The IT Nerd

So, it’s been since late June since Petro Canada got pwned by hackers. And in the process, all of this happened:

• Petro Canada Gas Stations And More Are Offline Due To Unspecified Computer Problems…. Have They Been Pwned?
• Confirmed: Petro Canada Parent Company Pwned By Hackers
• The Effects Of Petro Canada’s Parent Company Getting Pwned Continue With No ETA For Resolution
• The Petro Canada Cyberattack Could Cost The Company In Multiple Ways… And Who’s Behind This Cyberattack?
• Petro Canada Claims That You Can Pay Via Credit And Debit Cards Again… But Other Things Are Still Down After Getting Pwned
• Petro Canada Speaks Again About Being Pwned… But Says Nothing Of Substance
• Petro Canada App Users Still Can’t Use The App After The Company Was Pwned By Hackers Two Months Ago

But late this afternoon, this changed when Petro Canada published a Petro Canada app update:

Well that’s interesting. So in the interest of science, I downloaded the app and tried to change my password via the App. That failed miserably. So I ended up going to petro-canada.ca and changing it there. My guess is that the fact that you are being forced to change your password implies that this was the attack vector that the threat actors used to get into their systems and pwn them. Or the threat actors were able to steal the login credentials of Petro Points users after they got in. Either is plausible.

Once I was in, I was able to see my points balance which seems right, and not much else. So that means that everything is fine and Petro Canada is off my naughty list.

No.

Let me take you back to this story that I wrote. In it Petro Canada admitted the following was swiped when they got pwned by hackers:

The information that was swiped creates a perfect jumping off point for identity theft for starters. Never mind any number of other scams, fraud, or targeted cyberattacks. Petro Canada said sorry for that, but sorry is not good enough when your personal info is out there for any threat actor to use against you. At the very least, free credit monitoring for every person affected by this hack should be offered by Petro Canada. But to date, that hasn’t been offered. So that leads me to plan b: Class action lawsuit. The fact is that the only way that Petro Canada can be held accountable for this is by a class action lawsuit where the courts will hold them accountable. Plus it will send a clear message that if you don’t take cybersecurity seriously, you will be held accountable in court and it will be expensive. Thus when the first class action lawsuit gets filed, I’ll be joining it. And I suggest that you do the same if you were affected by this.

Oh, by the way, just as I said here, the second I was able to log in I cashed out my Petro Points in the form of iTunes gift cards, and I will be using up my gas discount cards as quickly as possible. After that, I won’t be using Petro Canada as my gas station again as they simply cannot be trusted to keep their customer’s information secure.

In case you’re coming to this story without the full context, let me help you with that. Back in June, Petro Canada and their parent company Suncor were pwned by hackers. That partially took down their gas stations for a few days, and has partially crippled them ever since. Here’s a bunch of stories that you can read that will give you the full background:

• Petro Canada Gas Stations And More Are Offline Due To Unspecified Computer Problems…. Have They Been Pwned?
• Confirmed: Petro Canada Parent Company Pwned By Hackers
• The Effects Of Petro Canada’s Parent Company Getting Pwned Continue With No ETA For Resolution
• The Petro Canada Cyberattack Could Cost The Company In Multiple Ways… And Who’s Behind This Cyberattack?
• Petro Canada Claims That You Can Pay Via Credit And Debit Cards Again… But Other Things Are Still Down After Getting Pwned
• Petro Canada Speaks Again About Being Pwned… But Says Nothing Of Substance

Now, about two months after being pwned by hackers, it’s come to my attention that the Petro Canada app is still not working. When users try to log in, they see this:

Having the app in a state where it isn’t working for two months does not inspire confidence to users. And you have to assume that it’s also costing Petro Canada money. Let me give you an example of that. My go to gas stations have always been Esso/Mobil and Petro Canada. And whenever I needed gas, I would go to the closest one. I didn’t really have a preference. Since Petro Canada got pwned, 100% of my gas business goes to Esso/Mobil. And there’s two reasons for that change:

• The Petro Canada app does not work as mentioned above which is a #fail for me as I use this app to pay at the pump via Apple Pay without putting my credit card into the pump or having to interact with the gas station staff. That’s important for me as gas stations have always been a place where your credit card can be cloned. The app always mitigated that possibility. But since the Petro Canada app doesn’t work, there is no mitigation. However over at Esso/Mobil, this isn’t an issue as their app works fine to pay at the pump.
• I don’t trust Petro Canada because they haven’t really provided an update of any sort that gives me the confidence to trust them.

