The BlackCat ransomware gang claims to have hit Creos Luxembourg S.A., a natural gas pipeline and electricity supplier, last week.
Creos’ owner, Encevo, confirmed that the network attack, which occurred on the 23rd-24th of July, exfiltrated “a certain amount of data” from its network. Encevo is an energy supplier in five EU countries. It has a dedicated web page for updates on the attack, and as of Monday, Aug. 1st, it still says “the Encevo Group does not yet have all the information necessary to personally inform each person concerned.”
This is an interesting event and could have much broader implications. It appears the group was unable to compromise (or chose not to compromise) the target’s OT environment. Instead, based on the types of documents and external portals involved, they placed their focus on the corporate side. If an OT compromise was attempted and ultimately unsuccessful, it suggests that segmentation and hardening did their job and stopped a more detrimental event from unfolding.
Another point of interest is that the DarkSide/BlackCat group was originally shut down due to the spotlight created by the Colonial Pipeline ransomware attack in May 2021. That successful campaign against critical infrastructure drew the ire of law enforcement and intelligence agencies and put the group on notice around the world. This recurrence will most likely spur another effort to find the group, burn down its network and incarcerate the perpetrators.
Considering the modus operandi of DarkSide/BlackMatter/BlackCat and their penchant for not staying gone for long, we certainly haven’t seen the last of this group. They are unfortunately living up to the name ‘BlackCat’, considering how many ‘lives’ the group appears to have and its ability to bounce back.
What is interesting is that they are shifting targets, presumably in an effort to maintain some standard cadence in their attack flow. That could be an indicator that they have felt the pain of going after targets that were too large (or too hardened) in previous operations. If this is the case, we can expect to see more less-secured or smaller entities in Europe being targeted. One consequence is that when less mature and less secure enterprises and entities are targeted, there is less chance of speedy detection, or of any detection at all.
The gas pipeline attack (and any energy sector attack, really) strikes a more macabre tone: if we take the previous statement as ground truth, it would seem to indicate that major critical infrastructure in Europe sits at the ‘weaker’ end of the spectrum of targets. Critical infrastructure being tipped over in the same way as clothing chains arguably demonstrates that key backbones of society are incredibly soft for how important they are.
A final thought: the ‘rolodex’ of customer information being queryable is a sinister new wrinkle that brings the embarrassment and fear home to the customer. With the customer being the primary driver of revenue, the attackers have effectively removed the company’s ability to ‘cover up’ or ignore the situation and placed it solely in the hands of the people impacted. This creates a dangerous situation for the business, because as users wake up and spread the information, they could move to social media outlets to amplify their concerns, which could (for Creos) drive closer legislative scrutiny, governmental intervention, or even a massive shift of public support via feet and wallets. The information claimed is also serious, considering that the group is indicating the theft of passports and contracts. This goes beyond standard customer information such as bills, emails, and NPI.
After a major breach, there tends to be a strong psychological effect on the victim, whether it is an individual, a small company, an organization, etc. In attempting to get a company like Creos Luxembourg to pay the ransom for stolen data, BlackCat has proven it knows how to apply pressure. Its searchable data extortion platform is basically a ticking time bomb. The longer Creos is listed on that platform, the more visitors will come to its listing, attract more attention, demand the release of the sensitive information, and be first in line for whatever nefarious activities they wish to perform. In doing this, BlackCat knows how hard it will be for Creos to resist giving in to the ransom demand, but regardless, it should never do so.
Although much damage has been done to the company’s reputation since the breach occurred, it will be even worse if Creos allows the cybercriminals to take further advantage of it. Groups like BlackCat understand only one thing: strength. If Creos Luxembourg, Encevo, and other affected parties refuse to stand up to cybercriminals such as these, they are submitting to chaos. Obviously, as BlackCat continues to wreak data-extortion havoc, its members do not feel very threatened by international law enforcement or by the organizations pledging to protect our data. The problem is that they should be scared, but we are not making them so.
So far, there is no reported interruption in the services provided by Encevo and Creos, but if their customer portals were breached, it is likely that their industrial control systems are also vulnerable. Attacks on industrial control systems are devastating because they have the ability to deny an entire population a crucial resource. This is why groups such as BlackCat find ransomware so effective. Not only does it test the organization’s ability to go without what it desperately needs, but it is also a psychological burden on the people whose data is being released (including contracts, financial information, emails, password credentials, etc.).
With such a breach, there is a lot on people’s minds, but so far there is little for them to do except change their passwords. Whether this will be effective enough to protect people from further damage is currently up for debate, but overall, organizations need to learn that if one part of their infrastructure is sick, the infection can spread.