Suncor Energy Major Cybersecurity Incident/Outage

[Hack&Lube]

https://calgary.ctvnews.ca/calgary-b...dent-1.6455796

Open source intelligence (ie: Reddit) seems to indicate that managers are telling staff they expect up to a month of systems being down. This sounds like quite a serious incident, possibly from a state-oriented actor such as Russia.

It sounds like even retail/downstream in Petro Canada Gas Stations (I thought the network was sold or did they back off) has been affected which is quite serious. 3rd party suppliers/vendors for which Suncor is a client also claimed they were affected but it may have just been their access to Suncor systems and integrations.

Does anybody have any more information on what is going on there? Mainly looking for indicators of compromise and more guidance on things to be vigilant on for local and adjacent companies here in Calgary.

[LanceUppercut]

It's been going on since Thursday is what I know.

[Old Yeller]

A buddy who works at Suncor said it was a well planned and coordinated attack... he thinks they may be down for months, I assume he's talking about his specific department and not in reference to key infrastructure, but I don't imagine it being a lot of fun over there right now.

[Hack&Lube]

Quote:

Originally Posted by Old Yeller

A buddy who works at Suncor said it was a well planned and coordinated attack... he thinks they may be down for months, I assume he's talking about his specific department and not in reference to key infrastructure, but I don't imagine it being a lot of fun over there right now.

That sounds like a state-based or affiliated attacker. If key systems are down, I wonder how much oilfield like SCADA and IoT are or did they have proper network zoning and isolation. They must have for a company of that scale and size? Or did bureaucracy prevent from from moving faster to modernize and adapt?

[DoubleK]

It's pretty bad.

Sounds like they are nuking everyone's accounts and rebuilding from scratch.

[Fuzz]

How do they not have a disaster recovery plan? Rebuild from scratch? That's the plan?

[woob]

They may have determined some of their backups got hit as well?

[OldDutch]

I wonder if this is ransomware or sabotage based.

If ransomware at least maybe you can pay for the key.

Sabotage by Russia would be worse. No key to be had I would presume and your going off DR backups. Which I am not confident any company that large has a great plan around.

Not great

[OldDutch]

Another complication is bringing systems back up. How do you know the backups are clean or you get locked out again and again. This thing could have been sleeping for months baked into multiple backups.

[Mathgod]

What's worse is, with the emergence of increasily-sophisticated AI, we can probably expect these kinds of attacks to grow both in frequency and severity over time. I don't know what the long-term solution is to stave off these attacks, or if there will ever be one. Scary times.

[RoadGame]

fwiw my local Petro-can could only accept cash and the car wash was offline (which the clerk attributed to this issue). You could still pump gas though.

So, thanks Putin, but I'll just keep driving my dirty, dirty car.

[woob]

There's some good podcasts on these kinds of things, that I've recently started listening to. The one on NotPetya was really informing and kind of opens your eyes to how severe an attack could be; banking systems offline, transit affected, etc. etc.

https://darknetdiaries.com/

[Leondros]

The LockBit group has been targeting Calgary companies over the past couple of months. These guys are typically in systems well before they initiate anything giving them time to learn the systems and live in the back-ups. I wonder if its the same shop...

https://www.cisa.gov/news-events/cyb...ries/aa23-075a

[DoubleK]

Quote:

Originally Posted by Hack&Lube

Does anybody have any more information on what is going on there? Mainly looking for indicators of compromise and more guidance on things to be vigilant on for local and adjacent companies here in Calgary.

Hearing an executive clicked on a phishing link.

[Sr. Mints]

I suspect there are a ton of these that go unreported.

The last place I worked at was hit by a ransomeware attack. Swept under the rug for fear of impacting donor dollars, negative PR, etc. Everything lost, no recovery plan. From my end, my dept. was relatively unscathed cause I'd set up a basic google drive so I could telecommute easier.

[Russic]

I know somebody in the network security space, and their life is mostly consumed by fear of this happening all the time. A hacker with resources and time can almost always find a way in, and on top of that there are companies with 10s of thousands of employees and only one of them needs to click a bad link to set off a real sh*t-storm.

As for Suncor, it's hard to find a good time for layoffs... but this was a bad time for layoffs. Not to say that's related to this, but it makes for a morale swamp.

[LanceUppercut]

I've heard remote access is still down today, but I have not heard about anything about in office access to systems. Anyone know if Suncor employees in the building can access systems?

[nik-]

Remote access is probably pretty low on the priority list for them.

[Hockeyguy15]

From what I have heard there is no access at head office.

[InglewoodFan]

Quote:

Originally Posted by Sr. Mints

I suspect there are a ton of these that go unreported.

The last place I worked at was hit by a ransomeware attack. Swept under the rug for fear of impacting donor dollars, negative PR, etc. Everything lost, no recovery plan. From my end, my dept. was relatively unscathed cause I'd set up a basic google drive so I could telecommute easier.

I'm pleasantly surprised that a place I worked at took the opposite approach and disclosed everything to our clients. Learn from us so it doesn't happen to you, and hopefully our transparency is reassuring that we are doing all the right things to recover.

Sent from my IN2025 using Tapatalk