Juha Saarinen: Garmin needs to explain cyber attack

Garmin brings GPS navigation and wearable technology to the automotive, aviation, marine, outdoor and fitness markets. Photo / Garmin

COMMENT:

Another week, another famous name falls prey to "a cyber attack that encrypted some of our systems".

That's what Garmin, maker of activity and location trackers said, in the wake of an outage that, as of writing, is still to be fully resolved.

Systems being encrypted sounds very much like ransomware, and some publications have even published screenshots allegedly from Garmin systems, with file names that look like those created by the WastedLocker malware.

Either way, Garmin users have not been able to sync their exercise data with the company's online services and dashboards because of the outage. Contacting Garmin has been impossible too, as their email is down, ditto the online chat and their phones.

FlyGarmin, the umbrella brand for the company's avionics data services, has been partly unavailable too. Some services have been restored and Garmin says it's working hard to get back online.

That's about the extent of the information so far though. Garmin hasn't said how the attackers got it, and how much damage they did.

One real concern is that Garmin users' data was accessed or copied by the malware. You only need to go back to January 2018 to understand why: in January that year, Nathan Ruser, an Australian university student, found military personnel had shared their run data with activity tracker Strava.

Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option). https://t.co/hA6jcxfBQI … It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable pic.twitter.com/rBgGnOzasq

— Nathan Ruser (@Nrg8000) January 27, 2018

The data was used by Strava to create a "global heat map" that showed people's movements. It was in the words of Strava engineer Drew Robb "the largest, richest, and most beautiful data set of its kind".

This was and is probably true, but Ruser discovered that the 13 trillion (!) global positioning data points visualised by Strava could be used to map military bases around the world. Not just that, but the lovely heat maps generated from the data could be used to deduce military personnel's patterns of movement. That's invaluable information for adversaries, and orders to turn off data sharing were soon issued by various armed forces around the world.

You don't want to leak people's location and movement data, ditto any avionics info, but it appears that Garmin dodged a bullet here if it was slammed by WastedLocker. So far, all signs point to WastedLocker not being quite as nasty as other ransomware, in that it doesn't copy and steal data, and only encrypts it.

Garmin says it has no indication that any user data was accessed or taken.

WastedLocker is supposedly developed by Evil Corp group headed by Maksim "Aqua" Yakubets. The group is known for demanding ransoms in the millions of dollars range and for that reason, targets large enterprises that have that kind of money.

It's clearly a lucrative business, and British intelligence dug up pictures of the brazen Yakubets driving expensive cars.

This is where it gets interesting though: security professionals and law enforcement agencies agree that paying ransoms to criminals in the hope that they will, in turn, send victims the digital keys needed to decrypt scrambled data is a bad idea. Doing so only perpetuates the extortion enterprise and there's no guarantee that a key will be delivered, or that the decryption software will work.

In the case of Evil Corp, the Russian ransomware raiders are under United States sanctions since last year for spreading the Dridex banking credentials stealing malware.

Dridex alone has caused hundreds of millions of dollars in losses worldwide, and it's one of several malware released by Evil Corp. No wonder that the US wants to shut them down, and the sanctions are an effort to stem the flow of stolen money.

The question on everyone's mind now is: if it was WastedLocker, did Garmin pay Evil Corp the ransom to decrypt its scrambled files? If so, does that amount to sanction busting?

US authorities taking a close interest in Evil Corp could perhaps be a reason why the criminals don't try to exfiltrate data via WastedLocker. However, another worrying aspect is that the Americans believe Evil Corp has close ties to Russian intelligence agencies.

One of Yakubets' gigs with Russian intelligence services is apparently to acquire confidential documents through "cyber-enabled means".

That's enough to put Yakubets and Co on the Federal Bureau of Investigation's most wanted cyber criminals. The Evil Corp gang would be wise to spend their ill-gotten gains in Russia and nowhere else in the world if they want to avoid arrest.

With that background, it will be very interesting to watch how the Garmin story unfolds. It has already raised many questions that need answers that might help other victims caught in the flood of ransomware crime currently.