(not) Secure digest: Colonial Pipeline, 18+ passwords and hacked government services

Our monthly digest traditionally collects both “classic” and unusual information security incidents. This month's selection is as serious as it gets: a wave of attacks on critical information infrastructure (KII), record losses to telephone scammers, and hackers without fear or reproach guarding their reputation from the intelligence services. Read on:

A drop of tar

What happened: A series of attacks on water utilities took place in the United States. In Pennsylvania two utilities were hit at once: the attackers tried to release a high concentration of treatment chemicals into the water supply. A similar incident occurred in Oldsmar, Florida, where an attacker nearly poisoned the water by manipulating the sodium hydroxide dosing system.

How it was: In Pennsylvania, the hackers managed to install a web shell on the networks of two utilities, which, among other things, gave them remote access to the water treatment systems. Fortunately for consumers (the residents of 2,300 private houses and several commercial companies), the attack was detected and stopped before the criminals could make use of the implant.

Florida went further: a hacker used remote access to raise the level of treatment chemicals in the water supply 11-fold, from 100 to 1,100 parts per million. Fortunately, while the attacker was busily moving the cursor around the screen of the remote PC, the plant operator noticed it on his monitor, saw that the settings had been changed and restored the correct values in time. In the aftermath of this incident, the authorities ordered utilities to submit annual cybersecurity plans. But the regulations only affected large enterprises. Organizational processes at small utilities, like the ones attacked in May, remained unchanged.

The sediment remained

What happened: You have definitely heard about this one: hackers attacked Colonial Pipeline, which pumps petroleum products across the United States from plants on the Gulf of Mexico coast. The pipeline was shut down for almost a week, and fuel prices soared as in the worst of crises.

How it was: The DarkSide group claimed responsibility for the incident, having infected Colonial Pipeline's infrastructure with ransomware. The resulting failure of IT systems halted the normal operation of both the trunk pipelines crossing almost the entire territory of the United States and the local terminals through which jet fuel, diesel and gasoline were shipped. The problems could not be resolved quickly, so a state of emergency was declared in 16 US states and the District of Columbia.

As a result, according to Bloomberg, Colonial Pipeline chose to pay the hackers $5 million, despite official statements that no negotiations with the criminals were under way and that a ransom was not being considered. The amount is typical for big game hunters. According to Bleeping Computer, a previous DarkSide victim, the chemical company Brenntag, paid the extortionists $4.4 million.

But that is not the end of the story. The Colonial Pipeline incident caused such a stir that the hackers soon regretted the attack: DarkSide lost control of its servers. US security services are suspected of retaliation, but this has not been officially confirmed. The hackers tried to play it safe with statements that their actions were not politically motivated and were driven purely by profit. It did not help, and the criminal organization announced its own dissolution.

Other RaaS (Ransomware-as-a-Service) groups also lay low, just in case. For example, the well-known REvil community has suspended open advertising of its products and from now on intends to work “with a narrow circle of trusted partners”, and a couple of hacker forums banned all ransomware ads. Rumor has it that these ripples all come from the same incident: the hacker communities fear close attention from the intelligence services and do not want to end up on the radar like DarkSide.


What happened: Another story in which the attackers suddenly got a taste of their own medicine: a potential victim of scammers in India uncovered their location and their identities on the Web.

How it was: It all started with a phishing email claiming that an order had been placed in the victim's name on Amazon. To cancel it, the victim was advised to call a call center. There the victim was put through “verification”: a special code was sent to her which in reality is used to change the password. At this stage the criminals are usually already inside her Amazon account looking for linked cards and other personal data. To keep the victim from dropping out, they fill her head with stories about her latest orders. The orders are real, so victims believe them and follow the fake tech support's final instruction without question: install TeamViewer. And, of course, completely lose control of their device.

But the blogger with the telling nickname Scambaiter turned out to be no pushover (come on, the guy makes infosec content!). After receiving the email, he decided to turn the attack inside out. Right during the conversation with the scammers he worked out their IP address and even the exact location of their webcam. Then the blogger remotely connected to their PC, found the ID card of one of the “attackers” and dug up his details on social networks. And then he entertained himself for a long time by showing the intruders the feed from their own camera and offering to “talk frankly”.

Screenshot of the video SHOWING A SCAMMER HIS OWN WEBCAM ON MY COMPUTER! from the Scambaiter YouTube channel

The employees of the fraudulent call center could not believe what was happening and took turns approaching the camera to make sure it was not a joke; when it sank in, they were visibly shocked. Whether this blogger's investigation will lead to real sentences is unclear. But the scammers are clearly thinking about a change of profession.

Three years under fire

What happened: A series of targeted attacks on the Russian federal executive authorities has been revealed.

