Colonial Pipeline Ransomware Attack Shows 'Fear Fast Becoming Reality'
Colonial Pipeline is the largest refined products pipeline in the United States.
![Oil pipeline at sunset](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blte651577d297894cd/652451e7372d32d072921663/Oil-Pipeline-Feature.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Zarmeena Waseem is director of cybersecurity education at the National Cyber Security Alliance (NCSA). She said DarkSide has managed to significantly impair a major piece of infrastructure within the United States.
“Colonial’s system spans over 5,000 miles between the Northeast and Texas, and provides gas and oil to more than 50 million customers, so any disruption to this system would have significant ramifications,” she said. “DarkSide stated they were interested in money; everyone knows that oil still means money. Consumers are already concerned about gas prices. Stations are limiting gasoline at the pump in cities on the East Coast because they don’t know exactly when they will get another shipment. And, given how much of the pipeline still remains offline, it underlines how far-reaching the consequences of this attack are. There are signs that this breach is much more far-reaching than we currently know.”
As energy and utility services become more integrated with technology, companies should invest in better understanding their security vulnerabilities, Waseem said. Because the exact delivery method of this attack is not yet known, she said, there are a number of things to keep in mind.
“Ransomware is a type of malware that has to execute and run on your network,” she said. “Knowing this, intrusion detection and prevention should always be a priority. Along with better technical scanning of attachments, we have to look at employees as a firewall of their own. Diligent employees who carefully consider file exchanges, message attachments and programs they download are often our best defense. The Colonial Pipeline cyberattack is also a serious reminder to any corporation that backing up data is crucial for resilience and continuity of business while the threat is being mitigated.”
Based on movements within the Biden administration, there seems to be growing acknowledgement that more has to be done to rebuild cybersecurity as part of the nation’s infrastructure, Waseem said.
“However, without the proper buy-in, planning and people in place, critical pieces of infrastructure still likely remain at high risk,” she said. “The Cybersecurity and Infrastructure Security Agency (CISA) has continually reminded both consumers and private enterprises that ransomware is a threat to the supply chain globally. If businesses choose to align themselves with government messaging, they will likely be better prepared to protect their assets and processes.”
Mark Bowling is ExtraHop’s vice president of security response services.
“As critical infrastructures, including electrical power distribution, natural resources recovery, and distribution and logistics, among other things, have become more automated and interconnected, they’ve also become increasingly vulnerable to cyberattack,” he said. “These networks are no longer internal. They now have multiple internet-connected infrastructure components, which create a much larger attack surface and create many more opportunities for cyberattackers to find and exploit vulnerabilities. The reality is that, whether you’re talking about a nation-state or a cybercriminal gang, these systems are frighteningly vulnerable to compromise.”
This attack shows what DarkSide ransomware can do, Bowling said. However, the “far scarier thing, in my mind, is the attack activity we don’t know about yet – and may never know about, because we don’t have effective visibility into the networks that control our critical infrastructures.”
“The time to act to shore up these systems happened long ago, but that doesn’t mean we should simply throw up our hands,” he said. “Advances in artificial intelligence (AI) and machine learning (ML) have made it possible to monitor activity on these distributed control networks with much more granularity, efficiency and responsiveness. Now it’s time for infrastructure providers to adopt these technologies to better defend these vulnerable critical systems.”
Garret Grajek is CEO of YouAttest. He said that beyond the ramifications of this attack, it is additionally alarming how DarkSide is now operating: it is selective in its targets and avoids enterprises in former Soviet Union countries.
“According to Cybereason, DarkSide has created an affiliate program in which DarkSide creates the malware and other hacking groups are financially rewarded, via an embedded affiliate code, for a successful delivery of the malware,” he said. “This means that there’s not just one threat vector to close off, but dozens, if not more, attack entries to block.”
DarkSide’s malware has often targeted domain controllers, so traditional hardening approaches are crucial, including patching and a “fanatical” lockdown of admin and service accounts, Grajek said.
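As an added illustration of what such a lockdown has to cover (this is not code from the article or from any of the vendors quoted in it), the PowerShell audit below inventories the two account classes Grajek singles out: everyone who effectively holds domain-admin rights, and every user account carrying a Kerberos service principal name. It assumes the RSAT ActiveDirectory module is installed and that it runs under an account with read access to the domain; the list of privileged groups and the 365-day password-age cutoff are assumptions, not figures from the article.

```powershell
# Added example, not part of the article or of any vendor's code: audit the
# accounts a domain-controller-focused ransomware intrusion would go after.
# Assumes the RSAT ActiveDirectory module and an account with read access to AD.
Import-Module ActiveDirectory

# Assumed list of groups whose members are effectively domain admins.
$privGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$staleCutoff = (Get-Date).AddDays(-365)   # assumed password-age threshold

# 1. Resolve nested membership so indirect admins are not missed.
$privMembers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName `
                -Properties Enabled, PasswordLastSet, LastLogonDate, ServicePrincipalName |
            Select-Object @{n='Group'; e={ $g }},
                          SamAccountName, Enabled, PasswordLastSet, LastLogonDate,
                          @{n='HasSPN'; e={ $_.ServicePrincipalName.Count -gt 0 }}
        }
}

# 2. Service accounts: any user with an SPN can be Kerberoasted offline, so a
#    weak or never-rotated password here is a direct path to the DCs.
$svc = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
           -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, AdminCount |
       Where-Object { $_.SamAccountName -ne 'krbtgt' }

# 3. Turn the two inventories into a short list of things to fix first.
$findings = @()
$findings += $privMembers | Where-Object { $_.HasSPN } | ForEach-Object {
    "$($_.SamAccountName): privileged account with an SPN (Kerberoastable admin)" }
$findings += $privMembers | Where-Object { -not $_.Enabled } | ForEach-Object {
    "$($_.SamAccountName): disabled account still in $($_.Group)" }
$findings += $svc | Where-Object {
        $_.PasswordNeverExpires -or -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $staleCutoff } |
    ForEach-Object { "$($_.SamAccountName): service account with stale or non-expiring password" }
$findings += $svc | Where-Object { $_.AdminCount -eq 1 } | ForEach-Object {
    "$($_.SamAccountName): service account is (or was) in a protected admin group" }

$privMembers | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$findings    | Sort-Object -Unique
```

Each finding maps to a concrete fix: strip SPNs from accounts that hold admin rights, move service accounts to group Managed Service Accounts or to long, regularly rotated random passwords, and remove stale or disabled members from the privileged groups. Re-running the audit after a patch cycle is a cheap way to check that the lockdown has not quietly eroded.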
Vladimir Kuskov is head of threat exploration at Kaspersky. He said DarkSide is a typical case of a cybercriminal group involved in “big game hunting.”
“Their stated goal is to make money,” he said. “Unlike some other groups, DarkSide claims to have a code of conduct. They claim not to attack hospitals, schools, government institutions and non-commercial organizations.”
Interestingly, DarkSide published a statement Monday on its leak site.
“Judging by the statement, it looks like they did not expect such consequences and attention after the latest attack on Colonial Pipeline, and now they are planning to introduce some sort of moderation to avoid such situations in the future,” Kuskov said.
Purandar Das is CEO and co-founder at Sotero. He said what many people have feared is fast becoming a reality.
“Broadly speaking, the vulnerability posed by underprepared and underprotected networks and systems has long been feared as potential targets for hackers,” he said. “Within the last few months, it has been clear that organized groups are rapidly targeting these systems both for monetary and intellectual property gain, but also to demonstrate the potential power they could hold over critical infrastructure. Attacks like these have the potential to wreak havoc on the economy as well result in the destruction of systems critical for the nation to function.”
Last week’s Colonial Pipeline ransomware attack shut down a major U.S. fuel pipeline. It could potentially push gas prices higher and disrupt supply in the eastern United States.
Russian cybercrime group DarkSide carried out the attack. In response, the U.S. Department of Transportation issued an emergency declaration to increase alternative transportation routes for oil and gas.
Restoration Expected by End of Week
On Saturday, Colonial Pipeline said it proactively took certain systems offline to contain the threat. This temporarily halted all pipeline operations and affected some of its IT systems.
“To restore service, we must work to ensure that each of these systems can be brought back online safely,” Colonial Pipeline said on Monday. “While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach. This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week. The company will provide updates as restoration efforts progress.”
In addition, FireEye has confirmed its Mandiant incident response division is investigating the nature and scope of the ransomware attack. It hasn’t released any further information regarding its work with Colonial Pipeline.
Critical Infrastructure Updates Necessary
Tom Garrubba is CISO at Shared Assessments. He said numerous agencies for years have been calling for an update to critical infrastructure; however, the time for initial action has long passed.
“The evidence is clear: We are under attack by both rogue and state-sponsored organizations, and the cyber community along with the general public have taken notice and are getting very worried,” he said. “Any company, whether primary or downstream providing support to our country’s national infrastructure, needs to take a good, hard look at the systems supporting those processes and ask themselves, ‘Can we be next? Do we need to update our systems? Do we need assistance to support and secure these systems?’ And if so, petition their corporate boards and owners for the requisite financial support in upgrading and securing these systems.”