Thoughts, Musings, and Other Items from the Worlds of Infosec, ICS, and Beyond

Ransomware’s Unintended Consequences

The information security industry finds itself, as of this writing, in the midst of a ransomware pandemic. While Business Email Compromise (BEC) likely remains more financially successful overall, much of this success is due to far wider scope and selection of victims. Ransomware, while potentially less costly in a direct fashion, adds additional concerns such as operational disruption, data loss, and costly network rebuilds that amplify expenses beyond mere ransom demands. When combined with the Read more

By Joe, ago

Mind the (Air) Gap

Following the ransomware incident impacting Colonial Pipeline operations in May 2021, many parties asked how such a disruption, impacting one of the main arteries delivering refined petroleum products to the Eastern and Southeastern United States, could occur. Based on information available, the intrusion did not directly impact Industrial Control Systems (ICS) within Colonial’s environment. Instead, the company itself initiated a controlled shutdown of operations as a precautionary matter to prevent critical ICS-related and product tracking Read more

By Joe, ago

Understanding or Publicizing the Adversary?

In April 2021 the Babuk ransomware gang, already a concerning entity, gained additional notoriety for compromising the Washington, DC police department. As part of this incident, the criminals threatened to release confidential files relating to police operations to spur payment. The group in question earlier gained attention for the combination of a failed ransomware decryptor followed by a primitive public relations campaign to advertise a “fix” for their malicious software. This “flair” for public communication Read more

By Joe, ago

Water, Water Everywhere – But Nary a Hacker to Blame

Note: On 21 March 2023, website GCN reported that the “hack” was actually an employee error. More worringly, statements from the city manager at the time indicate this was known from the outset, yet still resulted in several investigations from local and federal law enforcement. Interestingly, this story has not been picked up or reported by any other outlet. Nonetheless, if true, this would represent a nearly unfathomable act of “hyping” events for indeterminate reason. Read more

By Joe, ago

Why Do We Fight?

One of the penultimate, and more poignant, episodes of the television series Band of Brothers was “Why We Fight.” The episode highlighted how, although the members of the unit followed through the series faced multiple trials and setbacks, the discovery of concentration camps emphasized the necessity for continuing the struggle against the Nazi regime. Within the realm of Cyber Threat Intelligence (CTI), we rarely face so stark and dire circumstances with respect to our work. Read more

By Joe, ago

Terrorism or Information Operation?

On 09 December 2020, details emerged concerning network infrastructure I’d previously identified as suspicious on 07 December: Further research and investigation showed that the domains in question – which were relocated from “.org” to “.us” infrastructure – were hosting “kill lists” comprising politicians, civil servants, and employees of Dominion Voting Systems, including information such as home addresses. As seen in the following image, the intent of this page is not left to one’s imagination, thanks Read more

By Joe, ago

There But for the Grace of God Go I

08 December 2020 will be remembered as a significant day in information security history. On that day, information security giant and, through its Mandiant division, pioneer FireEye disclosed that they were compromised by a likely state-sponsored entity. (Specific attribution is lacking at this time, although there are rumors APT29/Cozy Bear may be responsible – more to come on this in the future.) Within the insular (and at times catty and vindictive) security community, there were Read more

By Joe, ago

The Enigmatic Energetic Bear

“Energetic Bear” (also known as Dragonfly, Crouching Yeti, etc. etc.) has been in the news lately given a recent series of intrusions targeting local government and critical infrastructure entities in the United States. While the group has gained attention recently, its activities go back at least a decade with the widespread Havex campaign. Despite the group’s longevity and consistent targeting of critical infrastructure, including the electric and oil and gas sectors, the group has not Read more

By Joe, ago

Willful Ignorance and Misunderstanding of Threat Intelligence

Few arguments are more frustrating to deal with than those which include compelling, accurate observations to plaster over selective examples and willful misrepresentation. Such is the case with a recent video posted by Ralph Langner concerning ICS-specific cyber threat intelligence (CTI). Langner makes some astute observations concerning the industrial threat landscape that are worth repeating and recognizing, but then uses these items in conjunction with selective representation of publicly available observations to push a specific, Read more

By Joe, ago

Trickbot and the Context of Cyber Warfare

TrickBot was in the news quite a bit in early October 2020. Starting with reports of TrickBot disruption in late September 2020 subsequently linked to United States Cyber Command (USCC), events ramped up with an independent coordinated infrastructure take-down organized by Microsoft coming shortly thereafter. There are many avenues of analysis into this event and very interesting questions raised, including items such as election security concerns and public-private coordination (or in this instance, lack thereof). Read more

By Joe, ago