Miners band together to fight cyber-criminals
D’Arcy Jenish
They called themselves Angels_of_Truth, but there was nothing angelic or truthful about them. On the contrary, they were driven by greed and their actions were malicious, not to mention criminal.
These so-called Angels were blackmailers who hacked the computer systems of eight Canadian mining companies between 2013 and 2016 and stole their data. Then they demanded ransoms ranging from $124,000 to $620,000, payable in Bitcoins, or they would dump the information on publicly accessible websites.
Two companies – Toronto-based Detour Gold and Vancouver-based Goldcorp – refused to meet the demands of the blackmailers and their information was leaked. In the case of Detour, the leak included a corporate credit card used by the CEO and a photocopy of his driver’s licence as well as social insurance numbers, health card numbers, home addresses, banking information and much else on 1,321 employees.
Goldcorp got hit just as hard. The hackers dumped contract agreements with other companies, budget documents from 2012 to 2016, payroll information, email addresses and phone numbers of employees, as well as 2013 performance reviews and 2014 compensation rates.
The hackers have never been caught, nor have investigators been able to determine how many people were involved or where they were based. However, they were tracked to a Russian IP address and they communicated in both English and Russian.
“It was clear that they weren’t Russian because it looked like they’d used Google Translate to translate English into Russian,” says Charles Carmakal, vice-president of Mandiant Consulting, the company that investigated the attacks on behalf of its parent firm, California-based FireEye.
Carmakal speculates that the hackers, who also operated as the Tesla Team, a label used by a notorious group of Serbian hackers, may have attacked Canadian mining companies because they were seen as soft targets. However, those breaches served as a proverbial wake-up call and some companies in the industry have since moved to improve their defences against cyber-attacks.
Sharing communities
In March 2017, executives from six mining companies met and agreed to form the Global Mining and Metals Information Sharing and Analysis Centre, MM-ISAC, for short. ISACs are non-profit organizations formed across an industry to collaborate, pool resources, and share information necessary to deal with threats to information systems.
In the U.S., for example, the aviation, retail, financial services, public transit and real estate sectors, among others, have all formed ISACs.
“Cybersecurity is becoming more and more important because we’re all based in the digital world,” says Cherie Burgett, director of operations for the Vancouver-based MM-ISAC. “Some mining companies that are more mature have analysts watching for anomalies on their systems or they have tools to detect them. Some of the companies that are less mature don’t have dedicated staff looking for this type of information.”
The five-member board of MM-ISAC includes senior IT officers from Goldcorp, Newmont Mining, Barrick Gold, Eldorado Gold and Teck. Membership costs $25,000 annually; it is open to companies of all sizes, from junior explorers to multinationals, and companies at either end of the spectrum can benefit from information sharing.
ISACs work on a simple principle. If one member company gets hacked, or detects suspicious activity on its network, that company relays the information to the ISAC, which then shares it with the rest of the membership. The MM-ISAC has contracted with a Florida-based company called Perch Security to handle the analysis and sharing of a threat.
Perch founder and chief executive officer Aharon Chernin says that joining an ISAC is a cost-effective way to enhance security.
“One of the advantages of sharing communities is that to create and consume the threat intelligence that ISACs distribute requires you to purchase security tools that can cost companies hundreds of thousands, if not millions of dollars a year,” says Chernin.
“Then they have to hire cyber threat intelligence analysts to run these tools.”
Only the largest companies can afford to invest that much money to protect themselves. On the other hand, Chernin notes that companies with as few as 10 work stations can and do join ISACs.
Sharing communities are not only cost effective, they also provide better protection than going it alone.
“If you go out and buy the most expensive security products on the market, you’re only secure because the vendor says you’re secure,” Chernin argues. “Real security is when you know what threats you’re looking for. ISACs tell their members what to look for and how to go get it. One company’s incident becomes everyone else’s defence.”
Case study
The attacks on the eight Canadian mining companies represent a case study of sorts on what happens when organizations go it alone on security. The Angels_of_Truth stalked these companies one by one and used a variety of methods to hack their systems. In some cases, security tools employed by the companies were able to detect the breaches. In others, the companies were unaware of the attacks until they were contacted by the hackers.
“A company’s first step is to figure out whether they can resolve the issue themselves or do they have to call somebody for help,” says Carmakal, whose firm has helped hundreds of companies deal with these attacks. “There are a few fundamental things we do. We investigate what happened. How did the bad guys break into the network? What was the vulnerability they exploited?”
Carmakal, who is based in Washington, D.C., and his Montreal-based colleague Charles Prevost investigated the attacks on behalf of the mining companies and prepared a report that explained how the breaches occurred.
In at least two cases, the hackers used “spear phishing emails with malicious attachments.” One of the emails referred to an updated holiday schedule while another cited an employee questionnaire.
The attackers also used “specifically crafted lures that enticed victims to click on a link” which directed them to servers controlled by the hackers.
Handling breaches
The FireEye report on the attacks provided the victims with advice on how to handle future breaches. First, validate the breach and its scope. Make hard decisions on must-have versus nice-to-have data. Victims should limit their interaction with their attackers and should consider having legal counsel involved in all communication with them. They should consider all options before paying ransom and seek expert advice.
Once the incident has been handled, a victim should review and tighten access to its backup system. According to the FireEye report, primary and backup data are very often part of the same system, which means hackers who reach one can access both. Finally, a company that has been hacked should enhance its security, since the hackers may return and cause trouble all over again.
In the long run, says Chernin, being part of an ISAC is the best way to defend against breaches.
“It’s not like turning on a light switch,” he adds. “ISACs are communities. IT executives create relationships with each other. They become friends, which creates the level of trust needed to share threat information. Joining an ISAC is taking security into your own hands as opposed to relying on the marketing material of some security product.”
The industry is tackling the issue on another front as well.
The Global Mining Standards Group, a non-profit, Montreal-based organization that promotes collaboration in the industry, supported the creation of MM-ISAC, but is also launching a working group on cyber-security.
The move comes at the request of its members. “It’s one of the most important issues facing the industry and it’s growing in importance,” says Heather Ednie, GMSG’s managing director.
“It’s hit the industry with full force in recent years.”