06-26-2023, 10:48 AM
|
#1
|
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
|
Suncor Energy Major Cybersecurity Incident/Outage
https://calgary.ctvnews.ca/calgary-b...dent-1.6455796
Open source intelligence (ie: Reddit) seems to indicate that managers are telling staff they expect up to a month of systems being down. This sounds like quite a serious incident, possibly from a state-oriented actor such as Russia.
It sounds like even retail/downstream in Petro Canada Gas Stations (I thought the network was sold or did they back off) has been affected which is quite serious. 3rd party suppliers/vendors for which Suncor is a client also claimed they were affected but it may have just been their access to Suncor systems and integrations.
Does anybody have any more information on what is going on there? Mainly looking for indicators of compromise and more guidance on things to be vigilant on for local and adjacent companies here in Calgary.
|
|
|
06-26-2023, 12:18 PM
|
#2
|
Scoring Winger
Join Date: Feb 2014
Location: Springfield
|
It's been going on since Thursday is what I know.
__________________
Your real name?
Uh... Lance Uppercut.
|
|
|
06-26-2023, 01:02 PM
|
#3
|
First Line Centre
|
A buddy who works at Suncor said it was a well planned and coordinated attack... he thinks they may be down for months, I assume he's talking about his specific department and not in reference to key infrastructure, but I don't imagine it being a lot of fun over there right now.
|
|
|
06-26-2023, 01:19 PM
|
#4
|
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
|
Quote:
Originally Posted by Old Yeller
A buddy who works at Suncor said it was a well planned and coordinated attack... he thinks they may be down for months, I assume he's talking about his specific department and not in reference to key infrastructure, but I don't imagine it being a lot of fun over there right now.
|
That sounds like a state-based or affiliated attacker. If key systems are down, I wonder how much oilfield like SCADA and IoT are or did they have proper network zoning and isolation. They must have for a company of that scale and size? Or did bureaucracy prevent them from moving faster to modernize and adapt?
|
|
|
06-26-2023, 01:27 PM
|
#5
|
Franchise Player
Join Date: Aug 2012
Location: Seattle, WA
|
It's pretty bad.
Sounds like they are nuking everyone's accounts and rebuilding from scratch.
__________________
It's only game. Why you heff to be mad?
|
|
|
The Following User Says Thank You to DoubleK For This Useful Post:
|
|
06-26-2023, 02:10 PM
|
#6
|
Franchise Player
|
How do they not have a disaster recovery plan? Rebuild from scratch? That's the plan?
|
|
|
The Following User Says Thank You to Fuzz For This Useful Post:
|
|
06-26-2023, 02:16 PM
|
#7
|
#1 Goaltender
|
They may have determined some of their backups got hit as well?
|
|
|
The Following User Says Thank You to woob For This Useful Post:
|
|
06-26-2023, 02:17 PM
|
#8
|
#1 Goaltender
Join Date: Oct 2009
Location: North of the River, South of the Bluff
|
I wonder if this is ransomware or sabotage based.
If ransomware at least maybe you can pay for the key.
Sabotage by Russia would be worse. No key to be had I would presume and you're going off DR backups. Which I am not confident any company that large has a great plan around.
Not great
|
|
|
06-26-2023, 02:19 PM
|
#9
|
#1 Goaltender
Join Date: Oct 2009
Location: North of the River, South of the Bluff
|
Another complication is bringing systems back up. How do you know the backups are clean or you get locked out again and again. This thing could have been sleeping for months baked into multiple backups.
|
|
|
06-26-2023, 02:24 PM
|
#10
|
Franchise Player
|
What's worse is, with the emergence of increasingly sophisticated AI, we can probably expect these kinds of attacks to grow both in frequency and severity over time. I don't know what the long-term solution is to stave off these attacks, or if there will ever be one. Scary times.
__________________
|
|
|
06-26-2023, 02:32 PM
|
#11
|
Scoring Winger
Join Date: Aug 2005
Location: 12 > 13
|
fwiw my local Petro-can could only accept cash and the car wash was offline (which the clerk attributed to this issue). You could still pump gas though.
