When ransomware hackers hit Colonial Pipeline last month and shut down gas distribution along much of the East Coast of the United States, the world woke up to the danger of digital disruption to the chemical pipeline industry. Now it appears that another pipeline-focused business was also hit by a ransomware crew around the same time, but it has kept its breach quiet, even as 70 gigabytes of its internal files were stolen and dumped on the dark web.
A group that identifies itself as the Xing Team last month posted on its dark web site a collection of stolen files from LineStar Integrity Services, a Houston-based company that sells inspection, compliance, maintenance and technology services to pipeline customers. The data, first spotted online by the WikiLeaks-style transparency group Distributed Denial of Secrets, or DDoSecrets, includes 73,500 emails, accounting files, contracts and other business documents, around 19 GB of software code and data, and 10 GB of human resources files that include scans of employee driver's licenses and Social Security cards. And while the breach does not appear to have caused any disruption to infrastructure, as the Colonial Pipeline incident did, security researchers warn that the leaked data could provide hackers with a roadmap for further pipeline targeting.
DDoSecrets, which makes a practice of trawling data leaked by ransomware groups as part of its mission to expose data it deems worthy of public scrutiny, released 37 gigabytes of the company’s data on Monday. The group says it was careful to redact data and code for potentially sensitive programs (which DDoSecrets says could enable hackers to find or exploit vulnerabilities in pipeline software) as well as leaked human resources material, in an effort to leave out LineStar employees’ sensitive, personally identifiable information.
But the unredacted files, which WIRED has reviewed, remain online. And they may include information that could enable the targeting of other pipelines, says Joe Slowik, a threat intelligence researcher at the security company Gigamon who has focused on critical infrastructure security for years as the former head of incident response at Los Alamos National Laboratory. While Slowik notes that it’s still unclear what sensitive information may be included in the 70 GB leak, he fears it could include details about the software architecture or physical equipment used by LineStar customers, given that LineStar provides information technology and industrial control system software to pipeline customers.
“You can use that to build up a lot of targeting data, depending on what’s there,” says Slowik. “It’s very concerning, given the potential that it’s not just people’s driver’s license information or other HR-related items, but potentially data that relates to the operation of these networks and their most critical functionality.”
Xing Team is a relatively new entrant to the ransomware ecosystem. But while the group writes its name with a Chinese character on its dark web site, and its name comes from the Mandarin word for “star,” there’s little reason to believe the group is Chinese based solely on that name, says Brett Callow, a ransomware-focused researcher with the antivirus company Emsisoft. Callow says he has seen Xing Team use a rebranded version of the Mount Locker malware to encrypt victims’ files, and threaten to leak unencrypted data as a way to pressure targets into paying. In the case of LineStar, Xing Team appears to have followed through on that threat.
This leak could in turn serve as a springboard for other ransomware hackers, who often comb dark web data dumps for information that can be used to impersonate companies and target their customers. “If you’re going to steal data from a pipeline company, that could possibly allow you to build a fairly convincing spearphishing email to another pipeline company,” Callow says. “We absolutely know that groups do that.”