Garmin Hack, Glitch in Flight Navigation and an NSA Warning: The Massive Threat of WastedLocker

On Thursday, July 23, Garmin started sending out a notice to its users, stating that the company was experiencing an ‘outage’. While occasional outages are fairly common in the tech space, what was happening at Garmin was hardly everyday business. ZDNet promptly reported that the company has been hit by a rather extensive ransomware attack, one which appeared to take down the company’s websites, apps, internal communications, customer support services, and critically, Garmin hardware, software and databases that are used actively for aerospace and even maritime navigation. Earlier yesterday, Garmin partially confirmed the same via a global media statement.

While Garmin has seemingly played down the severity of the hack, the cyber attack is actually of massive, massive consequence. The ransomware-led “outage” at Garmin came on the same day as CISA-NSA’s joint advisory on serious cyber attacks threatening some of the most critical, industrial IoT deployments. Almost as a show of their might and abilities, a part of Garmin’s affected services included their aerospace and even maritime navigation technologies. In essence, the attack could actually have been exponentially more impactful – particularly if commercial aerospace was operating as per its pre-Covid-19 usual.

It also sheds light on how ransomware and related cyber crime techniques have advanced significantly, and also, how the data-led world poses a great amount of risk – all summing up to suggest that Garmin was a very meticulously chosen prey, one that may have been a precursor to an impending wave of cyber attacks.

Evil Corp at play

The ransomware that toyed with Garmin’s systems is alleged to be WastedLocker – the nomenclature assigned to the malware by UK-based security firm, NCC Group. As Stefano Antenucci, cyber threat analyst at Fox-IT, a division of NCC, says, WastedLocker was discovered by cyber security professionals as recently as May this year, and is masterminded by Maksim Viktorovich Yakubets – the alleged leader of notorious cyber criminal group, Evil Corp. Unlike general ransomware attacks, WastedLocker deploys a far deeper technique that capitalises on cyber security lapses to ensure that the ransom encryption takes longer, and at times also becomes impossible, for companies to fight against.

Garmin has not officially used the term “ransomware” as part of its statement, but its wording fairly indicates so. The company stated yesterday that it was the “victim of a cyber attack that encrypted some” of its systems on July 23. Perhaps more important, on this note, is this passage: “We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services. Affected systems are being restored and we expect to return to normal operation over the next few days. We do not expect any material impact to our operations or financial results because of this outage.” In other words – all of the classic indicators of a ransomware attack.

A Garmin India spokesperson declined News18’s request for an interaction on the topic.

The extent of the threat

So, why is this attack on Garmin so significant? The answer lies in Yakubets’ activities, Evil Corp’s activities of late, and how WastedLocker works.

One example of just how widespread and impactful WastedLocker can be is given by Symantec’s spokesperson for its Critical Attack Discovery and Intelligence Team. According to the team, Evil Corp recently targeted a series of cyber attacks that infected the websites of a number of USA-based publications with malware. This malware then injected a further malware payload into selected visitors of the websites, which then enabled them to install WastedLocker on strategic systems. Symantec has claimed that Evil Corp’s series of cyber attacks have hit at least 31 organisations already, with eight of them being Fortune 500 companies. There has so far been no disclosure on which companies may have been compromised.

NCC-Fox-IT’s Antenucci further states that Evil Corp’s modus operandi also involves affecting the backup infrastructure of companies. “This increases the time for recovery for the victim, or in some cases due to unavailability of offline or offsite backups, prevents the ability to recover at all,” he says. To an extent, this would explain why it has been taking Garmin long to restore its services. Garmin Connect, the user dashboard, is seemingly coming back online for users now.

flyGarmin and Garmin Pilot, which are critical commercial aviation services that require regular database updates as per USA’s Federal Aviation Administration (FAA) regulation, were down for four full days, before coming back online yesterday. At a normal time in a pandemic-free world, this could have caused significant mayhem. Thankfully, FAA database data says that the airspace database update was delivered to requisite systems a week prior to the ransomware attack, although Garmin aviation hardware still went offline. A Wired report on the matter says Garmin’s Active Captain app, used for maritime navigation, may have also suffered from the attack.

Warning bells ringing

More than just being an isolated attack, the Garmin hack shows the severity and extent to which a sophisticated malware can impact critical industrial IoT systems. Alarmingly, on July 23, the same day of the Garmin attack, the United States Cybersecurity & Infrastructure Security Agency (CISA) and NSA issued industry-wide advisories to be extra vigilant about cyber attacks on industrial IoT deployments, in the coming weeks. The attack on Garmin, hence, could have just been the tip of the proverbial iceberg.

Garmin has further claimed that it has received no indication of its user data being compromised, which also falls in line with how Evil Corp and WastedLocker work. As Antenucci says, “The group has not appeared to have engaged in extensive information stealing or threatened to publish information about victims in the way that the DoppelPaymer and many other targeted ransomware operations have. We assess that the probable reason for not leaking victim information is the unwanted attention this would draw from law enforcement and the public.”

While reports remain disputed as to whether Evil Corp demanded a $10 million ransom from Garmin, and if the latter paid the same, what’s more alarming to note is the extent of severe risk that many of the world’s biggest companies are at. On the scale of sophistication, WastedLocker is far more impactful than the likes of WannaCry and NotPetya, which have so far been some of the world’s largest coordinated cyber attacks. The new wave, which has apparently only just begun, looks set to transcend it all.