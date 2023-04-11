

Hackers claimed to have breached a Canadian pipeline. Their assertions lie somewhere between dangerous and doubtful.

A Russian government-connected hacktivist group’s claims that it got into the networks of a Canadian gas pipeline company, brought to light in recently leaked classified U.S. government documents, sound potentially alarming echoes of the 2021 Colonial Pipeline hack and raise concerns about Russia’s capabilities to disrupt critical infrastructure.

At the same time, there are plenty of reasons to doubt how impressive the claim is, even if it is accurate, and to question whether the hackers could have done much with their access.

“A pro-Russia hacking group is receiving instructions from a presumed Federal Security Service (FSB) officer to maintain network access to Canadian gas infrastructure and wait for further instruction,” the February intelligence assessment reads, referring to a group known as Zarya. “The FSB officers anticipated a successful operation would cause an explosion at the gas distribution station. … If Zarya succeeded, it would mark the first time the IC [intelligence community] has observed a pro-Russia hacking group execute a disruptive attack against Western industrial control systems.”

Several critical infrastructure sectors, such as energy and manufacturing, rely on industrial control systems to keep facilities operational and safe. Zarya, though, is not a well-known group of hackers, nor do they have a track record of conducting anything more than “nuisance” attacks, said Allan Liska, senior security architect at cybersecurity firm Recorded Future.

The White House, National Security Council and Department of Homeland Security all declined to comment on the pipeline claims. National Security Council spokesman John Kirby on Monday added another layer of doubt about the tranche of documents, however, when he said, “We know that some of them have been doctored.” But many of the documents don’t appear to have been altered.

The view of Zarya and the vulnerabilities

Within the fluid and opaque Russian hacktivist community, Zarya is known for its connections to a group known as Cyber Spetsnaz, said Liska. That group, in turn, is said to be an offshoot of Killnet. All of them are best known for conducting distributed denial-of-service attacks that flood websites with fake traffic to knock them offline — some of the least-sophisticated and least-damaging kind of cyberattacks.

“They make a lot of bold claims, but we haven’t seen any actual proof of those claims,” Liska said of Zarya. They may have been responsible for knocking a Latvian government agency’s website down, he said, in what was perhaps their top prior achievement.

An administrator of Zarya is a hacker known as Hashi, according to Telegram messages. Hashi got his start as a teenager working with CyberSec — a company that employs “black hat” hackers who used to break into computers with malicious intent, according to cyber experts familiar with his activities who spoke on the condition of anonymity because of the matter’s sensitivity. Hashi and his friends had been hacking former Soviet-bloc targets, one expert said.

Another CyberSec hacker, Vladislav Horohorin or “BadB,” had served time in the United States for selling stolen credit- and debit-card information as an early member of the CarderPlanet forum, the expert said.

When the Ukraine war broke out, Horohorin took Ukraine’s side and Hashi took Russia’s, and Horohorin “doxed” Hashi — revealing personal identifying information about him on the Telegram app channel, the expert said.

Bryson Bort, founder of the cyber firm SCYTHE, said he wouldn’t be surprised if Zarya got inside the pipeline systems, given how vulnerable they are.

“Welcome to every day in industrial control systems ever,” Bort said. “I don’t think the capabilities are that complicated.”

In 2021, a ransomware gang got into the business networks of Colonial Pipeline, a major fuel supplier on the East Coast of the United States. Colonial decided to halt operations for five days as it recovered, sparking a fuel panic. It was one of several incidents that have prompted the Biden administration and Congress to advance stricter controls on critical infrastructure.

“If I’m part of the Canadian infrastructure, I’m on high alert, because you never want to take somebody who has access to my dashboard slightly,” Liska said. “If I’m everyone else, I feel like this is a ‘Mister Magoo’ situation,” he said, referring to the extremely nearsighted cartoon character. “They stumbled into something really interesting and potentially dangerous. It is not their normal M.O.”

The view from Canada

The Canadian Security Intelligence Service and Canada’s departments of public safety and natural resources referred questions to the Communications Security Establishment, Canada’s cryptologic agency.

