Cybersecurity news headlines for May 2021
In May’s edition of cybersecurity news headlines, we discuss one of the most serious cyber incidents to take place in recent history, the Colonial Pipeline cyberattack. In addition to this incident, there’s also Air India’s disclosure that data on 4.5 million passengers was stolen during a cyberattack, and the FTC’s report on the rising number of victims of cryptocurrency scams.
Without further ado, here are the biggest cybersecurity news stories from May 2021.
Colonial Pipeline cyberattack
In one of the worst cyberattacks in recent history, Colonial Pipeline, an American oil pipeline system, was targeted in a ransomware attack. Colonial Pipeline is one of the largest pipeline operators in the US, supplying fuel (gasoline, diesel, home heating oil, jet fuel, etc.) to almost 45% of the East Coast. On May 7, the company learned of a ransomware attack and was forced to shut down the pipeline to prevent the infection from affecting the pipeline’s operational controls. The shutdown lasted 6 days and had serious consequences that affected millions of people. How exactly the attackers were able to gain access to Colonial’s system is unclear, but once they were in, they were free to steal and encrypt data.
“On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems. Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have already launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies,” Colonial Pipeline said in a statement released soon after the incident became public.
The attack has since been attributed to a hacking group known as DarkSide. While the group operates from an Eastern European country, likely Russia, it is not believed to be state-sponsored. In addition to encrypting data, DarkSide stole nearly 100GB of data from the company, a common tactic ransomware gangs have recently started using to force victims to pay the ransom: if Colonial Pipeline refused to pay, the data would be released on the Internet. Only a few hours after the attack, the company agreed to pay the ransom of 75 Bitcoins ($4.4 million at the time of the incident). However, the decryption tool that Colonial Pipeline received after paying worked too slowly, so the company still had to restore systems from its own backups. Paying the ransom proved to be a controversial decision, but Colonial Pipeline’s CEO defended the move as “the right thing to do for the country”.
The cyberattack had widespread consequences, as numerous states, including Alabama, Florida, North Carolina, South Carolina, and Georgia, reported fuel shortages. Filling stations were affected by the shortages, which caused panic buying. Furthermore, average fuel prices reached their highest level since 2014. As a consequence, President Joe Biden declared a state of emergency, which allowed much larger amounts of fuel to be transported by road. After six days of shutdown, Colonial Pipeline began restarting operations on May 12, though normal operations returned only on May 15.
Due to the nature of the attack, it received a lot of attention, perhaps much more than the malware operators were expecting. Furthermore, because the attack had both economic and social consequences, the group, which operates DarkSide as a ransomware-as-a-service (RaaS), felt it was necessary to distance itself from the situation.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives,” DarkSide said in a statement released on May 10. “Our goal is to make money, and not creating problems for society. We [will] introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
According to reports, the group behind DarkSide has made over $90 million in barely a year of operation. However, DarkSide affiliates claim not to have received some of the payments promised to them. The group, for its part, says it has lost control of its infrastructure and of a considerable amount of Bitcoin in its possession, apparently the Bitcoin it owes those affiliates. Perhaps because they made enough money, or perhaps because of the increased scrutiny, DarkSide has announced that they are stopping operations altogether.
“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” the group said on the Russian OSINT Telegram channel. They also said they will release decryption tools for victims who did not pay.
And it’s not just the DarkSide ransomware group that has received unwanted attention; other ransomware groups are also attempting to retreat from the spotlight. The notorious REvil group has announced that it will not target government, healthcare, educational, and charity organizations. Targets will also need to be approved by the REvil group before the ransomware is deployed by the affiliates who use it as RaaS.
Data of 4.5 million Air India passengers revealed to have been stolen during SITA cyberattack
India’s flag carrier airline Air India has disclosed a data breach impacting 4.5 million passengers. According to a statement released by Air India, the stolen data spans almost 10 years and involves the personal information of passengers, including full names, dates of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, and credit card data excluding the CVV/CVC numbers. Frequent flyer passwords were also not among the data that was stolen.
The data breach stems from a cyberattack that Passenger Service System provider SITA suffered back in February 2021. Since Air India is a customer of SITA, the data of its passengers was also stolen during the attack. Data on around 4.5 million Air India customers, registered between August 26, 2011, and February 3, 2021, is believed to have been stolen. While the SITA cyberattack took place in February this year, the airline was not aware of the severity of the incident and only recently learned that its passenger data was stolen.
“While we had received the first notification in this regard from our data processor on 25.02.2021, we would like to clarify that the identity of the affected data subjects was only provided to us by our data processor on 25.03.2021 & 5.04.2021. The present communication is an effort to apprise of accurate state of facts as on date and to supplement our general announcement of 19th March 2021 initially made via our website,” Air India’s breach notification reads.
