Security Assignment Final - 3


Jimma University

Institution of Technology

Faculty of Computing and Informatics

Department of Information Technology

Information Assurance and Security Group Assignment

Group members ID

1. Abel Akalu RU 0066/12

2. Abel Gossaye RU 1813/12

3. Abenizer Admasu RU 0268/12

4. Amanuel Girma RU 5855/11

5. Taddese Demis RU 0493/12

6. Abubeker Tofik RU 2012/12

Submitted to Berhanu M. (MSc)

Submitted date: 03/05/2023 GC


1. Briefly describe recent damages to companies affected by cyber-attacks and data breaches. (at least 5)

A. Colonial Pipeline: In May 2021, a ransomware attack on Colonial Pipeline,
which operates a major fuel pipeline in the United States, caused widespread
disruption and fuel shortages in multiple states. The company reportedly paid a
ransom of $4.4 million to the attackers to regain access to its systems.

The Colonial Pipeline is one of the largest and most vital oil pipelines in the U.S. It
began in 1962 to help move oil from the Gulf of Mexico to the East Coast states.

The Colonial Pipeline comprises more than 5,500 miles of pipeline. It starts in
Texas and moves all the way up through New Jersey, supplying nearly half of the
fuel for the East Coast. The Colonial Pipeline delivers refined oil for gasoline, jet
fuel and home heating oil. Colonial Pipeline headquarters is in Alpharetta, Ga.

What is the Colonial Pipeline hack?

The Colonial Pipeline hack is the largest publicly disclosed cyber-attack against
critical infrastructure in the U.S.

The attack involved multiple stages against Colonial Pipeline IT systems. The
pipeline's operational technology systems that actually move oil were not directly
compromised during the attack.

The attack began when a hacker group identified as DarkSide accessed the
Colonial Pipeline network. The attackers stole 100 gigabytes of data within a two-
hour window. Following the data theft, the attackers infected the Colonial Pipeline
IT network with ransomware that affected many computer systems, including
billing and accounting.

Colonial Pipeline shut down the pipeline to prevent the ransomware from
spreading. Security investigation firm Mandiant was then brought in to investigate
the attack. The FBI, Cybersecurity and Infrastructure Security Agency, U.S.
Department of Energy, and Department of Homeland Security were also notified
of the incident.

Colonial Pipeline paid DarkSide hackers to get the decryption key, enabling the
company's IT staff to regain control of its systems. Colonial Pipeline restarted
pipeline operations May 12.

What was the root cause of the Colonial Pipeline attack?

Attackers got into the Colonial Pipeline network through an exposed password for
a VPN account, said Charles Carmakal, senior vice president and CTO at cyber
security firm Mandiant, during a hearing before a House Committee on Homeland
Security on June 8.

Many organizations use a VPN to provide secure, encrypted remote access into a
corporate network. According to Carmakal's testimony, a Colonial Pipeline
employee -- who was not publicly identified during the hearing -- likely used the
same password for the VPN in another location. That password was somehow
compromised as part of a different data breach.

Password reuse has become a common problem, as many users often use the same
password more than once.

Colonial Pipeline attack timeline

The Colonial Pipeline attack and recovery unfolded at a rapid pace in a short
period of time.

May 6, 2021

• Initial intrusion and data theft.

May 7, 2021

• Ransomware attack begins.

• Colonial Pipeline becomes aware of the breach.

• Security firm Mandiant called in to investigate and respond to the attack.

• Law enforcement and federal government authorities notified of the attack.

• Pipeline taken offline to reduce risk of exposure to the operational network.

• Colonial Pipeline pays ransom of 75 bitcoin ($4.4 million) to

May 9, 2021

• Emergency declaration by President Joe Biden.

May 12, 2021

• Pipeline restarted as normal operations resumed.

June 7, 2021

• Department of Justice recovers 63.7 bitcoin -- approximately $2.3 million -- from the attackers.

June 8, 2021

• Congressional hearing on the attack.


Who was responsible for the Colonial Pipeline hack?

The Colonial Pipeline hackers were identified as a group known as DarkSide.

As part of a ransomware attack, attackers make a ransom demand, which is how
they reveal themselves. If they don't ask for the ransom, they won't get paid -- and
getting paid is what ransomware is all about. With ransomware, attackers encrypt
an organization's data and hold it hostage until a ransom is paid. Once attackers
receive payment, they are supposed to share a decryption key, enabling victims to
recover their data.

DarkSide's first publicly reported activity was in August 2020, when it began a
malicious campaign of infecting victims with ransomware. DarkSide is thought to be
operating out of Eastern Europe or Russia -- though there is no confirmed link with
any nation-state sponsored activity. The Russian government has also denied
involvement with DarkSide or the pipeline operator attack.

One of the primary ways that DarkSide operates is with a ransomware-as-a-service
(RaaS) model. With RaaS, DarkSide provides its ransomware capabilities to other
threat actors. Instead of the other threat actors developing their own ransomware,
they can use RaaS against potential victims.

Who was affected?

There was significant and immediate effect when the Colonial Pipeline hack
occurred.

It affected the airline industry, where there was a jet fuel shortage for many
carriers, including American Airlines. There was also limited disruption at other
airports, including Atlanta and Nashville.

Fear of a gas shortage caused panic-buying and long lines at gas stations in many
states, including Florida, Georgia, Alabama, Virginia and the Carolinas. There was
also a spike in the average price at the gas pump, with regular gas topping
$3/gallon in the aftermath of the Colonial Pipeline shutdown. Panic-buying did
lead to some real shortages in certain areas as consumers bought more gasoline
than usual.

In some states, people even filled plastic bags with gasoline. This triggered a U.S.
Consumer Product Safety Commission alert, warning consumers to only use
containers meant for fuel.

Colonial Pipeline ransom paid and recovered

The goal for attackers in a ransomware attack is to have the victim pay a ransom,
which is exactly what Colonial Pipeline did.

The DarkSide attackers asked for a ransom of 75 bitcoin, which was worth
approximately $4.4 million on May 7. Bitcoin's value is volatile and fluctuates
quickly over short periods of time.

Colonial Pipeline CEO Joseph Blount explained why he decided to pay the ransom
during the Congressional hearings. At the time the ransom demand was made,
Blount said it wasn't clear how widespread the intrusion was or how long it would
take Colonial Pipeline to restore the compromised systems. So Blount decided to
pay the ransom, hoping it would speed up the recovery time.

Bitcoin is commonly used by ransomware threat actors due to the mistaken belief
that the currency cannot be traced. In a press conference on June 7, Deputy
Attorney General Lisa O. Monaco said the U.S. Department of Justice's
Ransomware and Digital Extortion Task Force traced the ransom paid by Colonial
Pipeline. A Wall Street Journal report on June 11 detailed how FBI agents were
able to follow the bitcoin payment trail to recover the ransom.

Bitcoin is a cryptocurrency, and users have a digital wallet to hold it. The DOJ was
able to find the digital address of the wallet that the attackers used and got a court
order to seize the bitcoin. The operation recovered 64 of the 75 bitcoin that
Colonial Pipeline paid. At the time of the recovery, the 64 bitcoin were worth
approximately $2.4 million.

B. SolarWinds: In December 2020, it was discovered that the SolarWinds Orion
software had been compromised by a sophisticated cyberattack that had gone
undetected for months. The attackers, believed to be a state-sponsored group, were
able to access the networks of numerous government agencies and private
companies, including Microsoft.

2020 was a roller coaster of major, world-shaking events. We all couldn't wait for
the year to end. But just as 2020 was about to close, it pulled another fast one on
us: the SolarWinds hack, one of the biggest cyber security breaches of the 21st
century.

The SolarWinds hack was a major event not because a single company was
breached, but because it triggered a much larger supply chain incident that affected
thousands of organizations, including the U.S. government.

What is SolarWinds?

SolarWinds is a major software company based in Tulsa, Okla., which provides
system management tools for network and infrastructure monitoring, and other
technical services to hundreds of thousands of organizations around the world.
Among the company's products is an IT performance monitoring system called
Orion.

As an IT monitoring system, SolarWinds Orion has privileged access to IT systems
to obtain log and system performance data. It is that privileged position and its
wide deployment that made SolarWinds a lucrative and attractive target.

What is the SolarWinds hack?

The SolarWinds hack is the commonly used term to refer to the supply chain
breach that involved the SolarWinds Orion system.

In this hack, suspected nation-state hackers that have been identified as a group
known as Nobelium by Microsoft -- and often simply referred to as the SolarWinds
Hackers by other researchers -- gained access to the networks, systems and data of
thousands of SolarWinds customers. The breadth of the hack is unprecedented and
one of the largest, if not the largest, of its kind ever recorded.

More than 30,000 public and private organizations -- including local, state and
federal agencies -- use the Orion network management system to manage their IT
resources. As a result, the hack compromised the data, networks and systems of
thousands when SolarWinds inadvertently delivered the backdoor malware as an
update to the Orion software.

SolarWinds customers weren't the only ones affected. Because the hack exposed
the inner workings of Orion users, the hackers could potentially gain access to the
data and networks of their customers and partners as well -- enabling affected
victims to grow exponentially from there.

How did the SolarWinds hack happen?

The hackers used a method known as a supply chain attack to insert malicious code
into the Orion system. A supply chain attack works by targeting a third party with
access to an organization's systems rather than trying to hack the networks directly.

The third-party software, in this case the SolarWinds Orion Platform, creates a
backdoor through which hackers can access and impersonate users and accounts of
victim organizations. The malware could also access system files and blend in with
legitimate SolarWinds activity without detection, even by antivirus software.

SolarWinds was a perfect target for this kind of supply chain attack. Because their
Orion software is used by many multinational companies and government
agencies, all the hackers had to do was install the malicious code into a new batch
of software distributed by SolarWinds as an update or patch.

The SolarWinds hack timeline

Here is a timeline of the SolarWinds hack:

September 2019. Threat actors gain unauthorized access to SolarWinds network

October 2019. Threat actors test initial code injection into Orion

Feb. 20, 2020. Malicious code known as Sunburst injected into Orion

March 26, 2020. SolarWinds unknowingly starts sending out Orion software
updates with hacked code

According to a U.S. Department of Homeland Security advisory, the affected
versions of SolarWinds Orion are versions 2019.4 through 2020.2.1 HF1.

More than 18,000 SolarWinds customers installed the malicious updates, with the
malware spreading undetected. Through this code, hackers accessed SolarWinds's
customer information technology systems, which they could then use to install
even more malware to spy on other companies and organizations.

Who was affected?

According to reports, the malware affected many companies and organizations.
Even government departments such as Homeland Security, State, Commerce and
Treasury were affected, as there was evidence that emails were missing from their
systems. Private companies such as FireEye, Microsoft, Intel, Cisco and Deloitte
also suffered from this attack.

The breach was first detected by cybersecurity company FireEye. The company
confirmed they had been infected with the malware when they saw the infection in
customer systems. FireEye labeled the SolarWinds hack "UNC2452" and identified
the backdoor used to gain access to its systems through SolarWinds as "Sunburst."

Microsoft also confirmed that it found signs of the malware in its systems, as the
breach was affecting its customers as well. Reports indicated Microsoft's own
systems were being used to further the hacking attack, but Microsoft denied this
claim to news agencies. Later, the company worked with FireEye and GoDaddy to
block and isolate versions of Orion known to contain the malware to cut off
hackers from customers' systems.

They did so by turning the domain used by the Sunburst backdoor in Orion into a
kill switch. The kill switch here served as a mechanism to prevent Sunburst from
operating further.

Nonetheless, even with the kill switch in place, the hack is still ongoing.
Investigators have a lot of data to look through, as many companies using the
Orion software aren't yet sure if they are free from the backdoor malware. It will
take a long time before the full impact of the hack is known.

C. Target:

The Target data breach of 2013 was one of the largest and most significant data
breaches in history, and it had far-reaching consequences for the retail giant and its
customers. In this essay, we will discuss the background and causes of the breach,
the impact of the incident on Target and its customers, and the lessons that can be
learned from the incident.

Background and Causes of the Breach

The Target data breach occurred during the holiday shopping season of 2013,
between November 27 and December 15. During this time, cybercriminals were
able to gain access to Target's payment processing system and install malware that
collected the personal and financial information of customers as they made
purchases.

The breach compromised the data of approximately 40 million customers,
including their names, addresses, credit and debit card numbers, and in some cases,
their card's security codes. The attackers were able to exploit a vulnerability in
Target's payment processing system, which allowed them to gain access to
unencrypted data as it was transmitted between the cash registers and Target's
servers.

The breach went undetected for several weeks, and it was not until December 15
that Target's security team became aware of the incident. The company
immediately launched an investigation and worked to contain the breach, but the
damage had already been done.

Impact of the Breach on Target and Its Customers

The Target data breach had significant consequences for both the company and its
customers. Target faced significant reputational damage and financial losses as a
result of the incident, including the cost of providing credit monitoring and identity
theft protection services to affected customers.

The breach also had a significant impact on Target's customers, who were advised
to monitor their credit and financial accounts for signs of fraudulent activity. Many
customers reported unauthorized charges on their credit and debit cards, and some
were victims of identity theft as a result of the breach.

The Target data breach had far-reaching consequences beyond just the immediate
financial and operational impacts. It highlighted the need for stronger data security
measures and greater accountability for companies that collect and store sensitive
personal information, and it prompted a broader discussion about the risks and
consequences of cyberattacks and data breaches.

Lessons Learned from the Target Data Breach

The Target data breach serves as a cautionary tale about the potential risks and
consequences of cyberattacks and data breaches, and it underscores the need for
companies to take proactive measures to protect their systems and data from cyber
threats.

One of the most important lessons learned from the Target data breach is the
importance of investing in cybersecurity measures and maintaining up-to-date
security protocols. Companies must take steps to identify and mitigate
vulnerabilities in their systems, and they must be prepared to respond quickly and
effectively to security incidents when they occur.

Additionally, the Target data breach highlighted the need for greater transparency
and accountability in the handling of sensitive personal information. Companies
that collect and store this information must be transparent about their data security
practices and must take responsibility for any breaches or incidents that occur.

D. JBS: In May 2021, meat processing company JBS suffered a ransomware attack
that disrupted its operations in North America and Australia. The attack caused
temporary shutdowns of several facilities and led to concerns about potential meat
shortages. The company reportedly paid a ransom of $11 million to the attackers.

Nearly one week after JBS USA announced it had recovered from a ransomware
attack thanks to proper backups and incident response practices, the company has
now confirmed it paid an $11 million ransom.

JBS USA, a subsidiary of the world's largest beef producers, was struck by REvil
ransomware on May 30, forcing the company to shut down operations. On June 3,
the company announced the resolution of the ransomware attack, citing the
company's "swift response, robust IT systems and encrypted backup servers" for
the "rapid recovery."

However, in a press release Wednesday, JBS USA confirmed it paid a hefty
ransom to REvil threat actors. The global beef manufacturer said it made the
decision to pay in order to mitigate "any unforeseen issues related to the attack, and
ensure no data was exfiltrated." In response to the attack against its operations, JBS
USA said it paid the equivalent of $11 million in ransom -- even though the
company admitted the "vast majority" of its facilities were operational at that time.

"This was a very difficult decision to make for our company and for me
personally," Andre Nogueira, CEO of JBS USA, said in the statement. "However,
we felt this decision had to be made to prevent any potential risk for our
customers."

It is still unclear when systems were fully restored -- before or after paying the
ransom -- and when the payment was made. The June 3 press release said, "all of
its global facilities are fully operational after resolution of the criminal
cyberattack." In Wednesday's statement, JBS USA said that "at the time of
payment, the vast majority of the company's facilities were operational."

SearchSecurity contacted JBS USA for comment, but the company did not respond
at press time.

The initial attack only affected some of the servers supporting JBS' North
American and Australian IT systems. It did not impact the company's backup
servers or core production systems.

The FBI later attributed the attack to the REvil ransomware group. The group is
behind one of the highest demands ever made, $50 million, against Taiwan-based
PC manufacturer Acer Inc. just last month. REvil is known to use data exfiltration
with threats to leak the stolen data if victims do not pay. JBS said one reason it
paid was to ensure no data was exfiltrated.

JBS USA is the second company to give in to a multi-million-dollar ransom
demand recently. Colonial Pipeline Co. confirmed it paid a $4.4 million ransom to
DarkSide ransomware actors last month, though the FBI seized the majority of the
payment. While the attackers differed, in both cases the ransomware only affected
IT systems and not core production systems. Yet, in both cases, the ransomware
groups made off with millions.

JBS USA said it has maintained constant communications with government
officials throughout the incident, and that third-party forensic investigations are
still ongoing, but no final determinations have been made about how the threat
actors gained access to its network. According to the statement Wednesday,
preliminary investigation results show no evidence that any company, customer or
employee data was compromised.

E. Marriott:

The Marriott data breach of 2018 was a significant cyberattack that affected the
hotel chain and compromised the personal information of millions of customers. In
this essay, we will discuss the background and causes of the breach, the impact of
the incident on Marriott and its customers, and the lessons that can be learned from
the incident.

Background and Causes of the Breach

The Marriott data breach occurred in 2018 and went undetected for several years.
The breach was caused by a vulnerability in the company's Starwood guest
reservation database, which stored the personal and financial information of
millions of customers.

The attackers were able to gain access to the database and steal sensitive
information such as names, addresses, passport numbers, and credit card
information. The breach compromised the data of approximately 500 million
customers, making it one of the largest data breaches in history.

The attack was believed to have been carried out by a state-sponsored group, and it
was not discovered until September 2018, when Marriott's security team became
aware of unauthorized access to the Starwood database.

Impact of the Breach on Marriott and Its Customers

The Marriott data breach had significant consequences for both the company and
its customers. Marriott faced significant reputational damage and financial losses
as a result of the incident, including the cost of providing credit monitoring and
identity theft protection services to affected customers.

The breach also had a significant impact on Marriott's customers, who were
advised to monitor their credit and financial accounts for signs of fraudulent
activity. The personal and financial information of millions of customers was
compromised, and some were victims of identity theft as a result of the breach.

Lessons Learned from the Marriott Data Breach

The Marriott data breach serves as a reminder of the potential risks and
consequences of cyberattacks and data breaches, and it underscores the need for
companies to take proactive measures to protect their systems and data from cyber
threats.

One of the most important lessons learned from the Marriott data breach is the
importance of maintaining up-to-date security protocols and investing in
cybersecurity measures. Companies must take steps to identify and mitigate
vulnerabilities in their systems, and they must be prepared to respond quickly and
effectively to security incidents when they occur.

Additionally, the Marriott data breach highlighted the need for greater transparency
and accountability in the handling of sensitive personal information. Companies
that collect and store this information must be transparent about their data security
practices and must take responsibility for any breaches or incidents that occur.

2. What are the most common computing security attacks and their
countermeasure?

There are several common computing security attacks that organizations and
individuals may encounter. Here are examples of some of these attacks and the
countermeasures that can be taken to prevent or mitigate them:

Phishing attacks: Phishing attacks are a type of social engineering attack in which
attackers attempt to trick individuals into revealing sensitive information, such as
login credentials or financial information. Countermeasures include educating
employees and individuals about how to identify and report phishing emails,
implementing email filters and spam blockers, and using two-factor authentication
for sensitive accounts.

Malware attacks: Malware attacks involve the use of malicious software, such as
viruses, worms, or Trojans, to compromise systems and steal data or disrupt
operations. Countermeasures include implementing anti-virus and anti-malware
software, keeping software and operating systems up-to-date with security patches,
and restricting access to sensitive systems and data.

Denial-of-service (DoS) attacks: DoS attacks involve overwhelming a system or
network with traffic or requests in order to disrupt its operations. Countermeasures
include implementing network firewalls and intrusion detection systems, using
load balancers to distribute traffic across multiple servers, and maintaining backup
systems and data.

Ransomware attacks: Ransomware attacks involve encrypting a victim's data and
demanding payment in exchange for the decryption key. Countermeasures include
regularly backing up data and storing backups offline or offsite, using anti-
malware software that can detect and block ransomware, and educating employees
about how to identify and report suspicious activity.

Password attacks: Password attacks involve attempting to guess or steal
passwords in order to gain unauthorized access to systems and data.
Countermeasures include enforcing strong password policies, implementing multi-
factor authentication, and using password manager software to securely store and
generate complex passwords.
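The root cause described under Colonial Pipeline (a VPN password reused elsewhere and exposed in a different breach) and the password-attack countermeasures listed here come together in the following Python check, an added example that is not part of the original assignment. It screens a candidate remote-access password against a constructed list of leaked passwords using a hashed-prefix lookup in the style of the Pwned Passwords k-anonymity range query, applies a minimum policy, and reports whether a second factor is enrolled; the leaked list, the 12-character minimum and all function names are assumptions.

```python
import hashlib
import re

# Constructed sample of credentials exposed in an unrelated breach
# (hypothetical values made up for this example, not real leaked data).
LEAKED_PASSWORDS = ["Summer2020!", "Password123", "colonial2021", "letmein"]

# Minimum length the assumed VPN password policy enforces.
POLICY_MIN_LENGTH = 12


def build_breach_index(passwords):
    """Index leaked passwords as SHA-1 digests, bucketed by 5-hex-char prefix.

    Only digests are stored, so the corpus never holds plaintext. The prefix
    buckets reproduce the k-anonymity range lookup used by Pwned Passwords:
    a lookup discloses only the first five characters of the hash.
    """
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def range_query(index, prefix):
    """Server side: return every hash suffix in one prefix bucket, nothing else."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return frozenset(index.get(prefix.upper(), set()))


def is_breached(index, password):
    """Client side: hash locally, send only the prefix, match the suffix here."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_query(index, digest[:5])


def policy_violations(password):
    """Return the policy rules a password fails; an empty list means it passes."""
    problems = []
    if len(password) < POLICY_MIN_LENGTH:
        problems.append("shorter than %d characters" % POLICY_MIN_LENGTH)
    if re.search(r"(.)\1{2,}", password):
        problems.append("contains three or more identical characters in a row")
    return problems


def evaluate_vpn_credential(index, password, mfa_enrolled):
    """Combine the three countermeasures for a remote-access (VPN) account.

    A password that already appears in a breach corpus is rejected outright,
    because a reused, previously leaked password is how the Colonial Pipeline
    VPN account was compromised; a missing second factor is also reported,
    since a second factor keeps a leaked password from being sufficient alone.
    """
    findings = policy_violations(password)
    if is_breached(index, password):
        findings.append("appears in a known breach corpus (likely reused)")
    if not mfa_enrolled:
        findings.append("account has no second factor enrolled")
    return {"accept": not findings, "findings": findings}


if __name__ == "__main__":
    idx = build_breach_index(LEAKED_PASSWORDS)
    for pw, mfa in [("Summer2020!", False), ("correct-horse-battery", True)]:
        print(pw, evaluate_vpn_credential(idx, pw, mfa))
```

In production the corpus would be a large external set or a range-query service; the offline list here only stands in for it.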

Insider attacks: Insider attacks involve malicious actions taken by employees or
contractors with authorized access to systems and data. Countermeasures include
implementing access controls and monitoring systems to detect and prevent
unauthorized access, conducting background checks and security screenings for
employees and contractors, and educating employees about the consequences of
violating security policies.

3. Briefly discuss Legal, Privacy and Ethical issues in computer security

Legal, privacy, and ethical issues are important considerations in computer
security. Here is a brief overview of each of these issues:

Legal Issues: Legal issues in computer security involve compliance with laws and
regulations related to data protection, privacy, and cybersecurity. For example,
companies may be subject to data breach notification laws that require them to
notify affected individuals and regulatory bodies in the event of a data breach.
Other laws, such as the General Data Protection Regulation (GDPR) in the
European Union, impose strict requirements for the collection, use, and sharing of
personal data.

Privacy Issues: Privacy issues in computer security involve protecting individuals'
personal information from unauthorized access, use, and disclosure. This includes
issues related to data collection, storage, and sharing, as well as the use of tracking
technologies such as cookies and web beacons. Companies must be transparent
about their data collection and use practices and must obtain explicit consent from
individuals before collecting or using their personal information.

Ethical Issues: Ethical issues in computer security involve considerations of
fairness, transparency, and accountability. For example, companies must ensure
that their security measures do not unfairly discriminate against certain groups or
individuals, and that they are transparent about their security practices and how
they use individuals' personal information. Companies must also take
responsibility for any breaches or incidents that occur and work to minimize harm
to affected individuals.