The thing with cyberattacks is that there’s financial and repetitional costs to them the longer that the attack affects the public. Petro Canada has entered a place where their reputation has taken a big hit, and this has to be affecting them financially. And I don’t see a scenario at the moment where this ends positively for them. Now Petro Canada is free to prove me wrong on that front. But as long as the public isn’t able to use their app to do anything from pumping gas into their cars, collect and redeem points and the like, Petro Canada isn’t in a good place.

One thing that has been a constant since I reported on Petro Canada and its parent company Suncor being pwned by hackers is that there has been radio silence for the most part from the company.

To catch you up on this, here’s a list of stories that I’ve written about Petro Canada being pwned: 

• Petro Canada Gas Stations And More Are Offline Due To Unspecified Computer Problems…. Have They Been Pwned?
• Confirmed: Petro Canada Parent Company Pwned By Hackers
• The Effects Of Petro Canada’s Parent Company Getting Pwned Continue With No ETA For Resolution
• The Petro Canada Cyberattack Could Cost The Company In Multiple Ways… And Who’s Behind This Cyberattack?
• Petro Canada Claims That You Can Pay Via Credit And Debit Cards Again… But Other Things Are Still Down After Getting Pwned

And the last story that I wrote about this can be found here. That was on July 6th. And there has been no further comment on this from the company. That is until last night when this email hit inboxes of people who are part of Petro Canada’s reward system which is known as Petro Points:

There’s a lot of words written here. But there’s nothing here that people want to hear. For example:

• What is the status of Suncor’s investigation into who did this and how they did this?
• What will Suncor do to protect people who had their information swiped which was disclosed by the company on July 6th? Will the company provide free credit monitoring for example?
• What is Suncor doing to make sure that they don’t get pwned again?

Honestly, if this is the best that Suncor and Petro Canada can do to keep customers from suing them out of existence, they’re in deep trouble. Because I am aware of two class action lawsuits that are about to be filed in relation to this. And when they do get filed, Petro Canada and Suncor are guaranteed to be on the losing end of those lawsuits. Thus if I were them, I would get a whole lot more transparent about this incident and come to the table with more than nice words.

For the last few weeks now, it’s been public knowledge that it has been pwned in some sort of “cybersecurity incident.” For context, here’s a list of stories that I’ve written about this:

• Petro Canada Gas Stations And More Are Offline Due To Unspecified Computer Problems…. Have They Been Pwned?
• Confirmed: Petro Canada Parent Company Pwned By Hackers
• The Effects Of Petro Canada’s Parent Company Getting Pwned Continue With No ETA For Resolution
• The Petro Canada Cyberattack Could Cost The Company In Multiple Ways… And Who’s Behind This Cyberattack?
• Petro Canada Claims That You Can Pay Via Credit And Debit Cards Again… But Other Things Are Still Down After Getting Pwned

Today is July 6th and Petro Canada finally, and I do mean FINALLY has something to say on the matter. This email just hit my inbox:

You can also read the email online here.

So since I am a member of the Petro Points program, the threat actors now have my name, mailing address, and email address along with my phone number and date of birth. That pretty much guarantees that I along with every other member of the Petro Points program are going have very targeted attacks aimed at me in the near future. Not to mention the threat actors will make attempts at stealing my identity. I can also say that it’s a pretty safe bet that someone is going to find this response by Petro Canada to be inadequate and contact a lawyer to file a class action lawsuit. If that happens, I will be joining said lawsuit.

Honestly, after reading this I will not be able to trust Petro Canada again. Sure they could come out with a more detailed statement offering up how they got pwned, and what they’re doing to ensure that they don’t get pwned again. And they can do something more than offer up a credit of Petro Points. For example. Credit monitoring for the next year or two for every Petro Points customer would be a good start. But I don’t see that happening. Thus when this is resolved, whenever that is, I will be cashing out my Petro Points and I will not be doing business with Petro Canada again. But I will be watching this story closely as I fully expect that there will be a lot of developments in the days and weeks ahead.

