In what is being described as the largest and most egregious cyberattack against United States critical infrastructure in our history, Colonial Pipeline which operates the nation’s largest fuel pipeline was forced to shut down all operations this past Friday and is still not operational as of Monday afternoon, May 10. The devastating ransomware attack against Colonial forced an unprecedented emergency declaration from the federal government as the cyberattack essentially dried up gas distribution throughout the East Coast as the company indicated that it was working to resume operations and hoped to restore service by the end of the week.
Colonial issued a press release this afternoon stating: “While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach,”
Homeland Security Advisor Elizabeth Sherwood-Randall told reporters in an afternoon press conference that shutting down the Colonial networks was a “precautionary measure, and that while the hackers broke into networks devoted to the company’s business operations, it did not reach computers that control the physical infrastructure that transports gasoline and other fuel.”
Simple Greed is the Motive
The FBI confirmed Monday that the culprit is a strain of ransomware called DarkSide, believed to be operated by a Russian cybercrime gang referred to by the same name. The hacker gang posted a statement on their website in a refrain that has become all too familiar to victims and cybersecurity experts alike around the country. DarkSide affirmed its intention was not political but was simply old-fashioned extortion.
The DarkSide website message read: ““We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined goverment and look for other our motives,” misspelling "government."
“Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” This seems to indicate that even the DarkSide attackers realize they might have gone too far with this hack against a critical American infrastructure company.
“The Colonial pipeline ransomware attack demonstrates yet again the significant impact of ransomware attacks. Once ransomware actors get an initial foothold, no system is safe. These new higher-end, professionalized ransomware attacks are harder to defend against because of the automated and human intervention where human actors pick the targets and operate the attack,” warns Pascal Geenens, who is the Director for Threat Intelligence at Radware.
“There is a growing underground economy where ransomware operators have access to verified credential lists, attack tools, and malware platforms. This is a game-changer. Previously, gangs could never pull this off on their own, but now they can because of underground trading. The world is facing a severe enemy in ransomware and no one is safe. Authorities should not lose sight of this threat and continue or increase their resources in the fight against ransomware actors.”
Chilling Vulnerabilities
The ransomware attack on Colonial Pipeline underscores just how vulnerable critical U.S. infrastructure is to cybercriminals in a way no previous attack has done. The successful breach of Colonial Pipeline’s IT system forced the company to shut down 5,500 miles of pipelines to ensure hackers could not gain access to its operational technology.
“Unfortunately, a ransomware attack of this magnitude has been anticipated, with hackers turning their sights more toward government and utilities, targeting industrial control systems and critical infrastructure. When it comes to attacking these types of organizations, the goals can vary,” says Ruston Miles, Founder and Advisor at Bluefin. “On the first level, and the most basic, hackers want a payout. They will employ a double-extortion scheme, including first encrypting files which they can leverage for a payout if an organization does not have backups of their files and can easily re-establish them. If the organization can re-establish their backups, then the hackers can move on to leveraging the files that they originally stole to still demand a payout if those files contain clear-text payment or sensitive consumer data. They can threaten to expose that clear-text data on hacker websites, or even resell this data in order to monetize it.”
Miles confides, that when it comes to compromising the oil and gas industry, though, it becomes more nefarious because a further goal of these attacks can be to disrupt operations in the energy sector, making this type of attack a national security threat.
Miles continues that although we're in the very early-stages of this ransomware incident, and it is not known how the attackers were able to get into the Colonial Pipeline network, all companies – including those in oil and gas – should be following best practices to minimize the potential for a ransomware attack:
- Educate your employees. Training your employees in cybersecurity best practices can help them spot potential phishing attempts and other cyber threats.
- Stay up to date on security patches. To reduce vulnerabilities, keep your operating system updated on the latest patches.
- Back up your data. Frequent, automatic updates won’t prevent ransomware, but they may help you access files in the event of an attack. Many businesses are moving data to the cloud as a resilient strategy
- Create a defense-in-depth security strategy. An effective defense is one with multiple layers of protection, from employee training to encryption and more.
- Never allow clear-text sensitive data to enter your system. Make sure to encrypt or tokenize all sensitive data (PII, PHI, PCI, etc) so that it renders sensitive information useless in the event of an attack. Otherwise, hackers may use your data to force you to pay the ransom.
Hackers Do Their Homework
For Mike Hamilton, former CISO of Seattle and CISO of government cybersecurity firm, CI Security, what seems to set this group apart is the research they conducted before compromising their victim. They apparently knew the reporting structure, who in the organization made decisions and who handled finances.
“If that is true, it is unlikely that this event is an artifact of the ‘spray and pray type of attack and was highly targeted. That diminishes the theory that this gang is just the ‘dog that caught the car’, as this was an entirely intentional act. Assuming that, it is also unlikely that this occurred without the knowledge, and perhaps support of government entities within the country of origin. Rather than a miscalculation resulting in unwanted scrutiny by the federal government, the perception created is that we're being tested. Will the U.S. Government treat this as just another criminal act, clean up and move on? Or will this generate the urgency necessary to finally connect the acts of hostile governments and their criminal communities,” ponders Hamilton.
Hamilton adds that an opportunity is coming to do just that. Coming soon and likely this week, the Biden administration is expected to issue an executive order intended to improve the security of federal and private systems in response to the SolarWinds and Exchange attacks by Russia and China, respectively. This new attack against US energy infrastructure may spur an expansion of the EO from a focus on additional preventive measures to include specific language on actions the U.S. Government will take when critical infrastructure is attacked, potentially treating it as terrorism.
“That in itself is the slippery slope. A retaliation can cause escalation into points unknown. The administration will need to carefully weigh the benefit of a punitive action with the likelihood of escalation, but this cannot go unanswered,” Hamilton says.
About the Author:
Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes magazines Security Technology Executive, Security Business and Locksmith Ledger International and top-rated webportal SecurityInfoWatch.com. Steve can be reached at [email protected]
