Stimulus Check Up | Apr 8, 2022 | 0
Everything you need to know about the Colonial Pipeline ransomware attack
The real-world consequences of a successful cyberattack have been clearly highlighted this week with the closure of one of the US’ largest pipelines due to ransomware.
Here’s everything we know so far.
On Friday, May 7, Colonial Pipeline said that a cyberattack had forced the company to proactively close down operations and freeze IT systems.
This measure “temporarily halted all pipeline operations” and cybersecurity firm FireEye, which operates the Mandiant cyberforensics team, was reportedly pulled in to assist.
What is Colonial Pipeline?
Founded in 1962 and headquartered in Alpharetta, Georgia, privately-held Colonial Pipeline is one of the largest pipeline operators in the United States and provides roughly 45% of the East Coast’s fuel, including gasoline, diesel, home heating oil, jet fuel, and military supplies.
The company says that it transports over 100 million gallons of fuel daily across an area spanning Texas to New York.
There are few concrete details on how the cyberattack took place, and it is likely that this will not change until Colonial Pipeline and the third-party company brought in to investigate have concluded their analysis of the incident.
However, what appears to have happened is a ransomware outbreak, linked to the DarkSide group, that struck Colonial Pipeline’s networks.
The oil giant said it “proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems.”
Colonial Pipeline’s latest update, published on Monday, May 10, said that remediation is ongoing and each system is being worked on in an “incremental approach.”
“This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week,” the company added.
Why does it matter?
As shown in the company’s operations map, the loss of the systems supporting and managing pipeline operation and fuel distribution has impacted vast swathes of the US.
At the time of the attack, supply shortage concerns prompted gasoline futures to reach their highest level in three years. Demand has risen, but drivers are being urged not to panic buy, as this could impact prices that have already increased due to the pipeline disruption by six cents per gallon in the past week.
With normal operations not expected to resume until, at best, the end of the week, we are likely to see fluctuations — and potentially further price increases — in fuel supplies across impacted areas in the US.
US President Biden has also been briefed on the event. If anything highlights just how serious a cyberattack has become, it is this.
Have any agencies become involved?
To keep supplies flowing, the USDOT Federal Motor Carrier Safety Administration (FMCSA) issued a Regional Emergency Declaration on Sunday, May 9, easing standard restrictions on the land transport of fuel and the permissible working hours of drivers.
“FMCSA is issuing a temporary hours of service exemption that applies to those transporting gasoline, diesel, jet fuel and other refined petroleum products to Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia,” the agency said.
The US Federal Bureau of Investigation (FBI) is also aware of the incident. On May 10, the law enforcement agency said:
“The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation.”
Who is DarkSide?
DarkSide is a Ransomware-as-a-Service (RaaS) group that offers its own brand of malware to customers on a subscription basis. The ransomware is currently in version 2.
According to IBM X-Force, the malware, once deployed, steals data, encrypts systems using the Salsa20 and RSA-1024 encryption algorithms, and executes an encoded PowerShell command to delete volume shadow copies.
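An added detection sketch for the behaviour described above (not code from the article or from IBM X-Force): it decodes PowerShell -EncodedCommand arguments found in process-creation events and flags scripts that delete volume shadow copies. The event fields, host names and sample commands are constructed for illustration and are not DarkSide's actual command line.

```python
import base64
import re

# Generic shadow-copy deletion patterns (an assumption for this example,
# not an extracted DarkSide signature).
SHADOW_DELETE = re.compile(
    r"win32_shadowcopy.*delete|vssadmin(\.exe)?\s+delete\s+shadows",
    re.IGNORECASE | re.DOTALL,
)
POWERSHELL = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand (or any prefix of it), else None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        # PowerShell accepts -e, -enc, ... as prefixes of -EncodedCommand, plus -ec.
        if flag[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            try:
                # The payload is base64 over UTF-16LE text.
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except ValueError:  # bad base64 or bad UTF-16: not a usable payload
                continue
    return None


def flag_shadow_copy_deletion(events):
    """Return (host, decoded_script) for PowerShell events that delete shadow copies."""
    hits = []
    for ev in events:
        if not POWERSHELL.search(ev["cmdline"]):
            continue
        script = decode_encoded_command(ev["cmdline"])
        if script and SHADOW_DELETE.search(script):
            hits.append((ev["host"], script))
    return hits


def _enc(script):
    """Build a constructed -EncodedCommand payload for the sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (hypothetical hosts and commands).
SAMPLE_EVENTS = [
    {"host": "ws-01", "cmdline": "powershell.exe -NoP -enc " + _enc("Get-Date")},
    {"host": "fs-02", "cmdline": "powershell -ep bypass -e "
     + _enc("Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }")},
    {"host": "ws-03", "cmdline": "cmd.exe /c dir"},
]
```

Matching on the decoded script rather than the raw command line is what makes the check survive the base64 encoding; in production the same logic would run over process-creation telemetry and PowerShell script-block logs.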
SecureWorks tracks the group as Gold Waterfall and describes it as a Russian-speaking past affiliate of the REvil RaaS operation.
A decryptor for DarkSide malware on Windows machines was released by Bitdefender in January 2021. In response, the group said the decryptor was based on a key previously purchased and may no longer work as “this problem has been fixed.” (ZDNet has requested an update from Bitdefender on the decryption tool status.)
While believed to be relatively new to the ransomware scene, first spotted in the summer of 2020, DarkSide has already created a leak website used in double-extortion campaigns, in which victim companies are not only locked out of their systems, but also have their information stolen.
If these organizations refuse to pay up, stolen data may be published on the platform and made available to the public.
DarkSide isn’t content with just making money from ransomware demands, however, as the group has indicated it will happily work with competitors or investors before leaks are published.
“If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares,” the group says.
Perhaps unusually, however, DarkSide also appears to be trying to cultivate a Robin Hood and good-guy image — stealing from the rich (the so-called ‘big game’ targets) and giving a portion of the criminal proceeds to charity.
Charities reportedly offered donations in stolen Bitcoin (BTC) have, so far, refused to accept them.
The RaaS operators have also tried to distance themselves from the incident by vaguely implying it was a customer at fault and that the cyberattack doesn’t fit the DarkSide ethos.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives,” DarkSide said on May 10. “Our goal is to make money, and not creating problems for society. We [will] introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
What happens next?
Because DarkSide is known to double-extort victims, Colonial Pipeline could be the next company to face the threat of a data leak unless it gives in to blackmail and pays the attackers. It may be, however, that DarkSide will choose not to pursue this usual tactic due to the aforementioned “social” problems caused by the ransomware.
Bloomberg says that during the attack, over 100GB in corporate data was stolen in just two hours.
As of May 11, Colonial Pipeline has not been added to the DarkSide leak site.
This appears to be one of the largest and most successful cyberattacks on a critical component of a country’s infrastructure to date — but it is not the first.
In February, a cyberattacker attempted to add dangerous levels of a chemical to the drinking water system of a city in Florida, and back in 2016, the city of Kiev, in Ukraine, lost all power for an hour due to Industroyer malware.
If the prospect of fuel shortages, the invoking of emergency powers, and the briefing of a president is anything to go by, we may see a more urgent review of cybersecurity procedures and practices in the US soon — and perhaps the implementation of severe punitive actions to companies that do not maintain a strong security posture.
However, cyberthreats continue to evolve and, either way, this is unlikely to be the last time we see such severe social disruption caused by cyberattackers just in it for the money.
“This incident is not the first and will definitely not be the last, as US critical infrastructure spans across an entire continent and relies on engineers in remote places to log in and perform maintenance when needed,” Bitdefender commented. “It is common for ransomware operators to probe networks for such points of entry or even to buy phished credentials to remote desktop instances that they can use to mount an attack. Critical infrastructure is becoming increasingly appealing to ransomware operators — particularly those who are involved in Ransomware-as-a-Service schemes.”