Colonial Pipeline, the largest refined products pipeline in the United States, became the victim of a devastating cyber attack on Friday. The company has determined that the incident involved ransomware and various agencies believe that the DarkSide group was behind the attack.
On May 7, Colonial Pipeline released a statement saying that it proactively took certain systems offline to contain the threat. Particularly, this included 5,500 miles or about 8,850 kilometres of pipelines that deliver gasoline and fuel from Texas to New York.
With such a critical role in the US, the Federal Bureau of Investigation (FBI) and the White House got involved, along with the Energy Department, which is leading the Federal Government response, as this attack highlights the vulnerabilities faced by energy infrastructure in the country.
This is because many critical firms dealing with energy, such as Colonial Pipeline, are still using legacy systems that make them more exposed to increasingly sophisticated cyber attacks.
In Colonial Pipeline’s case, the firm acknowledged that its corporate computer networks had been hit by a ransomware attack, holding sensitive data hostage. As a private company, Colonial Pipeline is under less pressure to pay to get the data back, but it still plays a big role in US energy infrastructure, making the case a high priority.
Signs of More Attacks to Come?
Commenting on the incident, Grant Geyer, Chief Product Officer of Claroty, believes that the attack against Colonial Pipeline is only a teaser of the future of cyber attacks, stating that the country’s national critical infrastructure will remain an easy target as cybercriminals and foreign adversaries seek opportunities for financial gain and power projection.
“Industrial environments are operating with infrastructure that commonly maintains obsolete technology that can’t be patched and staff that frequently are not as cyber-savvy as they need to be to keep attackers at bay. This leads to a situation where cybersecurity risk levels are below acceptable tolerances and, in some cases, organisations are blind to the risk”, Grant added.
He shared that Claroty researchers have found that the energy sector is one of the most highly impacted by Industrial Control System (ICS) vulnerabilities, with a 74% increase in ICS vulnerabilities disclosed during the second half of 2020 compared to 2018.
According to Vladimir Kuskov, Head of Threat Exploration at Kaspersky, DarkSide is a typical case of a cybercriminal group involved in ‘Big Game Hunting’. Their stated goal is to make money. They work via affiliate partner schemes: they offer their ransomware ‘product’ to ‘partners’, which may in turn buy access to organisations from other hackers and then use it to deploy the ransomware.
However, Vladimir added that unlike some other groups, DarkSide claims to have a code of conduct: they do not attack hospitals, schools, government institutions or non-commercial organisations.
“Interestingly, DarkSide published a statement today on their leak site. Judging by the statement, it looks like they did not expect such consequences and attention after the latest attack on Colonial Pipeline and now they are planning to introduce some sort of ‘moderation’ to avoid such situations in the future”, he said.
Dealing with the Looming Threat of Ransomware
Speaking about ransomware, Sheena Chin, Managing Director of ASEAN at Cohesity, warns that it is not going away anytime soon. “If organisations automatically defer to paying the ransom knowing they can fall back on insurance, this could prompt more and more bad actors to engage in ransomware attacks, as it becomes a guaranteed pay-out - not the desired outcome,” Sheena added.
For Sheena, the right way is to be on the front foot and build your lines of defence and recovery before you are targeted. Limiting the damage caused and working on getting users and services back online is your end goal.
As DarkSide favours using Windows vulnerabilities to gain initial access, Sean Deuby, Semperis Director of Services (Microsoft MVP), suggests that as a first step, companies should absolutely ensure their Windows systems are kept up to date.
“Once in, Active Directory is a favourite access path due to its complexity and broad attack surface; Mandiant estimates that 90% of the incursions their teams are involved in have some Active Directory component. Using a free tool such as Purple Knight can quickly reveal indicators of exposure that an attacker would use. You should also ensure that your backups are saved in non-writeable (offline or on write once read many – WORM) storage so they can’t be encrypted by the malware”, commented Sean.
Nevertheless, for cybersecurity expert Robert Cattanach, companies will never be able to completely prevent threat actors from gaining access somewhere. That is why it is important to segregate IT systems and make it as difficult as possible for attackers to move laterally once they are in.
“That means self-imposed inefficiencies, which are counterintuitive to your IT experts. Silo your systems and increase the detection threshold for anomalous activity. That will make it tougher for your company’s systems to operate as smoothly as you’d like, but the roadblocks this creates for attackers will pay critical dividends”, he added.
Last but not least, Robert recommends that victims should communicate constantly with industry groups and regulators, as cybercriminals are creatures of habit. “They look for a common vulnerability, and exploit it until it's eliminated. Where else had these hackers been before Colonial Pipeline, and what could have been learned about this threat if more information had been shared?”
It's Now Open Season on Infrastructure Providers
What’s worrying is that, whether the DarkSide operators intended to attack an important piece of US infrastructure or an affiliate organisation used the ransomware-as-a-service to attack without their blessing, Sean Deuby states that the Colonial Pipeline attack signals that “it's now open season on infrastructure providers”.
He adds that while the rewards may be larger for critical utilities like these that likely have deep pockets, attacking such high-visibility targets also means the stakes are higher for the ransomware actors. “The Colonial Pipeline attack is making DarkSide a more intense focus for law enforcement, which is not good for their continued business, so it’s possible they may adopt a low profile for a while. Regardless of what happens to DarkSide, there are many other ransomware actors watching these events and making their own decisions on whether they too should begin attacking similar targets. The message is clear: the infrastructure sector should be running to secure their systems. Time is up.”
Robert Cattanach believes that the full extent of the damage to Colonial Pipeline, and its business partners, will not be known for weeks, if not months. “The breadth and duration of the impact of the ransomware provides important lessons to us all”, he concluded.
In its latest statement, Colonial Pipeline said it is still in the process of restoring service to other laterals. The firm also said it would bring its full system back online only when it is safe to do so and in full compliance with all federal regulations.