Serious Ransomware: Colonial Pipeline

Last Friday, Colonial Pipeline, the operator of the largest petroleum pipeline between Texas and New Jersey, was struck with ransomware. Today, U.S. gasoline prices are the highest since 2016 and pumps are empty on the East Coast, a direct consequence of the hack.

If you have followed my posts on ransomware and cybersecurity in general, you know that I rant on the dangerous condition of industrial cybersecurity in the U.S. Maybe Cassandras like me will get some attention now that disregard for cybersecurity has slugged the average taxpayer in the wallet.

Colonial Pipeline

Colonial says they will be back in operation by the end of the week. We will see. The average ransomware recovery time is over 15 days, which predicts another week of disruption. Time to recover depends on a number of things. The size of the enterprise matters; the more complex and extended the system, the longer it takes to bring the system back. Recovery also depends on how prepared Colonial’s IT team is for a ransomware attack. I notice the Dow is dropping today, probably due to gas shortage jitters, which suggests that the smart guys on Wall Street are not confident of a quick recovery from Colonial.

Colonial is big and complex. It is not clear whether Colonial’s pipeline supervisory control and data acquisition (SCADA) was penetrated by the hack, but the pipeline was forced to shut down, which suggests the attack went beyond the usual accounting and HR systems.

Here in Whatcom County, we had some experience with a pipeline SCADA failure in 1999 when 200,000 gallons of gasoline flowed into Whatcom Creek and caught fire. A fisherman and two boys playing along the creek died. Property damage was at least $45 million. The direct cause was accidental damage to the pipe from excavation years earlier, but National Transportation Board investigation concluded that the spill could have been prevented if the SCADA had functioned properly. There were clues that the SCADA system had been hacked, but not enough evidence to be certain. (I discuss SCADA vulnerabilities in some detail in my book, Personal Cybersecurity.)

DarkSide

The FBI reports that the attack came from a Russian group called DarkSide. The group is not known to be directly affiliated with the Russian government, but the government turns a blind eye to DarkSide attacks on non-Russian interests. Effectively, DarkSide operates like an 18th-century privateer on the high seas, marauding foreign shipping with royal protection. The DarkSide group offers ransomware software for use by others. Who else may be involved has not been reported.

Who’s to blame?

Blaming Colonial for the breach may come easy. My personal experience with industrial cybersecurity is not good. Industries with high fences and tight physical security, like energy corporations, are often dismissive of cybersecurity threats, preferring to rely on their raw physical defenses. Colonial may be the exception, but I’m reminded of the recent SolarWinds hack that was the result of a totally avoidable bonehead password mistake. If something similar emerges, Colonial’s IT department will be roasted on a spit.

Nevertheless, I am sympathetic. Colonial Pipeline and many other ransomware victims are being attacked with the aid of a foreign government. Of course they bear some responsibility for their own security, but when a foreign government attacks, they should reasonably expect that government resources will lead the defense.

If a refinery were threatened by incoming ballistic missiles from North Korea, we would look to the Department of Defense to deflect the attack. We would see the missiles as an attack on our nation. Would anyone fault a corporation for building a refinery without an anti-missile defense system? They would be in trouble if they tried!

When the Space Force was established, I didn’t sleep any sounder, but I know my nights will be better when U.S. cyber defense policies are as coherently and vigorously executed as our conventional defenses. Today, responsibility for cyber defense is divided between the Department of Defense, Homeland Security, and other agencies, including the National Institute of Standards and Technology (NIST) in the Department of Commerce.

How we lose

This is the way to lose. Ransomware is just one manifestation of the ways in which nations are attacking on the cyber front. North Korea steals cash. China steals intellectual property on COVID-19. Russia disrupts pipelines. These are existential threats. A disconnected defense is suicide by disorganization.

Detecting Bogus Email

I’ve noticed from the flood of complaints in the news, on social media, and talking to friends, that dangerous email is worse than ever. The pandemic has shifted the bad hackers into high gear. I can help stem the flood.

I may be struck down for this hubris, but I’ve never been tricked by a bogus email, even though I’ve sent and received email almost from the day it was invented. I don’t have a special talent, only a suspicious character and a bit of technical knowledge. I’ve evolved some robust techniques for weeding out the bad emails.

I’m not talking about spam. Spam is unrequested commercial email, which is annoying, but not vicious. I’ll even admit that a few times, I’ve welcomed a spam message that brought me something new. The stuff I’m concerned with today is fraudulent and malicious email that is intended to do harm rather than legitimately sell a product or service you don’t want.

These emails are often called “phishing,” a term that is a little too cute for a farm boy who shoveled chicken droppings every Saturday morning until he left the farm for college.

Email is convenient. I remember when we had only a few choices for communicating: go to see the person, call them on the telephone, or send them a letter. Each method was useful, charming, and pestilential at times, sometimes all at once. I gripe about my overflowing email inbox, but clicking away the chaff is a lark compared to a lineup at my desk or a phone ringing constantly. Writing letters was, and still is, an art, but it’s called snail mail for a reason. As annoying as it can be, and handy as Slack and other messaging-style services are, email is still a communications workhorse.

Mail, telephone, and in-person fraud, harassment, and other scatter-shot deviltry abounded long before email. The worst of us never tire of devising new mischief to soil other peoples’ lives, but the rest of us have developed instincts, habits, customs, and laws that civilize our lives and tamp down the shenanigans that plague us.

However, instincts, habits, customs, and laws have not kept up with electronic innovation. Here, I’ll explain how I keep up with the email crooks.

I have a series of steps I go through with email. I divide the process into three phases: suspicion, confirmation, and reaction.

Suspicion

Do I expect this email? Do I know the sender?

If it’s Tuesday and I always get an email from my friend Peter on Tuesday, I feel safe reading it. Actually, at least half of my inbox is expected email from known senders. Faking a phone call or handwritten letter is more difficult than faking an email because voices and handwriting are laden with familiar clues to identity, but faking an email from a friend, outside of spy fiction, is still extremely difficult. Trust your intuition; it’s more powerful than you may think. If something feels off, check it out.

Intuition breaks down as relationships get more remote, especially in impersonal business email, but you have a great advantage: criminals are seldom as fastidious as legitimate email users. They’re in it for easy money and they usually don’t care about the impression they make or attracting return customers.

As a consequence, they don’t pay proofreaders and formatting professionals to ensure that their emails are perfect. Few businesses will send out emails with misspellings or sloppy formatting, but criminals often do. At best, they will copy an existing piece of legitimate email and make a few changes. If you spot misspellings, grammatical errors, misalignment of type, uneven borders, colors that are not quite right, be suspicious.

Why was this email sent? What’s its point? Does the sender want me to do something? Is there money involved?

Always be suspicious of any transaction you did not initiate. People and businesses are like slugs. They almost always react to stimulus from their friends and customers, but they seldom reach out unless they have something new to sell to you. Whenever there is money involved, be certain you understand exactly what the transaction is and why you are engaged in it.

Confirmation

If suspicion has set off alarm bells, check it out.

Uniform resource identifiers

Every savvy computer user should know a little about Uniform Resource Identifiers, or URLs. Although URI is technically correct, everyone calls them URLs (Uniform Resource Locators). Computing and network engineers have been evolving and improving the concept for over thirty years. They are a formal way of unambiguously naming almost anything and a key to computer-based communication.

We are all familiar with them, whether we realize it or not. We all know web addresses like https://example.com, and email addresses like mailto://marv@marvinwaschke.com. Librarians know ISBNs (International Standard Book Numbers). Even telephone numbers are now examples of naming systems that follow the URL standard.

Well. That’s fine for engineers and librarians, but what about ordinary users? Why should they know about URLs? Because knowing what a legitimate URL looks like often makes a fraud stand out like a black eye.

In another post, I’ve detailed reading URLs. Check out how here.

Recent hacker tricks

Lately, I’ve noticed that hackers have gotten very fancy with the characters in their URLs. I could indulge in a technical discussion of fonts versus character sets at this point, but I will simply say, look carefully at the characters in URLs. If I see an accent, squiggle, superscript, or an extra curlicue anywhere, I assume I am under criminal attack. Legitimate URLs and text avoid this. Hackers love it.
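As an added example, not code from the original post, here is a small Python inspector that splits a link into its parts and flags the host characters warned about above (accents, squiggles, letters from another alphabet), shows the punycode name a browser would actually resolve, and applies a heuristic for the look-alike digit trick of the m1crosoft.com kind mentioned later on this page. The sample URLs are constructed; only the standard library is assumed.

```python
import unicodedata
from urllib.parse import urlsplit

# Digits that are easy to mistake for letters when tucked into a brand name,
# as in the post's m1crosoft.com example. This is a heuristic, not a rule:
# plenty of legitimate hosts (web01.example.com) contain digits.
LOOKALIKE_DIGITS = {"0": "o", "1": "l or i"}


def inspect_url(url: str) -> dict:
    """Split a URL into scheme/host/path and list reasons the host looks suspicious."""
    parts = urlsplit(url)
    host = parts.hostname or ""      # lower-cased, port stripped, "" for mailto: etc.
    reasons = []

    # 1. Any character outside plain ASCII in the host: an accent, a squiggle,
    #    or a letter from another alphabet that looks like a Latin one.
    for ch in host:
        if ord(ch) > 127:
            name = unicodedata.name(ch, "UNKNOWN CHARACTER")
            reasons.append(f"non-ASCII character {ch!r} ({name}) in host")

    # 2. The name a browser really resolves is the IDNA (punycode) form; a
    #    disguised host turns into an obvious xn-- label here.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = ""
        reasons.append("host cannot be IDNA-encoded")
    if ascii_host and ascii_host != host:
        reasons.append(f"host actually resolves as {ascii_host}")

    # 3. A look-alike digit inside the registrable (brand) label, e.g. m1crosoft.
    labels = host.split(".")
    if len(labels) >= 2:
        brand = labels[-2]
        if any(c.isalpha() for c in brand):
            for digit, letters in LOOKALIKE_DIGITS.items():
                if digit in brand:
                    reasons.append(f"digit '{digit}' (looks like {letters}) inside label '{brand}'")

    return {"scheme": parts.scheme, "host": host, "ascii_host": ascii_host,
            "path": parts.path, "suspicious": reasons}


if __name__ == "__main__":
    # Constructed sample links: one clean, one with a Cyrillic 'а', one with a digit.
    for link in ("https://example.com/account",
                 "https://p\u0430ypal.com/login",
                 "http://m1crosoft.com/office"):
        result = inspect_url(link)
        print(link, "->", result["suspicious"] or "looks normal")
```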

Circle back

Legitimate businesses have no problem confirming their enquiries. For example, if you get a question about your account with XYZ company, call their publicly listed number (not the one a hacker gives you) and ask for an explanation. You may be bounced from desk to desk and have to wait on hold, but eventually you will get an answer: either a confirmation of a legitimate issue, or a statement that you can ignore the bogus email.

If XYZ is a company I would continue to deal with, the answer will be prompt, courteous, and helpful. If the process is difficult or the responses are impolite, I would look for an alternative for my future business. However, I always wade through to the end before accepting a hack. Personally, I will tolerate dreck to deal with a situation, but I will take steps to avoid future dreck.

Reaction

I am stubborn. I won’t knuckle under to cybercrime. When I am subjected to cyber assault, I report it and do my best to stop it. Frankly, with the state of cyber crime laws and enforcement, I don’t expect to see immediate results. I seldom anticipate that the criminal who assaulted me or my equipment will be punished, but I want to see cyber laws and enforcement strengthened. I hope international organizations will be formed or strengthened to punish or neutralize off-shore criminals. Nothing will change if crimes go unreported.

Two main routes can be used to report cybercrimes. I use both.

You can report crimes to law enforcement. I went into the details of reporting to local and federal law enforcement here. The Federal Trade Commission has a site for reporting identity theft and aids in recovery. They also have a site for reporting fraud.

Another way to report cybercrime is to report it to the organization that is affected. For example, if I received an email about Microsoft Office from m1crosoft.com (notice the “one” instead of an “i”), I would forward the message to phish@office365.microsoft.com. Many companies, especially tech-oriented companies, have facilities for reporting fraudulent emails. I use Google to find the proper procedure. American Express, as another example, requests that fraudulent mail be forwarded to spoof@americanexpress.com.

Our local, state, and federal governments and these companies all want to shut down the criminals. But they can’t unless we refuse to tolerate this form of crime and report it. Tedious, but worth it.

Reporting Cybercrime

This week I received the nastiest email I have ever personally received. For the sake of brevity, I will assume the spammer was male, although there was nothing in the spam that indicated the gender. He claimed to have infected my computer with malware and to have used my computer’s camera to record a compromising video of me. He threatened to send the video to my family and friends if I did not post him two thousand dollars in Bitcoin.

This was not mere spam (unsolicited commercial email). It was extortion. A felony in every state in the US. Spam is one thing, this is another.

To begin with, I knew that the video as described was impossible, the malware was unlikely, and a number of statements in the email were wrong.

First Response

My first reaction was to scan my computers for malware, just in case. I doubted that malware had been installed, but I am set up to run malware scans easily, so I did. I ran both Windows Defender and Malwarebytes scans on my two Surface tablets. Why I choose Malwarebytes and Windows Defender is a subject for another blog. I did not bother to run scans on my desktop and Linux machines—they have no video recording facilities. I let scheduled daily scans take care of them. My Android phone was not likely to have been involved in the threat, so I skipped scanning it, although I would have scanned it if I had the slightest suspicion that it might be infected.

Basic computer hygiene

The scans, as I expected, came up clean. If malware had been detected, the urgency of the situation would have increased. Why was I so sure my machines were not infected? Because I follow basic computer hygiene rules:

  • I don’t open questionable network links in emails.
  • I don’t open email attachments unless I am certain of their origin.
  • I don’t visit dodgy click bait sites.
  • I don’t download anything until I am sure the source is legit.
  • My passwords are strong and not duplicated.

Follow those rules and you are unlikely to get malware. Scan regularly and you are even safer.

I did not feel threatened, but I was annoyed. I like technology and computer networks, and I do everything I can to see that criminals who abuse computers are stopped.

Local law enforcement

Although I felt safe, I was not done. My next step was to call the local police. I knew calling was unlikely to get results because few local law enforcement agencies have staff trained for dealing with cybercrime. However, I have great respect for local law enforcement, in this case, the Ferndale Police Department. I checked the Police Department website for advice. They suggest calling 911 for any reason to speak with an officer. That’s not good advice everywhere. Some 911 dispatch units want only emergencies. But I called 911, saying upfront that it was not an emergency and explained what had happened. 911 was glad to take my call. We live in a nice place. A Ferndale police officer called me a short time later. He explained, as I expected, that there was little Ferndale or Whatcom County could do, but he mentioned the FBI. That was what I expected.

The FBI

I am familiar with the FBI IC3 site. The name stands for Internet Crime Complaint Center. It is a central clearinghouse for cybercrime reports. Most cybercrime crosses state and national boundaries. This is one reason state and local law enforcement are ineffectual against cybercrime. In my case, I had done some research and found clues pointing to Thailand as the origin of the email, although I am far from certain. Successfully detecting and prosecuting a foreign extortionist from a single email is unlikely, but these guys never make only one threat. I could tell from the email that it was a template that was sent to many potential victims. They do it over and over again, and each threat is a data point that the feds can use to triangulate on the criminal and eventually catch him and his gang.

Filling out the IC3 report took less than ten minutes.

When reporting email crime, the most important evidence is the email header. Users don’t ordinarily see full headers. Email systems are a “store and forward” relay system. The email you send does not hop from your computer to the computer of the recipient. Often, email goes through several computers (servers), each forwarding to the next until the email finds its way to a server that you connect with. Each of these hops is recorded in the email header. You can get to it from your email client like Outlook or Gmail. The exact method depends on the client, but look around for something that says, “Show Detail” or “Full Header” or “Show original”. Click there and you will get something that looks like this:

Delivered-To: xxxxx@gmail.com
Received: by 2002:a67:30c2:0:0:0:0:0 with SMTP id w185csp3264948vsw; Mon, 8 Apr 2019 00:55:42 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzG1OlfaefurTjEEX80PMgA3k53DcELE8674Psd+hb9+Rb3Y1QsBpv2ljrzP3M5Xwk=
X-Received: by 2002:ab0:1d82:: with SMTP id l2mr15233348uak.120.1554710142365; Mon, 08 Apr 2019 00:55:42 (PDT)
Authentication-Results: mx.google.com;

And a lot of other similar stuff. I copied and pasted the full header and email into the IC3 form.

The FBI investigators can use the header information to identify the origin of the email, even though the criminal usually tries to hide it. Also make sure the body of the email is included. In my case, the criminal included a Bitcoin address. Although Bitcoin transfers are vaunted to be anonymous, some arrests are made based on Bitcoin information. Flaws in software implementations don’t always favor the crooks.
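As an added example, not code from the original post, the following Python routine walks the Received lines of a raw message and lists the relay hops oldest first, which is how an investigator reads the chain described above. The message is constructed with documentation-only addresses; only the standard library is assumed.

```python
import email
import re

# Constructed raw message (not a real one) with three relay hops. Each server
# prepends its own Received line, so the top-most line is the newest hop and
# the bottom-most is closest to the sender.
RAW_MESSAGE = """\
Delivered-To: victim@example.com
Received: from relay2.example.net (relay2.example.net [192.0.2.20])
        by mx.example.com with ESMTPS id abc123; Mon, 8 Apr 2019 00:55:42 -0700 (PDT)
Received: from relay1.example.org (relay1.example.org [198.51.100.7])
        by relay2.example.net with ESMTP id def456; Mon, 8 Apr 2019 00:55:40 -0700 (PDT)
Received: from [203.0.113.9] (unknown [203.0.113.9])
        by relay1.example.org with SMTP id ghi789; Mon, 8 Apr 2019 00:55:30 -0700 (PDT)
From: "Support" <support@m1crosoft.com>
To: victim@example.com
Subject: Your account

Pay now.
"""

# "from <sender host> by <receiving host> ... ; <timestamp>" is the usual shape.
HOP_RE = re.compile(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$")


def parse_hops(raw: str) -> list:
    """Return the relay hops in chronological order (sender's side first)."""
    msg = email.message_from_string(raw)
    hops = []
    # Header order is newest first, so reverse it to follow the mail's path.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())        # join folded continuation lines
        match = HOP_RE.search(text)
        if match:
            hops.append({"from": match.group("from"), "by": match.group("by"),
                         "date": match.group("date")})
        else:
            hops.append({"raw": text})        # keep unparsable lines rather than drop them
    return hops


def trustworthy_hop(hops: list) -> dict:
    """The last hop was written by your own provider's server and is the only one
    you can be sure was not fabricated; earlier lines came from other servers."""
    return hops[-1] if hops else {}


if __name__ == "__main__":
    for number, hop in enumerate(parse_hops(RAW_MESSAGE), start=1):
        print(number, hop)
    print("trusted:", trustworthy_hop(parse_hops(RAW_MESSAGE)))
```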

What happens next?

What is likely to happen to my complaint? If mine is the only complaint against this guy, probably nothing. But if enough complaints come in, each complaint builds the profile of the criminal and eventually the pieces may fall into place and they will nab him. The US has an extradition treaty with Thailand, so the crook is not safe there.

A citizen’s duty

Most important, resources will never be allocated to crack down on cyber crime if citizens remain silent when crime occurs. That applies on every level. I wanted it on record with the Ferndale Police that it had occurred in Ferndale just as much as I wanted it on record with the FBI. Ferndale is a wonderful place with friendly people everywhere, but we are still vulnerable to these sleazoids and I want the FPD to know.

As citizens, we have a duty to our community to report crime when it occurs. Law enforcement can do nothing to prevent unreported crime.

If you have more questions about cybercrime, visit “Computers & Troubles” at the Ferndale Public Library from 3pm to 4pm the first and third Wednesday of every month and talk to me about it. I’m there to help you with all your computer problems. My grandson Chris usually is there to help. (We plan to take June, July, and August off. I hope the problems do also.)