Petro Canada for the last week has been dealing with what the company calls a “cybersecurity incident.” Which to the rest of us means that they have gotten pwned. It started last Friday and has been ongoing for the last week after the company confirmed that they had been pwned on Monday. I’ve been tracking this story since them and I wanted to prove an update. Apparently according to the company, debit and credit cards service is back on line:

Suncor Energy Inc. says it is making progress in resolving the customer disruptions that have occurred this week in the wake of a cyberattack against the oil and gas company.

The Calgary-based company says debit and credit transactions are once again available at most of its Petro-Canada retail sites.

Now I have not tested this personally. Thus I cannot confirm that this is the case. But browsing Twitter indicates that it may not be as people on Twitter today and yesterday are still complaining that paying at the pump is problematic at best. And Canada is heading into a long weekend as Saturday is Canada Day. Which means that if things aren’t 100% working by tomorrow, it will end badly for Petro Canada on a variety of fronts.

What is definitively still problematic is that their Petro Canada app is still not working as evidenced here:

When I tried this at just before 6AM this morning, it was still not working. That means you can’t pay for gas via the app. And if you don’t have a physical Petro Points card, which many don’t as Petro Canada did away with physical cards in favour of the app a few years ago, you can’t earn points towards things like free gas, nor can you redeem those points. Thus even if you can pay for gas using something other than cash, that’s one less incentive to get your gas At Petro Canada.

Petro Canada is in deep trouble here. We’re a week in and there doesn’t seem to be an end in sight. Customer’s buying habits have certainly changed and will not likely change back after this is over. Whenever that is. And if that’s not bad enough, there is no statement from Petro Canada about what happen, what data (be it their data or customer data) is at risk, and why we should ever trust them again. Let’s face it, even after this is over, whenever that is, Petro Canada and their parent company Suncor will have a very hard time in terms of assuring the Canadian public that they can be relied upon to deliver gas to a nation the size of Canada in a reliable manner.

We are now in day six of the Petro Canada/Suncor cyberattack. The app is still down, and stations are still only accepting cash. While the company admits that there has been attack, few details beyond what I have had outlined are available. Though there are rumours that it is worse than what we know. Whatever is going on, it’s going to cost them a lot in multiple ways:

• It will cost them in terms of their reputation: Petro Canada is the nation’s largest gas station. And people not being able to fill up in their stations because of this cyberattack will negatively affect their reputation the longer this goes on. And many will likely going to think twice about using Petro Canada after this situation is resolved. Whenever that is. On top of that, many will be wondering if their personal information is safe. At this time it isn’t clear if their customer’s personal information is at risk or not. That’s really bad from a reputation standpoint.
• It will cost them in lost sales: You have to wonder how many people did what I did which is to go elsewhere because Petro Canada doesn’t accept credit and debit cards? The longer that this goes on, people will get used to going to a gas station other than Petro Canada. And the harder it will be for Petro Canada to get them to return to their stations and spend their gas money there.
• It will cost them in terms of spending to fix this: IBM put out a study that says that the global average cost to companies of a data breach hit an all-time high in 2022 of US$4.35-million. And in the United States, the average cost of a data breach in 2022 was US$9.44-million. That’s not cheap. The same report said that in 2022, it took an average of 277 days for companies to identify and contain a breach. The bottom line is that this is going to get expensive in a hurry.

Another question that has surfaced in recent days is who is behind this and what is their motivation. To give you some views on this question, I sought the commentary of a variety of experts:

Mike Hamilton, Former CISO of the City of Seattle and former Vice-Chair of the DHS State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC) and CISO of Critical Insight

This is not the first time a Canadian energy sector company has been recently compromised. A pipeline company was compromised earlier this year, and a recent intelligence report stated that Russian actors are actively seeking to disrupt Canada’s energy infrastructure. Rather than being victims of opportunity, these events seem to be strategic acts of nation-state actors and not cyber criminals looking for a score.

About a year ago Canada announced that it would boost oil and gas production to assist the European Union cut its use of Russian energy. Notably, and in at least one of the incidents, actors were able to manipulate the operational technologies (OT) and did so. This suggests that the tools and tactics being used were more sophisticated, making these events significantly different than the ransomware attack against the IT (not OT) network of Colonial Pipeline.