How it was: Experts date the first attempts to penetrate the federal executive authorities' systems to 2017, but the criminals were most active last year. Nikolai Murashov, deputy director of the NKTsKI, believes that foreign intelligence services were behind the incident. This is indicated by the hackers' level of training, the tools they used and the information they were interested in.

The attackers targeted data from private network segments and confidential information from the correspondence of key employees. They tried to extract information from mail servers, file servers, electronic document management servers and the workstations of managers at various levels. To hack the infrastructure of the government agencies they used a standard scheme: phishing mailings to employees, exploitation of web vulnerabilities and compromise of contractors' IT infrastructure. At the same time, the content of the phishing emails, as well as the attackers' knowledge of the vulnerabilities and operating features of the targeted organizations' infrastructure, points to thorough preparation of each stage of the operation. To exfiltrate the data, the hackers used the cloud storage of Yandex and Mail.ru Group, successfully disguising their network activity as that of the legitimate Yandex Disk and Disk-O applications. The experts who analyzed the malicious code said they had never seen anything like it before.

How many secrets the hackers managed to extract from state networks in three years has not been reported. But the scale of the attack will apparently still make itself felt.

Government services for hackers

What happened: Reports of hacked user accounts on the State Services portal have become more frequent on social networks. Several such incidents surfaced at once ahead of the testing of the electronic voting system. In one case, hackers used State Services to confirm microfinance (MFO) loans issued in the name of the hacked account's owner; in another they applied for an electronic SIM card from a virtual operator; in a third they managed to change the victim's password.

How it was: One of the victims stated that the offender gained access to manage her State Services account via a fake permission supposedly issued to the personal data processing center of the United Russia party. This is evidenced by an entry in the “Permissions issued” section, but the woman is certain she never issued any such permission.

After the hack, the victim and the attacker spent 40 minutes taking turns changing the site password and the contact phone number, and also writing to the portal's technical support chat. The real owner of the account proved more stubborn: the attacker eventually left the chat and stopped trying to “hijack” her account.

Other victims learned of the hack after the fact, when they received notifications that their contact phone number and password had been changed. And while one victim, albeit not very quickly, managed to regain control with the help of a digital signature, the second could not be helped even by technical support. Now they will not only have to defend their digital rights but also contest transactions (in particular, several applications for large loans at once). A possible cause of the hack in each case is compromise of the login-password pair, including one reused on third-party resources.

UPD: United Russia has confirmed an attack on its infrastructure. According to Andrei Turchak, secretary of the party's general council, on the eve of the intra-party primaries hackers broke into the preliminary voting site, which allowed them to penetrate Rostelecom's data centers and focus further attacks on State Services users. Rostelecom did not comment on the situation, but the attack was confirmed by the Ministry of Digital Security. Information about the incident has been passed to the Ministry of Internal Affairs.


What happened: A British family was suspected of one of the most serious cybercrimes, the distribution of child pornography. And all because of a careless attitude to passwords.

How it was: From an IP address used by an ordinary London family, four photos with prohibited content were uploaded to the Web. To investigate the incident, the police seized almost all the computer equipment in the flat, including the work laptop of the head of the family, which he then had to explain to his employer. The officers did not even overlook old mobile phones that nobody had used for years. The only exception was made for the children's tablets, which they need for school.

And the cause of the incident, apparently, was the factory password on the Vodafone router. Having received the equipment from the provider, the owners did not change the preset settings; no one had warned them that for basic security they needed to set a new password. As a result, an outsider gained access to the home network and, it is assumed, used that access point to upload the child pornography. But unlike the default password, this has yet to be proven.

Mountains of gold

What happened: Twice in one month, Russian pensioners set records for the sums handed over to telephone scammers. First a pensioner from St. Petersburg raised the bar: 11 million rubles were swindled out of her. Then a Moscow woman was “caught” for almost 400 million.

How it was: In St. Petersburg, the deception began in classic fashion, with a call from the “bank security service”. The criminals gained the victim's trust so thoroughly that she gathered money for them from every possible source. The Petersburg woman first transferred everything in her bank account to the fraudsters, then took several loans totaling 730 thousand rubles, and to top it off sold her flat. The proceeds, of course, went to the extortionists.

The Muscovite also initially fell for the call from the fake “security service”. But after she had transferred 14 million rubles to the criminals, she admitted that she had another 380 million in another bank. The scammers were not at a loss and passed the woman on to an “FSB representative” who was supposed to secure her funds, whatever bank they were in, and save the unfortunate woman from a “targeted attack”. After the money evaporated as a result of this rescue operation, both victims went to the police. But judging by the latest FinCERT report, the women's chances of getting their savings back are slim.
