A simple explanation of why the ransomware attack on the Colonial Pipeline Company is such a big deal for the U.S. critical infrastructure
The increasing number and severity of cyberattacks on critical infrastructure is truly believed to be one of the greatest concerns of the ongoing decade. Recent cybersecurity events support this statement. Particularly, intrusion to SolarWind, which is believed to be organized by Russia’s intelligence service, and hacker attack on Microsoft-designed systems, which was likely to be executed from China, underscored the vulnerability of the networks on which the corporations and government rely. Although these cases are extremely important for understanding the state of the national cybersecurity landscape, this article shifts its focus to another event – a ransomware attack on the Colonial Pipeline Company – one of the most disruptive digital ransom attacks ever reported.
The cyberattack on Colonial elevated a governmental concern about the security of the nation’s energy infrastructure because it has distinguishing features previously uncommon for such kinds of cyberattacks. First, the attacker was not a hostile state like Russia or China but a criminal extortion ring named DarkSide. Second, predators aimed not to disrupt the economy or customer communication system but to hold corporate data for ransom. These conditions, unfortunately, show how vulnerable the critical infrastructure is to hackers.
Colonial Pipeline is rightfully considered as a “jugular” of the US fuel pipeline sector. Every day, it transports 2.5 million barrels of refined gasoline, diesel fuel, and jet fuel through 8,850 km of pipelines. Colonial’s conduit links the refiners from the Gulf Coast up to New York Harbor and New York’s major airports, including Atlanta’s Hartsfield Jackson Airport, the world’s busiest by passenger traffic. Disruptions on such a vital fuel artery have caused a mess around its service area.
On May 6, 2021, Colonial Pipeline Company’s network was attacked by hackers. The criminals obtained unauthorized control of around 100 gigabytes of data and locked the enterprise’s computers with ransomware announcing they will hold data until the victim pays a ransom.
On May 8, 2021, Colonial announced the shutdown of its pipeline operations as a precautionary act for fear that the perpetrators might have obtained critical information that would enable them to attack the most susceptible parts of the pipeline.
Occurring ahead of peak summer driving season, the pipeline shutdown created a mess among U.S. consumers and hit the economy. The incident provoked disruptions in large parts of the Eastern and Southern U.S. and caused petrol shortages for motorists. According to the Washington Post analysts, the sweeping economic effect of the incident could be explained by an artificial shortage driven by panic buying. As a result of the heightened demand, the national average for a gallon of gas was pushed to $3.02 (up 8 cents) and reached its highest level since 2014, according to the Washington Post. Сrude prices, meanwhile, dropped at around 2,9 percent while West Texas Intermediate, the U.S. oil benchmark, was trading at $64.19 per barrel. Despite the trials to find the haul gasoline and jet fuel using alternative ways, the fuel shortage was sharply felt.
Soon after, Colonial released the official statement about the incident reporting that:
“Colonial Pipeline Company learned it was the victim of a cybersecurity attack and has since determined that the incident involved ransomware…These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring… We have remained in contact with law enforcement and other federal agencies, including the Department of Energy, who is leading the Federal Government response.”
On May 8, 2021, Colonial had paid a ransom of $4,4m (75 bitcoin) to the perpetrator’s crypto wallet.
On May 12, the Colonial Pipeline resumed fuel shipments, delivering fuel to most of the pipeline’s markets.
The incident was immediately called a “wake-up call” for the nation’s security infrastructure because it only shows what disruptions a single hacker attack may cause but also stresses how vulnerable U.S. energy infrastructure is. Moreover, it prompts us to reconsider the priorities and legislation in the sphere of the US critical infrastructure.
As the FBI reported it, the Colonial Pipeline fell victim to the DarkSide – a cybercriminal hacking group that targets victims using ransomware and extortion. The U.S. Government interagency technical guidance defines ransomware as,
Ransomware is a form of malware that seeks to deny users access to data and IT systems by encrypting the files and systems—thus locking out users. Hackers usually extort victims for a payment, typically in cryptocurrency, to decrypt the system. Recently, such attacks have been coupled with data breaches in which perpetrators also steal data from their ransomware victims. In addition to locking their computer systems, the hackers notify victims that they have copies of their data and will release sensitive information unless a ransom is paid, extorting them twice (p.2).
