Colonial Pipeline Ransomware Attack Shows Critical Infrastructure Vulnerabilities
In the biggest cyberattack to date on critical infrastructure in the U.S., Colonial Pipeline – sprawling 5,500 miles from Houston to New York City – halted its mainlines on Friday, May 7, when administrators detected advanced ransomware internally.
On Thursday, a day before the ransomware attack, Russia-based cyber criminal group DarkSide stole more than 100GB of data, giving DarkSide added leverage to extract a ransom from Colonial Pipeline, which some speculated could end up paying a ransom to avoid a prolonged and potentially catastrophic shutdown. On Monday, May 10, Colonial announced that it had set a “goal of substantially restoring operational service by the end of the week,” which means the Eastern U.S. will likely face days of uncertainty over its energy supply.
The attack should serve as a wake-up call for organizations in critical infrastructure that have failed to take ransomware protection steps and implement advanced cybersecurity defenses that limit the potential attack surface, like micro segmentation and zero trust, to better isolate critical data and operational technology (OT).
Colonial Attack Route Speculation
Colonial, headquartered in Alpharetta, Georgia, is the largest refined energy provider in the United States. The Colonial Pipeline supplies 45% of the U.S. East Coast’s gasoline, diesel, jet fuel, and heating fuel. With prominent spurs in Georgia, South Carolina, North Carolina, Tennessee, and Virginia, Colonial supplies 70% of these southeastern states’ liquid fuel. Colonial’s mainlines and spurs collectively transport 3.4 million barrels of oil and natural gas daily in the U.S., or nearly 150 million gallons – an amount that the trucking, rail and ship industries can’t match despite emergency orders easing limitations, thus putting pressure on Colonial to resolve the crisis before it cripples the East Coast.
Upon recognizing the ransomware attack on Friday, Colonial stated they “proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.” As the energy provider attempts to remediate the breach, the company has signed on FireEye Mandiant on to lead the investigation, as FireEye continues to make a name for itself after revealing the Sunburst infiltration of SolarWinds in December.
Cybersecurity companies and insiders have speculated about possible causes of the attack.
UK cybersecurity vendor Digital Shadows told the BBC that with more engineers remotely accessing control systems, it wouldn’t be surprising if loosely organized remote access was the root vulnerability.
In a Monday morning tweet, ex-CISA Director Chris Krebs tweeted:
Time Till Restoration
If attackers were limited to business computer systems, Dragos CEO Rob Lee told Politico, “I think it’s going to be short-lived.”
The quick response by most organizations to shut down mission-critical systems in an attempt to stop the spread inherently results in some downtime. Only making the economics of the situation worse, fuel supply for the two mainlines carrying fuels from Pasadena, Texas to Greensboro, North Carolina, had been depleted in recent months as demand for energy dropped during the pandemic.
CrowdStrike co-founder and former CTO Dmitri Alperovitch stated on Sunday via Twitter:
Colonial is in a position where a lengthy restart could be devastating to both the organization and the U.S. economy. Oil market analyst Gaurav Sharma told the BBC, “Unless they sort it out by Tuesday, they’re in big trouble…The first areas to be hit would be Atlanta and Tennessee; then the domino effect goes up to New York.”
Federal and Security industry Response
As President Biden addressed the nation in late April, eSecurity Planet reported on the prospect of an increasing government presence in building a more robust cybersecurity infrastructure for both public and private institutions. In his joint address, Biden’s cyber strategy centered around curbing advanced persistent threats (APTs) coming out of Russia, but advanced cyber threats continue to skirt attribution standards for placing blame between countries, and Russia shows little sign of holding these in-state actors accountable.
Before the Colonial attack, the Department of Energy and CISA launched an initiative to work with industrial control system operations to improve cybersecurity detection, and in February, CISA published a Pipeline Cybersecurity Resources Library.
A handful of federal agencies are now looking into the attack, with CISA and the FBI stating it was likely not a nation-state but rather a group dubbed DarkSide believed to reside in Russia. Crowdstrike co-founder Dmitri Alperovitch said, “Whether they work for the state or not is increasingly irrelevant, given Russia’s obvious policy of harboring and tolerating cybercrime.”
