Colonial Pipeline remains offline after ransomware attack

Colonial Pipeline, which operates the biggest gasoline conduit to the East Coast, said it has no estimate on when it could restart the 5,500-mile pipeline that it shut Friday after a cyberattack. The 5,500-mile conduit carries 2.5 million barrels a day to the East Coast, or 45% of its supply of diesel, gasoline and jet fuel.

The company took systems offline to contain the threat, temporarily halting all pipeline operations and affecting some IT system. In a statement, the company said the Colonial Pipeline operations team is developing a system restart plan, and while their mainlines remain offline, some smaller lateral lines between terminals and delivery points are now operational.

"We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations," the company stated. "At this time, our primary focus continues to be the safe and efficient restoration of service to our pipeline system, while minimizing disruption to our customers and all those who rely on Colonial Pipeline."

The White House declared a state of emergency in 17 eastern states in the U.S. as a response to the shutdown of the Colonial pipeline. The 17 states affected are: Alabama, Arkansas, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia. According to Bloomberg, the White House also created an interagency task force to address the breach, including exploring options for mitigating the impact on the energy supply.

Marty Edwards, the longest-serving director of ICS-CERT and VP of OT security at Tenable, explains cyberattacks are a real and present danger to critical infrastructure around the world and, by extension, every single consumer. "If reports are accurate, the Colonial Pipeline incident has all of the markings of a possible ransomware attack that began in the IT environment and, out of precaution, forced the operator to shut down operations."

"Ransomware has been a favored attack vector of cybercriminals because of its effectiveness and return-on-investment," Edwards adds. "That’s precisely why bad actors have recently set their sights on critical infrastructure. Shutting down operational technology (OT) environments can cost hundreds of millions of dollars which forces providers to outweigh the costs. We should not underestimate these groups. Many of them now have help desks, technical support, payroll processing and subcontractors. They are essentially full-fledged criminal corporations operating in the digital world. While it's unknown how this attack played out, it's yet another reminder of the increasing threats to critical infrastructure we all rely on."

Current reports suggests the DarkSide group is behind the attack. The group is relatively new and evidence suggests DarkSide may be linked to Russia or somewhere in Eastern Europe, Bloomberg reports.

Mike Hamilton, former CISO of Seattle and CISO of government cybersecurity firm, CI Security, says, "Current reporting suggests that this is a group that is new, but composed of experienced members. The ransomware itself is not that novel - there is a good technical explanation here: http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/."

Hamilton adds, "What seems to set this group apart is the research they conduct before compromising a victim - so they know the reporting structure, who in the organization makes decisions and who handles finances. If that is true, it is unlikely that this event is an artifact of the "spray and pray" type of attack and was highly targeted. That diminishes the theory that this gang is just the "dog that caught the car", as this was an entirely intentional act. Assuming that, it is also unlikely that this occurred without the knowledge, and perhaps support of government entities within the country of origin. Rather than a miscalculation resulting in unwanted scrutiny by the federal government, the perception created is that we're being tested. Will the US Government treat this as just another criminal act, clean up and move on? Or will this generate the urgency necessary to finally connect the acts of hostile governments and their criminal communities."

An opportunity is coming to do just that, Hamilton says. "Coming soon and likely this week, the Biden administration is expected to issue an executive order intended to improve the security of federal and private systems in response to the Solarwinds and Exchange attacks by Russia and China, respectively. This new attack against US energy infrastructure may spur an expansion of the EO from a focus on additional preventive measures to include specific language on actions the US Government will take when critical infrastructure is attacked, potentially treating it as terrorism. That in itself is the slippery slope. A retaliation can cause escalation into points unknown. The administration will need to carefully weigh the benefit of a punitive action with the likelihood of escalation, but this cannot go unanswered."

Stefano De Blasi, Threat Researcher at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, "Although attribution hasn't been confirmed yet, it is realistically possible that this ransomware group gained entry to the Colonial Pipeline networks by buying remote access from other dark web vendors, known as Initial Access Brokers (IABs), given previous DarkSide operations. The popularity of these "men-in-the-middle" of cybercrime has constantly been growing in the past months and now provides a constant pool of potential victims to ransomware groups aiming to expand their operations. Additionally, as Remote Desktop Protocol (RDP) has been the most observed access vector advertised by these actors, it is realistically possible that DarkSide exploited a similar method to gain entry to Colonial Pipeline."

De Blasi adds, "Attacks against critical national infrastructure are certainly among the most pressing cyber threats faced by governments and organizations worldwide. Their potential to ripple severe effects on a massive number of individuals, businesses, and institutions means that these attacks should be a key priority for everyone involved."

