Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: A Canadian gas pipeline could have suffered an explosion caused by a cyber attack. Also: Financial services firm NCR hit with a ransomware attack, hurting thousands of small American eateries.
This Week’s Top Story
A possible Colonial Pipeline 2.0? Security incident causes concern for Canada’s critical infrastructure
The New York Times reported, based on leaked U.S. intelligence documents, that a Canadian gas pipeline suffered a security incident that could have caused an explosion at the company’s gas site. The threat actors responsible are a pro-Russian hacking group known as Zarya, who were in communication with Russia’s Federal Security Service (FSB), the primary successor to the KGB, about the incident’s potential for physical damage, as shown in these leaked U.S. intel documents.
Canadian Prime Minister Justin Trudeau confirmed that the unnamed Canadian gas pipeline was attacked, but made it clear that there was no physical damage to any of Canada’s energy infrastructure as a result. The cyber attack took place on February 25, 2023 and caused sufficient damage to company profits, with the specific intention of economically hurting the company. Regarding the possibility of physical damage, Zarya did have access to the infrastructure of the gas pipeline operator, and they were awaiting further instruction from Russian intelligence on how to proceed.
This incident is alarming for two reasons. First: This attack by Zarya demonstrates that pro-Russian threat actors are capable of penetrating the critical infrastructure systems of Western countries. Second: The communications between Zarya and Russian intelligence demonstrate that pro-Russian hacking groups could be operating under, and taking direction from, the Russian government, which means that this incident could have been driven by a nation-state adversary’s motivations.
Here are the stories we’re paying attention to this week…
Financial services firm NCR hit by ransomware attack, disrupting Aloha and Back Office products (CPO Magazine)
A payment processing system used by over 100,000 restaurants and bars has been temporarily disrupted as its parent company, NCR, has been hit with a ransomware attack. Those most impacted are independent eateries and small local chains across the U.S.
Developer platform GitLab today announced a new AI-driven security feature that uses a large language model to explain potential vulnerabilities to developers, with plans to expand this to automatically resolve these vulnerabilities using AI in the future.
After a brief hiatus, the Alloy Taurus APT (aka Gallium or Operation Soft Cell) is back on the scene, with a new Linux variant of its PingPull malware. They are a Chinese nation-state-affiliated threat actor, around since at least 2012 but only in the spotlight since 2019. They focus on espionage, and tend to target major telecommunications providers.
#RSAC: Election protection is CISA's top priority for next 18 months (InfoSecurity Magazine)
For CISA, the protection of the looming 2024 election is now a top priority in an effort to protect democracy: “This is our top priority over the next year and a half,” says Eric Goldstein, executive assistant director for cybersecurity at CISA.
The U.S. government’s Cyber National Command Force (CNCF) is sending its experts abroad in so-called “hunt forward” operations to aid partner countries in combating cybercrime, and has launched 47 operations in 20 countries over the last three years.