From SaaS (Software as a Service) to RaaS (Ransomware as a Service), and from Stuxnet to Triconex controllers attack.
Software as a Service (SaaS) is a software licensing model, in which software is licensed by its developers to persons or entities on a subscription basis.
Ransomware as a service (RaaS) is a ransomware licensing model, in which ransomware is licensed by its developers to persons or entities called "affiliates", that execute ransomware attacks. Developers and affiliates earn a percentage of each ransom payment.
Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access.
Ransomware variants become more sophisticated and destructive, year after year. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives, externally attached storage media devices, and cloud storage services that are mapped to infected computers. These variants encrypt users’ and organizations’ files, and render those files useless until a ransom is paid.
How can a ransomware attack occur?
We can start with a simple attack:
Step 1: A user is tricked into visiting a website or clicking on a malicious link that downloads a file from an external website.
Phishing emails and social engineering tricks can persuade users into visiting a website or even clicking on an attachment that allows the malicious code to take over the first computer.
Spearphishing campaigns using tailored emails that contain malicious links are often used. Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware, to assist in later stages of the attack life cycle with the eventual goal of deploying ransomware.
Stolen or weak Remote Desktop Protocol (RDP) credentials can also be used. Phone calls from social engineers, and fake software promoted via search engine optimization are effective too. Systems with common vulnerabilities are also attacked. Adversaries only need one user to click the wrong URL. Cybersecurity awareness training for all users having authorized access to data is of paramount importance.
Step 2: The ransomware takes advantage of vulnerabilities in the user’s computer and other computers to propagate throughout the organization.
Step 3: The ransomware encrypts files on all computers, then displays messages on their screens demanding payment in exchange for decrypting the files.
It is important to understand that criminal and state-sponsored groups are organized like corporations. They employ experts that are trained in IT and information security, and follow an industry closely. They have marketing departments, HR and customer service.
They identify and communicate with organized crime groups, and persuade them to lease their sophisticated ransomware software on a subscription basis. RaaS providers advertise on the dark web and offer ransomware, step-by-step training, and support throughout each attack.
Raas providers also employ experts known as Initial Access Brokers (IAB) that penetrate networks. Then they can sell access to other criminal groups and foreign intelligence agencies.
Some RaaS affiliates use IABs as service providers, just like corporations use service providers for some tasks. This not only allows each entity to focus on their areas of expertise, but it also diversifies the risk. There are hundreds of IABs selling access to businesses, government entities and critical infrastructure systems across the globe.
Attacking the oil subsector.
1. Colonial Pipeline, US
On May 6, 2021, Colonial Pipeline was hit with a ransomware attack by DarkSide hacker group.
It affected the lives of millions of people, gas stations across Alabama, Florida, Georgia, North and South Carolina, and Virginia, airports and airlines. Colonial Pipeline paid the ransom, and the pipeline was turned back on.
DarkSide is a Ransomware-as-a-Service (RaaS) entity, where developers are in charge of programming the ransomware software and payment site, and affiliates are recruited to hack businesses and encrypt their systems. The DarkSide developers receive a 10-25% cut, and each affiliate receives 75-90% of any ransom payment.
Law enforcement and private sector firms try to take down data leak sites, but DarkSide has stated that they plan to create a storage system in Iran to host the victim's stolen data.
They conduct “double extortion”: They encrypt and lock up the victim’s data, but also they steal data and threaten to make it public on the DarkSide Leaks site if companies don’t pay the ransom.
2. COPEL and Electrobras, Brazil
In February 2021, Companhia Paranaense de Energia (Copel), and Centrais Eletricas Brasileiras (Eletrobras), two major electric utilities companies in Brazil were successfully attacked with ransomware. Eletrobras is the largest power utility company in Latin America, and owns Eletronuclear, a subsidiary involved in the construction and operations of nuclear power plants.
COPEL was attacked by DarkSide, the same group that attacked Colonial Pipeline.
3. 2022 - Cyberattack against Amsterdam-Rotterdam-Antwerp (ARA) storage terminals.
Affected terminals are operated by SEA-Tank, Oiltanking and Evos. The cyberattack considerably disrupted the loading and unloading of refined product cargoes, in the middle of a continental energy crisis after Russia’s invasion of Ukraine and concerns about European energy security.
The ransomware prevented oil tankers from being loaded and unloaded. Tankers and barges had to be diverted to other ports, stifling the flow of heating, diesel, jet fuel, and gasoline in an already stressed supply chain for several days throughout northern Europe.
BlackCat, a ransomware-as-a-service operation that also targets the pharmaceuticals, construction, retail, insurance, and manufacturing industries, according to the Palo Alto Networks threat intelligence division (Unit 42).
4. 2017 - Attack at Saudi Aramco.
The attack had the objective to sabotage the firm’s operations and to trigger an explosion. It targeted Triconex controllers, an industrial control system by Schneider Electric, that keep equipment operating within safe parameters by controlling pressure, temperature and voltage.
XENOTIME is the name of the group behind the cyber attack. The group attacks oil and gas companies and electric utilities in Europe, the USA, Australia and Middle East.
After Stuxnet, the computer worm that was used as a cyber weapon to attack electro-mechanical equipment and nuclear facilities, we have attacks against industrial control systems that can have devastating effects. After the hybrid war in Europe, we must be prepared for more attacks affecting the critical infrastructure in general, and the Oil Subsector in particular.
Our training programs
Cyber Risk GmbH is offering training programs in some difficult areas, like the new NIS 2 Directive of the European Union that changes the compliance requirements of many entities in the Energy sector, Oil Subsector, and programs that assist the Board of Directors and the CEO in understanding cybersecurity challenges.
The Board of Directors and the CEO of entities in the Oil Subsector must understand that they are high value targets. For them, standard security awareness programs are not going to suffice. The way they are being targeted is anything but standard or usual. They are the recipients of the most sophisticated, tailored attacks, including state-sponsored attacks. These are attacks that are often well planned, well crafted, and employ advanced psychological techniques able to sway a target towards a desired (compromising) behavior without raising any alarms.
Countries expand their global intelligence footprint to better support their growing political, economic, and security interests around the world, increasingly challenging existing alliances and partnerships. They employ an array of tools, especially influence campaigns, to advance their interests or undermine the interests of other countries. They turn a power vacuum into an opportunity.
Countries use proxies (state-sponsored groups, organizations, organized crime, etc.) as a way to accomplish national objectives while limiting cost, reducing the risk of direct conflict, and maintaining plausible deniability.
With plausible deniability, even if the target country is able to attribute an attack to an actor, it is unable to provide evidence that a link exists between the actor and the country that sponsors the attack.
You may visit:
Cyber Risk GmbH
Tel: +41 79 505 89 60
We process and store data in compliance with both, the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.