How did the Garmin cyber attack happen, and what does it mean for users?
You would have seen the news about the massive “ransomware” attack on Garmin last week. Starting early on Thursday and continuing through the weekend, Garmin users worldwide weren’t able to upload activities through Garmin Connect, the Garmin website was down, support centres were out of commission, manufacturing was brought to a halt, and flyGarmin services used by pilots were also down. The attackers encrypted some of Garmin’s systems and then reportedly demanded a US$10 million ransom in order to restore access.
As of Tuesday, the Garmin site is back up and activities are syncing again. But how did this attack happen in the first place? And what does it mean for Garmin users now and into the future?
How it happened
Oren T. Dvoskin is the global marketing director at Sasa Software, an Israeli IT security firm that specializes in preventing file-based attacks (he’s also a VeloClub member). As Dvoskin explained to CyclingTips this week, ransomware attacks are commonplace and easy to fall for.
“You open an inconspicuous email attachment, and before knowing it, your files are encrypted,” Dvoskin said. “These [files] can sometimes be restored using backups, or by paying the ransom, usually in Bitcoin. Victims often find that ransomware actors have excellent customer service. Really. It’s called RaaS: ‘ransomware as a service’.”
While ransomware attacks can target individuals, it’s usually more profitable for attackers to go after large organisations.
“Since early 2019 there’s been a shift in the pattern of attacks, especially against manufacturing companies and public utilities,” Dvoskin said. “While the primary motive of the attacks remains financial gains, the current trend is ‘wiper’ attacks aiming to severely disrupt operations.”
A “wiper” attack is exactly as it sounds — the attackers overwrite or remove data from the victim’s system.
In the case of Garmin, the attackers used the so-called “WastedLocker” ransomware. Operated by Russian cybercrime group Evil Corp, WastedLocker is used by the group in targeted attacks against specific organisations. As Dvoskin explained, Evil Corp delivers the ransomware by adding malicious code to existing websites; code which prompts users to download a “software update”.
“The initial attack ‘vector’ was users browsing a compromised (legitimate) website,” Dvoskin said of the Garmin case. “Browsing the site opens a page luring users to download fake software. In this case, it seems [it was] hacked news sites, triggering a request to ‘update’ [Google] Chrome browsers.”
Installing the “update” to Google Chrome introduced the weaponised file into the user’s computer, from where it was able to spread across Garmin’s network. “The initial compromise enables attackers to initiate a sequence of steps,” Dvoskin explained. “These include studying the victim’s network to identify weaknesses, and using the discovered vulnerabilities to deploy the ransom component in as many locations as possible. When control is achieved, many attacks exfiltrate data from the network prior to the ransomware activation. This is usually where the ‘big’ money is.
“Once control and exfiltration has been achieved, the ransom component is activated in an orchestrated way to achieve a rapid enterprise-wide disruption. This process can actually take several weeks depending on the effort required to achieve control.”
Once activated on the Garmin network, the WastedLocker ransomware set about encrypting files. BleepingComputer.com reports that the Garmin IT department “tried to remotely shut down all computers on the network as devices were being encrypted, including home computers connected via VPN”. All devices in a data centre were also shut down. The result of these shutdowns was the outage of Garmin Connect and other services.
With the data encrypted, the attackers then reportedly demanded a US$10 million ransom in exchange for a key that would decrypt the data.
What it means for users
So is this attack simply a concern for Garmin itself? Or do users have reason to be concerned?
As Dvoskin explained, when a company like Garmin comes under attack, there are a couple of user-related questions that need to be asked. “The two concerns here are data privacy and integrity,” he said. “Has data integrity been compromised? Is activity history complete? Will activities stored upload properly? Time will tell.”
As for data privacy, analysis of previous WastedLocker incidents shows they didn’t include the exporting of data, so Garmin users’ activity data appears to be safe for now. It would seem that the greatest impact to Garmin users was the inability to upload activities for a few days, or to access the brand’s website or support services.
“We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen,” Garmin said in a statement. “Additionally, the functionality of Garmin products was not affected, other than the ability to access online services. Affected systems are being restored and we expect to return to normal operation over the next few days.”
But say you work for a large organisation that could possibly be subjected to such an attack. Or maybe you just want to protect yourself more generally. What can you do?
“In the Garmin incident there were reports that employees’ personal laptops were encrypted [by WastedLocker] since they connected via VPN,” Dvoskin explained. “So, I’d make sure that all ‘work’ equipment is properly updated with the organization’s security policies and tools. Then, I’d strongly suggest separating between work and ‘home’ devices. Don’t browse work email from your home laptop, and don’t plug in a private USB into your work device and vice versa. Remember: incident containment.
“Many organizations also allow you to install a home version of their security solution on personal devices, for free. If that isn’t available, then I’d invest in the paid version of security software. Change passwords on all of your devices. Yes, even on your new smart TV, home router and … refrigerator! And, well, think twice before opening links, downloading files and activating macros!”
What comes next
As noted, the worst of the attack seems to be over for Garmin, but it’s not quite clear how it got things under control. Paying the US$10 million ransom would likely have been a breach of US Treasury rules.
CyclingTips has reached out to Garmin on several occasions to learn more about the attack and its handling of the situation. So far no response has been forthcoming. In the absence of any official response, Dvoskin has some educated guesses about what’s probably going on at Garmin right now and how the company would be best-placed to respond.
“I’d imagine that Garmin is now deploying an incident response and forensic analysis to understand what happened and how to recover,” he said.
If he was involved in the recovery effort here’s what he’d recommend the company do.
“Undergo an analysis of existing vulnerabilities, with a focus on IT to OT/ICS security (Operational Technology / Industrial Control System),” he said. “Establish preventative measures to ‘kill’ the initial attack sequence. In this case, a combination of web isolation, advanced email security, and file security using Content Disarm and Reconstruction (CDR). The combination of the above would have prevented the download of the document that initiated the attack.
“When a ship has a breach in a single compartment, it shouldn’t sink. The same thing is true for cybersecurity incidents. Use network separation to prevent the propagation of threats. Deploy OT/ICS specialized endpoint and network monitoring tools to detect anomalous behavior and terminate malicious processes. Rigorously apply best practices such as deploying security patches, updating systems, changing default passwords, etc. It might sound trivial but [it’s] challenging to implement.”
Notably, Dvoskin doesn’t mention employee training as a method of stopping a similar, future attack: “It’s really the last line of defence and will always have a weak link.”
So where to from here from Garmin? Dvoskin would like to see the company do more to inform users and the general public about what happened, how it’s handling the problem, and what it will do to stop it happening again; something other affected companies have done well. “What I’m missing from Garmin is transparency about their incident recovery efforts,” he said. “Equifax was hit badly [ed. with millions of users’ data exfiltrated] but came through on who was affected. Norsk Hydro was applauded for the trust they established [ed. by being transparent about what happened in their attack].”
One thing’s clear. Garmin isn’t the first sports company to be hit by a massive cyber attack — indeed Canyon was hit earlier this year — and it certainly won’t be the last. Or as Dvoskin puts it: “The light at the end of the tunnel? Every company has or will have their incident. They recover. So will Garmin.”