DarkSide is believed to be based in Eastern Europe (most likely in Russia). It targets critical infrastructures and businesses but avoids hitting schools, healthcare centers, and non-profit organizations. Although it is not believed to be a government-sponsored organization, the experts state that the DarkSide has proliferated in Russia with at least the implicit sanction of the Kremlin authorities. The distinguishing feature of DarkSide’s operations is that it avoids targeting geographic locations that use certain system language settings (generally Cyrillic).
The DarkSide releases ransomware under an affiliate program and uses the ransomware-as-a-service (RaaS) model for maintaining its criminal operations.
RaaS is a cybercrime model in which one criminal group develops the ransomware and hosts the infrastructure upon which it operates. It then leases that capability to another criminal group to conduct an attack cutting clients’ earnings from every successful extortion.
Since DarkSide follows the RaaS business model, an affiliate group may be behind the attack and extortion. However, as with Colonial, the victim paid the ransom to DarkSide. Specifically, the Bitcoin wallet, which is assumed to be owned by DarkSide, received the 75 BTC payment (worth $4.4 million). According to Elliptic analysts, the wallet has been active since 4th March 2021 and has received 57 payments from 21 different wallets. Notably, some of these payments match ransoms known to have been paid to DarkSide by other victims.
On May 14, according to the New York Times, the DarkSide reported closing its affiliate program after the U.S. law enforcement operation. However, the experts admit that even if the DarkSide has shut down, the threat from ransomware has not passed. So, organizations must be fully prepared to respond to similar or even more severe attacks.
Investigation Process and Reaction
Being a privately-held organization, Colonial is exposed to less pressure than any publicly traded company might be to reveal details. However, as the guardian of stability within the critical pipeline infrastructure, the company is bound to come under scrutiny over the quality of its protections and its transparency about how it responded to the attack.
Investigation of such a disruptive attack involved private and governmental parties, including the F.B.I., the Energy Department, the Department of Homeland Security’s Cybersecurity, the Infrastructure Security Agency, and the FireEye security group. The most challenging for the process was the sheer fact of the ransom payment, despite the FBI’s advice against it. This controversial decision reinvigorated the national debates over whether there should be a blanket ban on victims paying a ransom.
The case of Colonial shows that a company can be easily breached in one moment while the recovery process may be long-lasting. With Colonial, the ransom paying did not resolve the issue immediately since the process of decrypting data and turning the pipeline back took days before the East Coast returned to normal life.
The ransomware attack has become a “wake-up call” that raises questions about the national preparedness for the cyber era. Notably, a long-gestating Executive Order on Improving the Nation’s Cybersecurity, which seeks to mandate changes in cybersecurity on the national level, was issued on May 12, 2021. Compared to the previously issued guidelines to bolster national digital defenses, the current order is more detailed and intends to reach the private sector intensively. For instance, the order establishes an incident review board, requires data encryption (whether it is in storage or while it is being transmitted), requires all software purchased by the federal government to meet a series of new cybersecurity standards, etc.
Many state- and privately-owned enterprises started to recheck their protective measures against ransomware attacks and strengthen their security postures. For those unknown where to start, we suggest acquainting with reputable guidelines on addressing the ransomware attacks presented by The Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Federal Bureau of Investigation (FBI). Planet 9 also aims to help organizations increase their awareness and facilities to resist ransomware. For this purpose, we prepared a special roadmap for ransomware protection.
The recent events in the cyber environment draw more public and governmental attention to critical infrastructure players. The case of the Colonial Pipeline Company showed how important it is to strengthen the security posture within the US critical infrastructure. As for now, the state- and privately-owned organizations should prepare for changes in the cybersecurity sphere. For more detailed information about the ongoing changes, consult the Planet 9 team, and we’ll be happy to assist.
Website: https://planet9security.com
Email: info@planet9security.com
Phone: 888-437-3646