Motorists who have pulled up to one of Canada’s Petro-Canada gas stations in the last few days have been greeted by “cash only” signs, as a cyber attack on parent company Suncor Energy has disrupted the company’s payment and loyalty reward systems.
Petro-Canada has about 1,500 gas stations that span most of the country. Suncor Energy is one of the largest synthetic crude producers in Canada. The outage is very likely to cost the company millions of dollars when all is said and done, and some security experts believe there is a link to Russian hackers with a nationalist bent.
Suncor Energy customers, suppliers impacted by cyber attack
Suncor issued a press release on June 25 indicating that there is “no indication” that customer, supplier or employee data is impacted. The press release is extremely short and does not provide any further indication about what happened, but the extended downtime of payment systems at the gas stations points to ransomware.
Stephen Gates, Principal Security SME of Horizon3.ai, expands on how a ransomware attack might have ended up compromising payment portals: “Most occurrences of ransomware lock up workstations and data stores but rarely target what most would consider to be IoT. But on the other hand, many gas pumps run commonly used operation systems (like Windows CE) which could make them a considerable target to ransom since an outage could cause untold consumer pain.”
Petro-Canada locations remain open, but visitors have not been able to use cards or loyalty rewards points to pay for transactions. Cash at the register is the only sure means of payment until the incident is sorted out. It does not appear that customers will be able to earn new “Petro-Points” on transactions while the gas stations are hobbled in this way, and loyalty program accounts cannot be accessed via the company app or website.
Petro-Canada has also been selling a “Carwash Season Pass” for use at its gas stations, offering one wash per day for 90 days for a flat price of $65. The cyber attack has also prevented locations from scanning these passes, and customers currently have no means to redeem them.
The full extent of the impact to customers, employees and suppliers remains unknown so long as Petro-Canada and Suncor remain tight-lipped about what happened. Naturally, it takes some time for internal investigations to unfold. However, statements of “no indication” of abuse of sensitive information usually only mean that the company has not yet spotted the data being posted or transferred on the dark web or elsewhere. Ransomware gangs are increasingly using the “double extortion” approach of stealing files prior to locking up victim systems, and using the threat of public leaks as added pressure. Suncor has verified that third-party cybersecurity investigators have been brought in to assist.
Carol Volk, EVP of BullWall, believes that the “radio silence” approach does not necessarily mean that the attack was devastating to the company: “A company as large as Petro-Canada would most likely have had a plethora of security tools in place to prevent attacks like this. We are never going to stay one step ahead of motivated bad actors. A new approach that layers on active attack containment is the new frontier for cyber security.”
An update from Petro-Canada on June 29 indicated that “most” of its locations are again able to take credit and debit card payments as it makes headway on remediation of the cyber attack.
Hack reduces services for Canada’s second-largest chain of gas stations
The impact is significant, with some customers taking to Twitter and other social media platforms to report that they coasted into Petro-Canada gas stations on fumes only to find that they had no means available to pay for their fill-up, instead having to use their credit card to pay for a tow to another station. Petro-Canada is the second-largest chain of gas stations in the country, holding nearly 11% of national market share as of early 2023 and second only to Parkland Fuel.
Hackers have shown an increased interest in the oil and gas sector in recent years. While some of this is driven by expected nation-state espionage and the occasional attempt at causing damage, the biggest share of growth has been for-profit criminals looking to steal valuable data and extort these companies. The 2021 Colonial Pipeline attack was the obvious poster child for this trend, but there have been numerous other major incidents involving for-profit criminal hackers in recent years. A 2022 report from the S&P Global Platts Oil Security Sentinel project found 35 major cyber attacks within the prior five years, and that ransomware attempts on oil and gas companies were up 150%.
The incident also closely follows a warning that Russian hackers might be looking to disrupt Canada’s oil and gas industry with cyber attacks, in a bid to weaken national support for Ukraine’s defense. The Communications Security Establishment, one of Canada’s intelligence agencies, issued a warning on June 21 that non-state actors based in Russia were planning ransomware campaigns focused more on end users, such as targeting gas stations, in an attempt to both make some money and express nationalistic support for their government. The agency believes that these hackers will not be looking to directly attack pipelines or core infrastructure, however.
In April, state-backed Russian hackers did claim credit for a disruptive attack on an unnamed natural gas pipeline company in Canada that they said took place in early 2023; however, no evidence of such an attack could be found. Leaked documents do indicate that Russia’s “Zarya” hacking group, affiliated with the FSB, is “standing by” on opportunities to conduct destructive cyber attacks against Canadian pipelines.