So, thanks Putin, but I'll just keep driving my dirty, dirty car.
|
|
|
06-26-2023, 02:35 PM
|
#12
|
#1 Goaltender
|
There's some good podcasts on these kinds of things, that I've recently started listening to. The one on NotPetya was really informing and kind of opens your eyes to how severe an attack could be; banking systems offline, transit affected, etc. etc.
https://darknetdiaries.com/
|
|
|
The Following User Says Thank You to woob For This Useful Post:
|
|
06-26-2023, 02:36 PM
|
#13
|
Powerplay Quarterback
|
The LockBit group has been targeting Calgary companies over the past couple of months. These guys are typically in systems well before they initiate anything, giving them time to learn the systems and live in the back-ups. I wonder if it's the same shop...
https://www.cisa.gov/news-events/cyb...ries/aa23-075a
|
|
|
06-26-2023, 03:41 PM
|
#14
|
Franchise Player
Join Date: Aug 2012
Location: Seattle, WA
|
Quote:
Originally Posted by Hack&Lube
Does anybody have any more information on what is going on there? Mainly looking for indicators of compromise and more guidance on things to be vigilant on for local and adjacent companies here in Calgary.
|
Hearing an executive clicked on a phishing link.
__________________
It's only game. Why you heff to be mad?
|
|
|
06-26-2023, 04:11 PM
|
#15
|
First Line Centre
|
I suspect there are a ton of these that go unreported.
The last place I worked at was hit by a ransomware attack. Swept under the rug for fear of impacting donor dollars, negative PR, etc. Everything lost, no recovery plan. From my end, my dept. was relatively unscathed cause I'd set up a basic google drive so I could telecommute easier.
|
|
|
06-27-2023, 08:14 AM
|
#16
|
Dances with Wolves
Join Date: Jun 2006
Location: Section 304
|
I know somebody in the network security space, and their life is mostly consumed by fear of this happening all the time. A hacker with resources and time can almost always find a way in, and on top of that there are companies with 10s of thousands of employees and only one of them needs to click a bad link to set off a real sh*t-storm.
As for Suncor, it's hard to find a good time for layoffs... but this was a bad time for layoffs. Not to say that's related to this, but it makes for a morale swamp.
|
|
|
06-27-2023, 04:18 PM
|
#17
|
Scoring Winger
Join Date: Feb 2014
Location: Springfield
|
I've heard remote access is still down today, but I have not heard anything about in-office access to systems. Anyone know if Suncor employees in the building can access systems?
__________________
Your real name?
Uh... Lance Uppercut.
|
|
|
06-27-2023, 04:26 PM
|
#18
|
Franchise Player
|
Remote access is probably pretty low on the priority list for them.
__________________
Quote:
Originally Posted by MisterJoji
Johnny eats garbage and isn’t 100% committed.
|
|
|
|
06-27-2023, 05:28 PM
|
#19
|
Franchise Player
|
From what I have heard there is no access at head office.
__________________
Quote:
Originally Posted by calgaryblood
Looks like you'll need one long before I will. May I suggest deflection king?
|
|
|
|
06-28-2023, 11:48 AM
|
#20
|
Powerplay Quarterback
|
Quote:
Originally Posted by Sr. Mints
I suspect there are a ton of these that go unreported.
The last place I worked at was hit by a ransomware attack. Swept under the rug for fear of impacting donor dollars, negative PR, etc. Everything lost, no recovery plan. From my end, my dept. was relatively unscathed cause I'd set up a basic google drive so I could telecommute easier.
|
I'm pleasantly surprised that a place I worked at took the opposite approach and disclosed everything to our clients. Learn from us so it doesn't happen to you, and hopefully our transparency is reassuring that we are doing all the right things to recover.
Sent from my IN2025 using Tapatalk
|
|
|
The Following 2 Users Say Thank You to InglewoodFan For This Useful Post:
|
|