According to the intelligence report, these events will likely continue for the duration of the war in Ukraine and are intended to produce psychological impacts in the population and yes, the United States is also a target for this activity. Whereas the actual destruction or permanent disruption of this infrastructure would constitute an act of war, temporary disruptions to energy generation and transmission are likely to proliferate and insofar as possible create the perception that it’s a criminal act. (Note that disrupting distribution is the domain of domestic nutjobs.)

Ron Brash, VP of Research and critical infrastructure software security firm, aDolus Technology

In the respect of comparing Suncor and Colonial, they are not the same and are not really in the same business.  Had Suncor been Enbridge, this would have been a vastly different story, but based on POS outages, rewards programs and corporate AD/credentials – it appears again to be more of a Honda-like event and some operations affected. Given the size and nature of Suncor/Petroncan,  it’s more likely that cardlocks, volume tracking and maybe metering/pos on pumps were affected. Some warehouse activities such as product management and shipping may have been stalled or degraded, but like downstream retail – they can often be run with a clipboard, measuring stick, calculator and an alternative form of payment (all except cardlock of course).

This could be a focused event because of Canada and other allies’ stance on the war in Ukraine, but evidence points to more of an inconvenience vs being a major incident or an organization such as a significant pipeline.   It may have been entirely opportunistic, and dressed up under a guise. However, more accurate details are needed before a true impact assessment can be surmised. 

Ron Fabela, field CTO at cybersecurity firm XONA Systems

It’s incredibly difficult to tie any intention to the Suncor cyber event with geopolitical actions or threats.  This very loose hypothesis comes from reports of “A pro-Russia hacktivist group claims to have breached the network of a Canadian gas pipeline company in February and caused damage that resulted in loss of profits, according to a document found among a tranche of US classified intelligence assessments leaked online recently.” (source Kim Zetter https://zetter.substack.com/p/leaked-pentagon-document-claims-russian).  Note that at the time, this breach and impact was communicated in the past tense, meaning an event that already occurred earlier this year.Even so, impacts reported by Petro-Canada (and parent Suncor Energy) indicate a potential standard ransomware attack against point of sale systems and supporting backend systems  (Nothing close to the reported “[…]show their access to the Canadian facility and indicating that they had the ability to increase valve pressure, disable alarms, and initiate an emergency shutdown of the facility” (source again from Kim Zetter).)At this time, there’s no indication that this event is having Colonial Pipeline-like impacts on Canadian infrastructure or customer confidence. However any cyber event, whether a direct APT attack or opportunistic ransomware, that affects critical infrastructure operations should be taken seriously and as a recipe for what’s ahead. The prevalence of ransomware targeting remote access services like with Colonial Pipeline or exposed vulnerable technologies such as MoveIT is only going to continue to have secondary impact on the safe and reliable operations of critical systems. Regardless of geopolitical intent this continues to be a concern for not just the US, but critical infrastructure organizations around the world. My advice: create plans around incident response, implement technologies that support visibility and zero trust architectures, take those first concrete steps into preventing future attacks instead of waiting for them to strike close to home.

For the sake of Petro Canada and Suncor, I hope that they’re making every effort to address this because the longer it goes on, the more likely that it won’t end well for them. On top of that, I hope that there’s a focused effort to find who did this and bring them to justice.

This is now day 5 of Suncor Energy being the victim of some sort of cyberattack. I first wrote about this on Sunday where Petro Canada gas stations were unable to accept payment by debit or credit card. On top of that, Petro Canada’s app which allows you to collect “Petro Points” for things like free gas and gift cards isn’t working either. On Monday led to Suncor admitting that it was dealing with a cyberattack. But as I type this, there’s no ETA as to when all of this will be resolved. And what makes things worse is that there is likely more going on than we know based on this report:

Ian L. Paterson, CEO of Vancouver-based cybersecurity company Plurilock Security Inc., said these public-facing issues could be “just the tip of the iceberg.” He added that as early as Friday, he was also hearing about Suncor employees being unable to log in to their own internal accounts.

“All of these things put together seem to suggest that there could be a sizable cyber incident that’s taking place,” Paterson said, cautioning that much is still unknown about the current situation.

“I think that this actually could be the Canadian Colonial Pipeline, just in the sense that Suncor is such a large part of the economy.”

If this is an attack as big as Colonial Pipeline, then this event is as non-trivial as it gets for Canada as Petro Canada is “the” gas station for many parts of the country.

