial Pipeline. I have extreme skepticism that they were in the operational technology or the ICS (industrial control system) SCADA (supervisory control and data acquisition) network and could actually pull off a destructive attack given the complexity of these environments and the redundant physical controls. Is it possible? Sure. Probable? No. And that’s more to do with the complexity of the systems and good fortune than security. It’s hard to do, and we’ve been lucky.
For me the most interesting part of this story is the leak of the confidential documents, both how they were leaked and why. Why did this start on Discord if there’s more of these documents? [According to news reports the stolen documents were first posted on a private group on the Discord platform. Later they were discovered on other sites.] Why were these the first to get all the attention if the Russians did not directly leak this information? Did they influence someone [in the Discord group] to do it, or is this just an absolute bonus bonanza for them? At the end of the day, it’s a huge win for the Russians here. It makes the United States look bad. It makes them look inept at protecting highly classified signals intelligence. It erodes trust among all nations allied with the U.S. And some of this information has already been clearly altered to benefit Russian narratives, particularly around the number of its casualties in Ukraine. Assuming the leaks are legit — and you point out there’s some skepticism — various media outlets have confirmed that some of the documents are accurate. If part of the documents that are accurate is the Canadian one it’s pretty damn strong evidence of the relationship between Russian agencies like the FSB with these hacking groups. It’s stunning to think that these attackers are bragging it up to the FSB [of compromising the Canadian gas pipeline controls], and the FSB seems to egg them on. I see this as a massive shot across the bow. This is a warning we can get hurt.
UPDATE: At a press conference Thursday Canadian officials said the government had “a confirmed report where a cyber threat actor had the potential to cause physical damage to Canadian critical infrastructure.”
Howard: I’ll get to the source of those documents in a second. One thing I want to point out is one of the news stories in the United States from the leaked documents quoted the director of incident response for a U.S. industrial cybersecurity firm called Dragos who said that hackers have compromised Canadian oil and gas facilities in the past, although they didn’t say if that was the IT or the OT side. So perhaps that’s what Prime Minister Trudeau was referring to.
David: It could be. I think we did have a near miss with this leak of this information so maybe these are one and the same stories, or these facilities have been hacked in the past as well. I have a ton of respect for Lesley Carhart [of Dragos]. They have probably forgotten more about OT, ICS, SCADA than I will have ever learned in my lifetime, and Lesley’s analysis on this issue has been solid. And it’s where I draw such a strong conclusion that this was likely an IT and not an OT hack. I also agree with Dr. Stephanie Carvin, one of the top national security experts in Canada and a former national security analyst, with her take that the Zarya kids were likely bragging [to the FSB] more than what they could actually do.
Howard: This insider attack involved the leak of hundreds of copied documents which were initially posted on a members-only group on the Discord messaging site before being widely distributed. The Washington Post on Wednesday published an interview with a group member who says the leaker allegedly worked on an unnamed American military base. He was described as having a dark view of the U.S. government, speaking particularly of law enforcement and the intelligence community as a sinister force that sought to suppress its citizens and keep them in the dark. And this leaker allegedly ranted about government overreach.
David: The story from the Washington Post blew my mind when I read it. If this story is right — and I don’t have any reason to doubt any of the reporting — this is the biggest United States intelligence failure since Snowden. And from what I’ve read the motivation here is bragging rights in a Discord chat room … I would still like to see as this investigation pursues what influences may have nudged this individual to do this? I’d like to see more analysis if the Russians had any kind of win on this or if this is just simply watching an own goal. When I think about the scale of the documents we’re talking about, the first 30 have been pretty controversial around the world. What could be in the other several hundred? What shoe is going to drop next?
Howard: Public Safety Canada encourages and hosts meetings between critical infrastructure providers, including energy companies, about cyber and physical security. The government encourages firms to do tabletop exercises. In fact, starting in January and going through June there are virtual tabletop exercises on cyber and physical security that the government has encouraged. In the fall there’s going to be a large-scale cyber-physical exercise program that includes hands-on keyboard workshops as well as discussions on cyber and physical security. Plus on April 27th there will be another of the regularly-scheduled informational security symposiums for companies with industrial control systems. I mention this because a year ago or so I interviewed a Canadian expert on internet-connected industrial control systems and I asked him if Canadian industrial firms are prepared for cyber attacks. And all he would answer is companies here understand the threat. Either he didn’t want to speak on behalf of all firms on their readiness, or what he meant was they know what to do. It’s up to them to do it.
David: I think in general industrial internet-connected critical infrastructure firms are doing the best they can with the resources that their firms choose to provide them. Those resources of course are influenced by the degree to which those companies have to spend on security by government regulations. In Canada our regulations are still woefully out of date. The only good news is that our largest energy transmission providers often link to the United States and their regulations have been updated and are better. So we have investments happening because of that. Our laws are a long way from being finalized and updated. All of the activities that you note are good, but we need more. We need the Communication Security Establishment — which has got the kind of mandate of both the Cyber Security and Infrastructure Security Agency (CISA) and the NSA in the United States — to duplicate what CISA does, which is ethical planned penetration tests with these firms. Note I didn’t say involuntarily. A CISA report recently published in February showed how successful they were (with a pen test) and most importantly, they didn’t name and shame the industrial company that they had hacked. But they shared how successful they were, how they could have been more successful had they simply had more time, and the basic things that could have been done to make their lives harder. That’s what we [in Canada] need across all of these large industrial critical players.
Howard: Coincidentally or not, as the president of Ukraine visited Canada this week there has been an increase in reported denial of service attacks on websites here. These include the website of Prime Minister Trudeau, the Senate, Hydro Quebec and several port authorities. Pro-Russian hacktivists have taken credit for some of these attacks.
David: DDoS attacks are a script-kiddie’s joy. It’s the graffiti of the web. It’s blocking traffic temporarily. It’s an annoyance, but it’s also a sign that we’re starting to rise to the level that we are worth annoying — which we should take as a good warning to get ready for worse.