Laura Payton, an agency spokeswoman, did not comment on whether there has been an attack on gas infrastructure or whether steps have been taken to avert such an incident, saying the agency does not comment on “allegedly leaked intelligence.”

“Generally, we do not comment on specific cybersecurity incidents, nor do we confirm businesses or critical infrastructure partners that we work with,” she said. “However, we continue to provide advice and guidance to Canadians and Canadian organizations, if and when requested.”

The Communications Security Establishment said in its most recent cyberthreat assessment report that “while we maintain that state-sponsored cyberthreat actors will very likely refrain from intentionally disrupting or destroying Canadian critical infrastructure in the absence of direct hostilities, these actors are developing the ability to disrupt the critical systems of Canada and our allies.”

Canadian security agencies have long warned that the country’s critical infrastructure is a target for cyberattacks from foreign actors, including Russia and Russian-backed entities.

In a bulletin last year, the Canadian Center for Cyber Security urged companies to “bolster their awareness of and protection against Russian state-sponsored cyberthreats.”

Shawn Tupper, the deputy minister for public safety, told a parliamentary committee probing foreign interference in Canada last month that he pays “an inordinate amount of attention” to threats from foreign actors against critical infrastructure.

“The disruption of the grids or of our pipelines would cause a massive disruption in our communities,” he told lawmakers, “so we pay a lot of attention to that.”

Enbridge, a Calgary-based energy giant that is the nation’s largest natural gas utility, said Monday that it “was not attacked or compromised.”

“We have a robust defense program in place to protect Enbridge's customer information and assets from potential threats,” the company said in a statement, “and are in constant communication with Canadian and U.S. security agencies as part of that defense.”

The view of the leaks

The leaks have caused consternation among U.S. officials because of their exposure of spying practices, our colleagues Shane Harris and Dan Lamothe reported. The documents appeared on Discord, a chat forum that’s popular with gamers — not the first time that forums popular among gamers and leaked documents have overlapped.

Online sleuths have been looking for clues about the identity of the leaker.

First in The Cybersecurity 202: FTC gets security clearance process moving for some staff

The Federal Trade Commission has identified some staff members who should receive top secret security clearances, according to an April 6 letter seen by The Cybersecurity 202. The move would allow them to access documents and receive briefings on classified threat intelligence of cybersecurity risks.

The letter, written by FTC Chair Lina Khan to Sen. Ron Wyden (D-Ore.), says the consumer protection agency “has identified appropriate candidates” to hold such a clearance, and that FTC staff have been directed to work with the Office of the Director of National Intelligence (ODNI) and the CIA to obtain them for certain agency members.

The letter did not elaborate on which staff were selected to receive the clearance. FTC spokesperson Doug Farrar declined to comment when asked about the details of the clearances.

Wyden in October called on the FTC and ODNI to grant additional security clearances to agency staff to further involve the FTC in cybersecurity-related consumer protection efforts.

The letter said that just four agency staff have top secret clearance. It added that FTC leadership, as well as staff in the agency’s division of privacy and identity protection, also do not hold a clearance of that level.

“The U.S. government cannot protect Americans’ privacy and U.S. national security from the serious threat posed by sophisticated foreign hackers if the FTC does not have a seat at the table,” Wyden said in the letter.

An incident at a Florida water treatment plant may not have been caused by an outside hacker after all

The FBI was unable to confirm that a hacker actually targeted the water levels of an Oldsmar, Fla., water treatment plant in February 2021, Christian Vasquez reports for CyberScoop.

The incident, which pushed federal regulators to focus their attention on protecting U.S. critical infrastructure and water facilities, saw sodium hydroxide levels in the water treatment facility raised to dangerous levels until a plant employee intervened to reverse the change.

“Through the course of the investigation the FBI was not able to confirm that this incident was initiated by a targeted cyber intrusion of Oldsmar,” the FBI said in a statement to CyberScoop.

The FBI’s remarks came after former Oldsmar city manager Al Braithwaite downplayed the incident at an event, Vasquez writes.

“The FBI concluded there was nothing, no evidence of any access from the outside, and that it was likely the same employee that was purported to be a hero for catching it, was actually banging on his keyboard,” Braithwaite said at the event.