In the days since news broke, many prominent Capitol Hill officials have shared their concerns and directly called for more vital cybersecurity for both the public and private sectors.
As Congress debates massive infrastructure legislation, the Colonial Pipeline attack underscores the fact that cybersecurity itself is critical infrastructure and thus likely to see increasing Federal focus.
With ransomware attacks on critical infrastructure up by 566% between 2018 and 2020, the security of these resources was already receiving significant attention. Last month, the private sector ransomware task force (RTF) launched a campaign to mitigate global ransomware attacks. Their Comprehensive Framework for Action offers 48 recommendations for detecting and disrupting ransomware.
Source: Colonial Pipeline
Defending against DarkSide
Starting in August 2020, the organized malware group known as DarkSide has already made a name for itself, claiming over 40 victims in the last nine months. Two cybersecurity firms that offer in-depth analysis of the upstart Ransomware-as-a-Service (RaaS) group are Cybereason and Varinis.
What they describe are the same tactics, techniques, and practices (TTPs) that have become all too familiar with APTs. Malicious hacking families perform careful reconnaissance to inform a breach and attack strategy that will go undetected. TTPs described include:
* Avoiding network segments where EDR is running
* Customized malware for attacking each client machine
* Convoluting traffic with encoding and DLL
* Harvesting credentials stored in files, memory, and controllers
* Loosening permissions and spreading malware through file shares
* Deleting backups, including shadow copies
While ransomware continues to evolve as fast as defenses do, there are nonetheless defensive moves all organizations should be taking, as we outlined in Ransomware Protection 2021.
These actions include:
* Training to recognize malware and eliminate common user vulnerabilities
* Optimizing software management with appropriate tracking, privileges, and patching
* Blocking email spam executables, and malicious JS files
* Enlisting technologies like CASB, IDPs, SIEMENS, and EDR for advanced security systems
* Moving towards a zero-trust network and application framework where isolating applications and network segments provides the most robust internal security for protecting what’s most important
* Always store viable backups offline for adequate protection and prompt restoration
Sitting comfortably in the corner of the dark web, DarkSide’s code of ethics calls for attacks only against companies that can afford to pay its ransoms and a prohibition on attacking education, health, nonprofit, and government bodies. That said, there are no terms of service and little accountability for hackers seeking to target any institution.
In a statement released today, DarkSide stated:
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other [our] motives…Our goal is to make money, and not create problems for society.”
DarkSide also employs a double-extortion method where victim organizations’ options are to pay for data restoration or don’t pay and the hackers publish the data. For public and private companies, data released could be immensely valuable proprietary information.
Critical Infrastructure Needs Advanced Protection
From electric grids to water plants, critical infrastructure is the latest target of advanced persistent threats and ransomware. From NotPetya hitting the Ukrainian energy sector in 2017 to an attack on a Tampa water treatment facility last year, public and private infrastructure are the critical cogs of the international economy.
Temple University has compiled a record of critical infrastructure ransomware attacks (CIRW) dating to November 2013. Details of note include:
* Maze, Ryuk, REvil, and WannaCry made up 64% of the most commonly used strains.
* Over half of ransomware attacks target government facilities (24.4%), healthcare and public health (15.9%), and education facilities (13.7%).
* While the number of attacks was between 70-80 between 2016 and 2018, attacks jumped to 205 in 2019 and 396 in 2020.
* Almost 42% of attacks lasted longer than one week, and 13% lasted more than a month.
The Fight Against Ransomware Continues
The Colonial Pipeline attack could serve to make critical infrastructure attacks even more attractive for cybercriminals. Organized malware gangs are cognizant of modern defensive strategies and patient enough to collect information and attack when the time is right.
Building a cyber citadel over the internet is not possible, so it is on public and private organizations to take the necessary steps to protect their assets. Industry analysts and companies alike point to developing frameworks like zero trust and microsegmentation for additional layers of security within the organization network.