On Friday, Colonial Pipeline Company discovered that it had been hit by a ransomware attack. Responsible for delivering gas, heating oil and other forms of petroleum to homes and organizations, the company accounts for 45% of the East Coast’s fuel. The attack forced Colonial Pipeline to shut down certain systems, temporarily stopping all pipeline operations.
In a statement released on Sunday, the company said that it hired a third-party cybersecurity firm to investigate the attack and contacted law enforcement as well as federal agencies, including the Department of Energy. Beyond dealing with the incident itself, Colonial Pipeline is under the gun to get its operations back online safely and securely.
“The Colonial Pipeline operations team is developing a system restart plan,” the company said. “While our mainlines (Lines 1, 2, 3 and 4) remain offline, some smaller lateral lines between terminals and delivery points are now operational. We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.”
SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)
If the pipeline is down for just a couple of days, customers and consumers should be spared any economic or supply issues. But, an attack with longer-term repercussions could trigger higher gas prices and even shortages. More importantly, the incident shows the impact of critical infrastructure as a victim of a cyberattack.
“The economic impact wrought by this cyberattack will bring home to government and energy operators the vulnerabilities in critical infrastructure,” David Bicknell, principal analyst for thematic research at GlobalData, said in a statement. “This is not the first ransomware cyberattack on an oil and gas utility—and it won’t be the last. But it is the most serious. It is also potentially one of the most successful cyberattacks against US critical national infrastructure.”
James Shank, Ransomware Task Force (RTF) committee lead for worst case scenarios, said that this type of attack against critical infrastructure or services shows the rise of ransomware as a threat to national security, especially as we continue to grapple with COVID-19.
“Targeting pipelines and distribution channels like this attack on the Colonial Pipeline Co. makes sense–ransomware is about extortion and extortion is about pressure,” Shank told TechRepublic. “Impacting fuel distribution gets peoples’ attention right away and means there is increased pressure on the responding teams to remediate the impact. Doing so during a time when the pandemic response has created other distribution and supply chain problems, many of which will require timely and efficient distribution of goods, adds to the pressure.”
SEE: Colonial Pipeline attack reminds us of our critical infrastructure’s vulnerabilities (TechRepublic)
Colonial Pipeline has contracted security firm FireEye Mandiant to investigate the attack. A spokesperson for FireEye told TechRepublic that the company isn’t commenting on the incident at this point. In the meantime, the FBI has fingered the DarkSide ransomware gang as the culprit behind this attack.
Surfacing during the summer of 2020, DarkSide has already garnered an infamous reputation and has eked out a healthy profit from its tactics, according to Lior Div, CEO of security firm Cybereason. The group is known for being both “professional” and “organized” and has potentially taken in millions of dollars in profits with ransom demands ranging from $200,000 to $2,000,000.
DarkSide has typically targeted English-speaking countries, at the same time avoiding regions associated with former Soviet Bloc nations, Div said. The group purportedly has a code of conduct in which it vows not to attack hospitals, schools, non-profits and government agencies. DarkSide reportedly has tried to donate its ill-gotten gains to various charities, which refused to accept them because of its tactics.
The gang also likes to use a double-extortion tactic in which it demands payment to decrypt the victim’s data but also vows to publicly leak the information if the ransom isn’t paid. This way, even organizations with viable backups of the stolen data may be more prone to pay the ransom. The group also historically targets domain controllers, threatening entire networks, Div added.
“DarkSide’s motives are ostensibly motivated by profit, however in today’s world of false flags and vague associations with governments, this is not a given,” Mike Hamilton, former CISO of Seattle and CISO of government cybersecurity firm CI Security, told TechRepublic.
“Because the Colonial Pipeline is a significant energy artery of the United States, its strategic importance is such that the DarkSide group could not have been ignorant of the fact,” Hamilton said. “Further, given this importance it is likely that this act was known to Russian government—either through direct communication or from intelligence gathering by the GRU and SRV.”
The motives for the attack could differ between DarkSide and the Russian government, Hamilton added. However, the Kremlin could be using DarkSide to determine whether the U.S. would “draw the line” between a criminal act and an act of aggression.
“I think we need to ask why this keeps happening—same MO every time,” Mark Stamford, CEO of security firm OccamSec, said. “There’s a hack or ransomware. It’s described as being done by ‘elite hackers.’ Incident response kicks in, which is expensive. Company buys some new tools. Rinse, repeat. At some point we are going to have to come to grips with how the bad guys actually operate, stop putting technology into everything because we can, and do something other than issue a press release, set up a task force, etc.”
Infrastructure systems aren’t necessarily more susceptible to cyberattack, but they do still have weaknesses ripe for exploitation, according to FiniteState CEO Matt Wyckhouse.
“In fact, the energy sector, aided by federal initiatives, has come a long way to ensure that their systems are secure,” Wyckhouse said. “But there is still a lot of work to be done, and some sophisticated attackers know that there are still weaknesses that they can exploit. It is critical that organizations understand what their risks are, and address them proactively rather than maintaining a reactive posture.”