Ransomware roundtable | A threat in the pipeline

The latest roundtable discussion from Security on Screen analyses the Colonial Pipeline’s major ransomware attack and how it highlights the risk ransomware can pose, not just to businesses, but to critical national industrial infrastructure 

The US government issued emergency legislation on Sunday after Colonial Pipeline (headquartered in Alpharetta, Georgia) was hit by a severe ransomware attack. The largest fuel pipeline in the US, the Colonial Pipeline carries 2.5 million barrels a day – 45% of the East Coast’s supply of diesel, petrol and jet fuel.

Sources said the ransomware attack was likely to have been caused by a cyber-criminal gang called DarkSide, who infiltrated Colonial’s network and locked the data on some computers and servers, demanding a ransom on Friday. The gang tried to take almost 100 gigabytes of data hostage, threatening to leak it onto the internet, but the FBI and other government agencies worked with private companies to respond.

Subsequently, the operator took itself offline on Friday after the cyber-attack was discovered, and the cloud computing system used by the hackers to collect the stolen data was taken offline on Saturday. Colonial’s data did not appear to have been transferred from that system anywhere else, potentially limiting the hackers’ leverage to extort or further embarrass the company.

On Sunday, Colonial said that although its four main pipelines remain offline, some smaller lines between terminals and delivery points were now operational. The US government has now relaxed rules on fuel being transported by road, meaning drivers in 18 states can work extra or more flexible hours when transporting refined petroleum products.

While US fuel prices at the pump were largely unaffected on Monday, there are fears that could change if the shutdown is prolonged.

A major disruption

In response to this substantial attack, Lewis Jones, Threat Intelligence Analyst at Talion, says: “This appears to be one of the most disruptive ransomware attacks ever reported, highlighting the vulnerabilities in the energy sector and why it is often targeted by attackers. A long-term ransomware negotiation within the energy sector could cause mass disruption and means that the likelihood of payment is increased.

“The fact that the US government has quickly issued emergency legislation to relax rules on road fuel transportation highlights how concerning this attack is. A longer-term implication of the attack could create a delay in delivery and disruption of the supply chain. This would cause an increase in price at a time when the economy is already fragile due to the current pandemic.”

Computer security service Digital Shadows has claimed that the Colonial attack was indeed helped by the coronavirus pandemic, with more engineers remotely accessing control systems for the pipeline from home. James Chappell, Co-Founder of Digital Shadows, said DarkSide could have bought account login details for remote desktop software such as TeamViewer and Microsoft Remote Desktop.

“We’re seeing a lot of victims now; this is seriously a big problem,” said Chappell in a statement. “The number of small businesses that are falling victim to this. It’s becoming a big problem for the economy globally.”

“Cybercriminals don’t really care how important your business is, only how much money they might extract from you,” comments Tim Mackey, Principal Security Strategist at the Synopsys CyRC (Cybersecurity Research Centre). “This trend can be seen with increasing attacks on municipalities, healthcare systems, and elements of critical infrastructure. Each of these organisations will bring in law enforcement, yet attackers continue to be aggressive in their activities.

“While Colonial Pipeline is a US operation, attacks are global in scope. And despite warnings from officials like the US Treasury Department highlighting how ransomware payments are used to fund future criminal activities, victims are often faced with the difficult decision of whether to pay the ransom.”

Remaining critical

“These ‘Cyber Physical’ attacks are a big deal, because they demonstrate just how fragile the provision of critical services to society is,” says Andy Norton, European Cyber Risk Officer at Armis. “A few weeks ago a water treatment plant was compromised, leading to the potential for poisoning of the water. Now, 45% of the US oil energy provision has been switched off to the East Coast. Prolonged shortages in critical services lead to civil unrest, economic pressures, and a general lack of confidence in public administration.”

Lior Div, CEO and Co-founder of Cybereason also comments: “The SolarWinds and Microsoft Exchange Server attacks were unparalleled in their scope, successfully infiltrating and compromising virtually every US government agency and a wide array of medium and large private sector companies. The Colonial Pipeline attack reinforces the need to update legacy systems running today’s critical infrastructure networks.

“If the public and private sectors can work together to solve complex cybersecurity issues, and at the same time accurately identify the threat actors and bring them to account for their actions, it will go a long way in reversing the adversary advantage and enable defenders to retake the high ground. There is also another significant opportunity here as well to cooperate on a global scale to develop extradition laws that enable cyber crimes and cyber espionage to be prosecuted more effectively.”

Mackey agrees, stating: “Avoiding becoming a victim of ransomware requires organisations to have a comprehensive cybersecurity plan in place that fully captures the risks of each software component, its role and lifecycle, and its deployment configuration and usage assumptions. Armed with this basic information, and an exhaustive inventory, it becomes possible to determine how each component might play a role in an attempted ransomware attack.

“An effort like the one impacting Colonial Pipeline is likely the result of multiple weaknesses in process and cyber-defences that were ultimately successfully exploited. With the age of some industrial software systems far exceeding that of commercial software, it’s likely that older software wasn’t designed to limit exposure to modern threats like ransomware attacks.

“While the age of the software has limited impact on its serviceability, threat models and defensive protections need to keep pace with new threats – something that can only be done if all weaknesses present in each component are known and accounted for. After all, if a criminal can identify your weaknesses faster than you can, luck is rarely on your side.”

Taking back control

US government officials are currently working with Colonial to help it recover while scrambling to avoid more severe fuel supply disruptions should the outage continue. Whether the pipeline stays shut that long in turn depends on how deeply the hackers penetrated Colonial’s network – and how soon cybersecurity experts can pull them out.

“As so many times before when talking about ransomware – to lock a system with ransomware you need a good degree of control of that system,” says Martin Jartelius, CSO at Outpost24. “While this is indeed a financial disaster, and will have a significant impact on many, let us also consider that this means that, at least for a time, threat actors had control of those very same IT systems. Preventive security, as well as segmentation, are critical for those kinds of environments.”

“One thing to note here is that ransomware has to announce itself to be successful,” adds Tim Erlin, VP at Tripwire. “In industrial environments, cyber events aren’t always this visible. Increasing visibility into industrial networks becomes more important as attackers continue to target critical infrastructure.”

Brad Brooks, CEO and President of OneLogin, rightfully concludes: “This attack represents just how quickly the stakes are escalating on Cybersecurity, with controlling and knowing who has access to your IT systems a board level priority for every company. We are moving from an invisible Cold War that was focused on stealing data to a highly visible hot war that has real implications for physical property and people’s lives.”