Air India is currently still investigating the incident. It has secured the compromised servers, and external specialists have been contacted. Frequent flyer passengers should have also had their passwords reset, and credit card issuers have been notified. Nonetheless, because the breach involved card information, victims should contact their banks to get their cards reissued, as well as monitor transactions for anything suspicious.
“The protection of our customers’ personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate continued support and trust of our passengers,” the airline has apologized.
Among other airlines affected by the SITA cyberattack are Finnair, Japan Airlines, Lufthansa, Malaysia Airlines, Jeju Air, Cathay Pacific, and Singapore Airlines.
Losses from cryptocurrency scams reach an all-time high
A worrying report released by the Federal Trade Commission (FTC) reveals that losses from cryptocurrency scams have skyrocketed, with over $80 million lost to scammers since October 2020. In the span of almost 8 months, the FTC has received reports from nearly 7,000 people, with a median loss of $1,900. According to the FTC, the number is twelve times higher than that of the same period a year earlier. The numbers, while quite worrying, are not entirely surprising. Investing in cryptocurrency has become quite popular, which also means that scammers have more opportunities to take advantage of new investors who don’t necessarily know what they’re doing.
The cryptocurrency bubble and promises of huge profits have attracted a lot of new investors who do not yet know where to find reliable information or whom to trust. Forums are full of misinformation and outright scams inviting people to invest in new cryptocurrencies or use unknown services. People in those forums may appear friendly and eager to share their tips on how to best profit from cryptocurrency. However, it’s not uncommon for them to turn out to be scammers looking to take advantage of new investors.
“Online, people may appear to be friendly and willing to share their “tips.” But that can also be part of the ruse to get people to invest in their scheme. In fact, some of these schemes are based on referral chains, and work by bringing in people who then recruit new “investors”,” the FTC report explains.
Some cryptocurrency scams can be quite elaborate, with legitimate-looking official websites, fake testimonials, advertising on social media and forums, and most importantly, promises of huge profit. Victims may be lured to these scams via forum posts or by scammers who give out “tips” for how to invest. They get lured in by the flashy promises and testimonials, only to later realize that they have essentially given away their money to scammers.
A popular crypto scam is the “giveaway scam”. Scammers impersonate a celebrity or a well-known investor/business person and invite users to participate in giveaways that promise to double the amounts of cryptocurrency users send. These impersonators usually promote their scams on social media sites like Twitter, as well as video platforms like YouTube. It appears that scammers like to impersonate Tesla CEO Elon Musk in particular, as his posts on Twitter always have replies from fake Elon Musk accounts inviting users to participate in giveaway scams. According to the FTC, victims have reportedly sent Elon Musk impersonators (aka cybercriminals) more than $2 million in cryptocurrency in the past six months alone.
In one famous incident last year, cybercriminals were able to briefly take over official Twitter accounts of various celebrities and companies to tweet out giveaway scams. While the criminals responsible were caught soon after, numerous people still sent thousands of dollars to scammers in hopes of getting double the amount back.
The so-called romance scams have also shifted their focus to cryptocurrency. Scammers use dating websites/apps to target vulnerable people and scam them out of thousands of dollars once a relationship is formed. While traditional romance scams involve scammers coming up with tragic life stories to convince victims to send them money, cryptocurrency romance scams invite victims to invest. The FTC reports that 20% of the reported losses from romance scams were sent in cryptocurrencies.
“About 20% of the money people reported losing through romance scams since October 2020 was sent in cryptocurrency, and many of these reports were from people who said they thought they were investing,” the FTC report explains.
Interestingly enough, people ages 20 to 49 were over five times more likely to report losses from cryptocurrency scams, according to the FTC. But while people over 50 years old were less likely to report losing money in cryptocurrency scams, their individual losses were higher, with an average of $3,250 reported losses.
The FTC gives some great advice about cryptocurrency and investing in it.
- Promises of guaranteed huge returns or claims that your cryptocurrency will be multiplied are always scams.
- The cryptocurrency itself is the investment. You make money if you’re lucky enough to sell it for more than you paid. Period. Don’t trust people who say they know a better way.
- If a caller, love interest, organization, or anyone else insists on cryptocurrency, you can bet it’s a scam.
Sources
- Collin Eaton and Dustin Volz. U.S. Pipeline Cyberattack Forces Closure. The Wall Street Journal.
- William Turton, Michael Riley, and Jennifer Jacobs. Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom. Bloomberg.
- Air India. Notification to Passengers.
- Manish Singh. Air India passenger data breach reveals SITA hack worse than first thought. TechCrunch.
- Emma Fletcher. Cryptocurrency buzz drives record investment scam losses. FTC Data Spotlight.