Here's what security executives had to say about this cyberattack:

Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers:

Increasingly, the risk of strategic disruption or destruction of a nation’s critical infrastructure is not measured by its proximity to an adversary’s airfield or carrier group, but is measured by the degree to which its connectivity to the outside world is insufficiently safeguarded. Alarm bells from credible voices in the security industry have been ringing for critical infrastructure for much of the last decade. Unfortunately, this is an area overrun by sprawling and difficult to manage technical debt, with variable levels of awareness and sophistication on behalf of parties directly responsible for its safeguard. As this is an area of national, strategic importance addressing it requires national, strategic vision, execution, and the relentless pursuit of consequence and accountability until the risks are mitigated – if there are leaders still asleep at the wheel on this one, they need to wake up or step aside.

Sounil Yu, Chief Information Security Officer at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions:

This even will bring greater public awareness of what's already happening in other parts of the world. The Middle East is a hotbed of activity where countries such as Iran and Saudi Arabia are actively attacking one another's critical infrastructure and defending each other from it (e.g., Triton). The same is happening repeatedly between Russia and Ukraine (e.g., Industroyer). This constant aggression means that countries like Iran and Russia are continuously honing their skills on the attack side (and defense side too). I would hate for us to be at the pointy end of that spear without being better prepared for it. The Colonial Pipeline case (and the Florida Water Treatment Plant case earlier this year) offers an opportunity for us to be better prepared for these types of attacks without suffering what could have been a more catastrophic outcome.

Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software:

This attack, and the broader consequences, are a global call for action in all Critical Infrastructure sectors. For Colonial itself, it will be seen whether they failed at the essential cyber hygiene (which means they were a rather easy target) or they did well in cyber security and the attackers had to use sophisticated methods for the attack. Based on known facts and insights, it rather seems that Colonial missed on the essentials. Some of the webservers in their infrastructure show old vulnerabilities, dated back to 2010 according to a Shodan search. In addition, there is quite an amount of knowledge about the DarkSide ransomware family to be prepared for it. The group behind DarkSide is known to spent at least two weeks inside the infrastructure before starting to encrypt device, something which is confirmed by the fact that the attacker extracted about 100G of data from Colonial. So, at least the detection capabilities need some improvement.

Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security:

Connected industrial control systems now have given adversaries access to our distribution systems. What is worse is that with such remote access, the relative anonymity and the potential safe-harbor, adversaries do not have any deterrent to launch such malicious and profound attacks. While the alleged perpetrators deemed this as an accident and claimed they did not want to harm society, their acts need to be dealt with a response that acts like a deterrent. The administration and Colonial will respond to this tactically, and rightfully so to resurrect operations. However, if not now, then when will we lead the charge on deterring and punishing malicious cyber activity that targets the individual, a corporation or the society as a whole. While cyber is a part of each one of our defense forces, it is time to recognize and elevate Cyber Force as the eighth force in our national defense.

Pascal Geenens is the Director, Threat Intelligence for Radware:

The Colonial pipeline ransomware attack demonstrates yet again the significant impact of ransomware attacks. Once ransomware actors get an initial foothold, no system is safe. These new higher-end/professionalized ransomware attacks are harder to defend against because of the automated and human intervention where human actors pick the targets and operate the attack. There is a growing underground economy where ransomware operators have access to verified credential lists, attack tools, and malware platforms. This is a game-changer. Previously, gangs could never pull this off on their own, but now they can because of underground trading. The world is facing a severe enemy in ransomware and no one is safe. Authorities should not lose sight of this threat and continue or increase their resources in the fight against ransomware actors.

Daniel Smith is Head of Security Research for Radware’s Cyber Threat Intelligence:

Today's threats, without a doubt, require full-spectrum solutions, but nothing will change the threat landscape without firm action from governments around the world. No task force against ransomware will solve this unless we are ready to address international loopholes and arrest criminals who operate with impunity from specific regions in the world. Giving advice to organizations on “not clicking links” or “not paying ransomware authors” has clearly not the answer. Nothing will change until we have the international law and the power to arrest actors in countries that are hacking us like Russian and China. The same should be applied to us. Nation-states should have the ability to detain US citizens suspected of hacking as well. Once we have a strong governing law with consequences, then we will see change.

Purandar Das, CEO and Co-Founder at Sotero:

What many people had feared is fast becoming a reality. Broadly speaking, the vulnerability posed by underprepared and under protected networks and system have long been feared as potential targets for hackers. Within the last few months, it has been clear that organized groups are rapidly targeting these systems both for monetary and intellectual property gain but also to demonstrate the potential power they could hold over critical infrastructure. Attacks like these have the potential to wreak havoc on the economy as well result in the destruction of systems critical for the nation to function.

As these attacks are demonstrating, it is already late in the context of fortifying systems like these. What this also demonstrating, besides the urgency, is the need for coordinated responses both on the defense as well as the offense. All the activity that the government and the congress have initiated, are demonstrating, that they too see the need for a massive, coordinated effort. That is the only way to defeat state actors with the wherewithal to coordinate such large-scale sophisticated attacks. It is time for the private sector to consider seriously the investments needed to beef up security, not just as a onetime response but as a long-term strategic initiative.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.