Colonial Pipeline ransomware attack has grave consequences

The consequences of Friday’s DarkSide ransomware attack against the operator of the Colonial Pipeline, the largest fuel pipeline in the US, are spreading rapidly, with real-world disruption now cascading throughout the US energy sector, providing an object lesson in the importance of protecting critical national infrastructure (CNI).

Over the weekend, the US government declared an emergency and the Department of Transportation (DoT) temporarily relaxed the regulations that govern how long truckers are permitted to remain behind the wheel across most of the Mid-Atlantic and southern US, and Texas, to improve flexibility in the fuel supply chain.

US commerce secretary Gina Raimondo told the CBS TV network: “Unfortunately, these sorts of attacks are becoming more frequent. They are here to stay and we have to work in partnership with businesses to secure networks, to defend ourselves against these attacks.

“As it relates to Colonial, the president was briefed yesterday. It’s an all-hands-on-deck effort right now. We are working closely with the company, state and local officials to make sure that they get back up to normal operations as quickly as possible and that there aren’t disruptions in supply.”

Meanwhile, energy sector analysts have warned of “domino effects” on the US transport system, and the possibility of price rises at petrol stations.

Steve Forbes, Nominet government cyber security expert, said it was likely the Colonial attack would have a ripple effect beyond the US.

“While the demand for oil across the US East Coast is evident, the fact that this is already impacting the financial markets and traders demonstrates that it really is the tip of the iceberg,” said Forbes. “That’s not to mention the fact that the severity of this breach will worsen if confidential information is leaked, as the group has threatened.

“Being able to take systems offline and begin a process of restoration is undeniably important, but there is an additional threat if this data is exposed. It underlines the importance of international collaboration to bring down these highly coordinated groups early in their development if we want to protect our critical services.”

Forbes added: “As we watch the domino effect of this cyber attack, it is very apparent that impact is not limited to systems and software – victims will come in all shapes and sizes, from industries to individuals.”

Andy Norton, European cyber risk officer at Armis, added: “These cyber-physical attacks are a big deal, because they demonstrate just how fragile the provision of critical services is into society. A few weeks ago, a water treatment plant was compromised, leading to the potential for poisoning of the water. Now, 45% of the US oil energy provision has been switched off to the East Coast. Prolonged shortages in critical services lead to civil unrest, economic pressures, and a general lack of confidence in public administration.”

How the attack unfolded

The attack itself was first detected on Friday 7 May, when the Colonial Pipeline Company determined that it had been hit by a cyber attack, understood to be the DarkSide ransomware.

DarkSide is a relatively new human-operated ransomware strain, first observed in 2020. The group behind it operates double extortion attacks on a ransomware-as-a-service model with numerous affiliate groups and is highly active online.

It almost certainly operates out of Russia or another former Soviet state, and its ransom demands range widely, from $200,000 up to as much as $2m. As of early April 2021, according to Cybereason’s Nocturnus team, it had leaked data from about 40 victims.

The DarkSide gang makes a point of analysing its targets’ financial situation before attacking them, and claims to only go after large corporations, never medical organisations, non-profits or government bodies. Of particular note is the gang’s use of “Robin Hood” style tactics – last year the DarkSide gang attempted to donate thousands of dollars’ worth of bitcoin to two US-based charities, but the donations were refused.

On discovering the attack, Colonial Pipeline said it proactively took a number of systems offline to contain the problem, which temporarily stopped all its pipeline operations and affected a number of its IT systems, which now need to be restored. It has informed the US government and law enforcement, and engaged third-party cyber forensics. It has given no indication that it is negotiating payment of a ransom.

“Maintaining the operational security of our pipeline, in addition to safely bringing our systems back online, remain our highest priorities,” said the firm in a statement on Sunday 9 May. “Over the past 48 hours, Colonial Pipeline personnel have taken additional precautionary measures to help further monitor and protect the safety and security of its pipeline.

“At this time, our primary focus continues to be the safe and efficient restoration of service to our pipeline system, while minimising disruption to our customers and all those who rely on Colonial Pipeline. We appreciate the patience and outpouring of support we have received from others throughout the industry.”

CNI a frequent target

As commerce secretary Raimondo noted, attacks against CNI are becoming more frequent – recent incidents include an attempt to poison the water supply of a Florida town – and governments around the world, including the UK, are making CNI security a priority.

Mimecast’s director of threat intelligence and response, Francis Gaffney, commented: “Cyber security professionals have, for some time, warned of outdated practices and implementation associated with IoT [internet of things], IT systems and OT [operational technology] security and these are now becoming realised.

“With the convergence of these systems, it is almost certain that data and networks are at heightened risk of both ransomware and data compromise attacks, and a danger that devices critical to a nation’s infrastructure may be used as a stepping stone for lateral movement within a compromised network.”

Armis’ Norton said he was troubled by the lack of progress that CNI providers were making in improving their resilience to cyber attack. “Both the NIST Cyber Security Framework and the International Society for Automation (ISA) published ISA 99, now IEC 62443, have been available for several years as the compliance measures for cyber resilience in ICS and critical infrastructure providers,” he said.

“However, it would appear that many of the requirements outlined in the frameworks are not being adhered to because the infection methods of the crime gangs are well known and provisioned for in both frameworks. So, it would appear to be missing in practice.”

Tom Garrubba, CISO of Shared Assessments, added: “Numerous agencies, including CISA [the US’s Cybersecurity and Infrastructure Security Agency] have been trumpeting warnings or calls to action to update critical infrastructure for years, and sadly, the time for initial action has long since passed. The evidence is clear: we are under attack by both rogue and state-sponsored organisations and the cyber community, along with the general public, have taken notice and are getting very worried.

“Any company, whether primary or downstream, providing support to our country’s national infrastructure needs to take a good, hard look at the systems supporting those processes and ask themselves: ‘Can we be next? Do we need to update our systems? Do we need assistance to support and secure these systems?’ and if so, petition their corporate boards and owners for the requisite financial support in upgrading and securing these systems.”

Illumio CEO Andrew Rubin said organisations continued to rely on, and invest in, threat detection as if doing so could stop all breaches from happening, but that this approach was clearly missing a lot of attacks. He called for the authorities to take action on the “broken security model”.

“But instead of talking about and doing the hard work we need to do, we’ll watch the financial markets on Monday reward the entire security industry for failing to stop modern attacks from spreading into a disaster,” he said.