Carol Volk, EVP, BullWall starts off the commentary: 

    “A company as large as Petro-Canada would most likely have had a plethora of security tools in place to prevent attacks like this. We are never going to stay one step ahead of motivated bad actors. A new approach that layers on active attack containment is the new frontier for cyber security.” 

Stephen Gates, Principal Security SME, Horizon3.ai follows with this:

   “Although the details of the cyber incident are few, this sounds like a targeted attack against the point-of-sales systems since the organization is unable to accept and process credit/debit card transactions. If a ransom-related campaign is the culprit, then this may indicate a new attack path and outcome.

   “Most occurrences of ransomware lock up workstations and data stores but rarely target what most would consider to be IoT. But on the other hand, many gas pumps run commonly used operation systems (like Windows CE) which could make them a considerable target to ransom since an outage could cause untold consumer pain.”

Finally I have a comment from Roy Akerman, Co-Founder & CEO, Rezonate:

   “This is an example of how cyber risk has a direct impact on business continuity. We often see that when an organization settles for compliance checks rather than a robust security program. Organizations should not invest only in preventative and cyber readiness actions, but also in recovery and response. As more information unfolds, we can further evaluate actions taken and the cause for business disruption.”

You would have thought that after the Colonial Pipeline incident, that companies overall would be better prepared. But that appears not to be the case and that doesn’t surprise me. Companies need to get serious about cybersecurity or they will end up like Suncor.

Yesterday, I noted that every Petro Canada gas station that I went to wasn’t accepting debit or credit cards. Instead they were cash only. And their mobile app wasn’t working as well. At the time, I said this:

But this reminds me of the Sobeys situation as well as the Garmin situation. In both cases, normal business was disrupted for some period of time. Neither company commented in any significant way on their issues. Then it later came out that both companies were pwned by ransomware. This Petro Canada situation has that feel to it. 

It appears that I might have been correct on them getting pwned by hackers. As per Reuters:

Canadian energy firm Suncor on Sunday said it experienced a cybersecurity incident, adding that some transactions with customers and suppliers could be impacted while they investigate and resolve the situation.

“At this time, we are not aware of any evidence that customer, supplier or employee data has been compromised or misused as a result of this situation,” the company said in a statement.

Suncor owns Petro Canada. Thus if Suncor has been pwned, Petro Canada has been pwned. The question that we all have to be asking is what did the hackers do (chances are it’s ransomware, but let’s leave that question open ended for now) and what info did they steal? And is any of that information personally identifiable information? For example, I use the Petro Canada app, is any of my info on the dark web someplace? These are all questions that Petro Canada needs to answer. And answer soon as silence isn’t an option if they want to regain the trust of Canadians that almost certainly been shaken because of this incident.

Last night I went out to get gas at my local Petro Canada which is the closest gas station to my home. Upon arrival, I was greeted with this:

If you look at the top right corner, there’s a handwritten note that says “only cash”. But I wasn’t deterred as I opened the Petro Canada app and tried to do the pay at the pump method via the app. However I was met with this:

You can see that it says “Login is currently unavailable”. So that was a #Fail. Since I didn’t have any cash on me, I was forced to go to my nearest Esso station to fill up. Upon returning home, I decided to go to the Petro Canada website. I was met with this:

If you look at the top, it says “Login is temporarily unavailable”. Thus it didn’t take a rocket scientist to figure out that something is up with Petro Canada. I then checked the companies Twitter feed and it hasn’t been updated in over two days. That’s odd. And checking the local and national media, I I found two stories talking about this online. Twitter has people talking about this as well:

That last Tweet highlights what many are thinking. Which is that this is some sort of cyberattack. I don’t say that lightly. But this reminds me of the Sobeys situation as well as the Garmin situation. In both cases, normal business was disrupted for some period of time. Neither company commented in any significant way on their issues. Then it later came out that both companies were pwned by ransomware. This Petro Canada situation has that feel to it. And we’ll find out what the deal is soon enough because Petro Canada has a very high profile in Canada, which means the Federal Government will start to ask questions about this (if they haven’t already) as in many parts of Canada, gas stations are few and far between. Thus if your closest option for gas is Petro Canada, and the next option is miles of away, you might have a problem. The Federal Government knows that and will want answers. Hopefully Petro Canada will be able to answer them fully and transparently.