{
	"id": "716a6f8f-94fe-4b0c-ad6e-68dc5b876066",
	"created_at": "2026-04-06T00:11:59.856355Z",
	"updated_at": "2026-04-10T03:37:01.071938Z",
	"deleted_at": null,
	"sha1_hash": "522bba6e74703f95598b4c3a66891374f211fe35",
	"title": "The Week in Security: A possible Colonial Pipeline 2.0, ransomware takes bite out of American eateries | ReversingLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 951886,
	"plain_text": "The Week in Security: A possible Colonial Pipeline 2.0, ransomware takes bite out of American eateries | ReversingLabs\r\nBy Carolynn van Arsdale, Writer, ReversingLabs\r\nPublished: 2023-04-27 · Archived: 2026-04-05 13:31:43 UTC\r\nSecurity Operations · April 27, 2023\r\n\r\nWelcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond.\r\n\r\nThis week: A Canadian gas pipeline could have suffered an explosion caused by a cyber attack. Also: Financial services firm NCR hit with a ransomware attack, hurting thousands of small American eateries.\r\n\r\nThis Week’s Top Story\r\n\r\nPossible Colonial Pipeline 2.0? Security incident causes concern for Canada’s critical infrastructure\r\n\r\nA Canadian gas pipeline suffered a security incident that could have caused an explosion at the company’s gas site, according to a New York Times story that cited leaked U.S. intelligence documents. The attackers, from the pro-Russia hacking group Zarya, were communicating with Russia’s Federal Security Service (FSB), the primary successor to the KGB, about the incident’s potential for physical damage, according to the leaked documents.\r\nhttps://www.reversinglabs.com/blog/the-week-in-security-possible-colonial-pipeline-2.0-ransomware-hurts-small-american-eateries\r\nPage 1 of 3\n\nCanadian Prime Minister Justin Trudeau confirmed that the unnamed Canadian gas pipeline was attacked, but said there had been no physical damage to any of Canada’s energy infrastructure. The cyber attack, which took place on February 25, 2023, was intended to economically damage the company. With respect to the possibility of physical damage, Zarya had access to the infrastructure of the gas pipeline operator and was awaiting further instructions from Russian intelligence on how to proceed.\r\n\r\nThis incident is alarming for two reasons. First, the attack demonstrates that pro-Russian threat actors can penetrate the critical infrastructure systems of Western countries. Second, communications between Zarya and Russian intelligence demonstrate that pro-Russian hacking groups could be operating under, and taking direction from, the Russian government, which means that this incident could have been carried out based on a nation-state adversary’s motivations.\r\n\r\nNews Roundup\r\n\r\nHere are the stories we’re paying attention to this week…\r\n\r\nFinancial services firm NCR hit by ransomware attack, disrupting Aloha and Back Office products (CPO Magazine)\r\n\r\nA payment processing system used by over 100,000 restaurants and bars has been temporarily disrupted as its parent company, NCR, has been hit with a ransomware attack. Most affected are independent eateries and small local chains across the U.S.\r\n\r\nGitLab's new security feature uses AI to explain vulnerabilities to developers (TechCrunch)\r\n\r\nDeveloper platform GitLab today announced a new AI-driven security feature that uses a large language model to explain potential vulnerabilities to developers, and it plans to expand on this feature in the future to automatically resolve those vulnerabilities using AI.\r\n\r\nLinux shift: Chinese APT Alloy Taurus is back with retooling (Dark Reading)\r\n\r\nAfter a brief hiatus, the Alloy Taurus APT (aka Gallium or Operation Soft Cell) is back on the scene, with a new Linux variant of its PingPull malware. The Chinese nation-state-affiliated threat actor has been around since at least 2012, but has only been in the spotlight since 2019. It focuses on espionage, and tends to target major telecommunications providers.\r\n\r\n#RSAC: Election protection is CISA's top priority for next 18 months (InfoSecurity Magazine)\r\n\r\nFor CISA, the protection of the looming 2024 election is now a high priority in its effort to protect democracy: “This is our top priority over the next year and a half,” says Eric Goldstein, executive assistant director for cybersecurity at CISA.\r\n\r\nU.S. Cyber Command is sending experts abroad to help allies catch hackers (Tech Monitor)\r\n\r\nThe U.S. government’s Cyber National Mission Force (CNMF) is sending its experts abroad in so-called “hunt-forward” operations to aid partner countries in combating cybercrime. It has launched 47 operations in 20 countries over the last three years.\r\n\r\nSource: https://www.reversinglabs.com/blog/the-week-in-security-possible-colonial-pipeline-2.0-ransomware-hurts-small-american-eateries",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.reversinglabs.com/blog/the-week-in-security-possible-colonial-pipeline-2.0-ransomware-hurts-small-american-eateries"
	],
	"report_names": [
		"the-week-in-security-possible-colonial-pipeline-2.0-ransomware-hurts-small-american-eateries"
	],
	"threat_actors": [
		{
			"id": "76d871c3-96cd-41d3-8889-f0396e480e91",
			"created_at": "2023-11-14T02:00:07.093421Z",
			"updated_at": "2026-04-10T02:00:03.449641Z",
			"deleted_at": null,
			"main_name": "Zarya",
			"aliases": [
				"UAC-0109"
			],
			"source_name": "MISPGALAXY:Zarya",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b8b4ed7-e8cc-4a3a-b14d-c8ebf87c0f9c",
			"created_at": "2023-01-06T13:46:39.062729Z",
			"updated_at": "2026-04-10T02:00:03.200784Z",
			"deleted_at": null,
			"main_name": "Operation Soft Cell",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Soft Cell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434319,
	"ts_updated_at": 1775792221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/522bba6e74703f95598b4c3a66891374f211fe35.pdf",
		"text": "https://archive.orkl.eu/522bba6e74703f95598b4c3a66891374f211fe35.txt",
		"img": "https://archive.orkl.eu/522bba6e74703f95598b4c3a66891374f211fe35.jpg"
	}
}