Critical Infrastructure Takes a Critical Hit: Largest U.S. pipeline shuts down after ransomware attack
By: M20 Associates SME
May 11, 2021
A cyberattack has temporarily halted operations at Colonial Pipeline, the largest pipeline system for moving gasoline and diesel products in the U.S., the company said Friday. The shutdown has been assessed as the result of a ransomware attack. According to a Department of Homeland Security (DHS) official, the ransomware appears to be linked to the DarkSide group. Experts have called this the “most significant assault on U.S. infrastructure to date.” Colonial Pipeline said it had contacted law enforcement and that efforts to restore normal operations were “already underway.”
Colonial Pipeline delivers more than 100 million gallons (2.5 million barrels) of fuel daily to customers from Texas to New York through its 5,500-mile (about twice the width of the United States) pipeline. The pipeline provides 45% of the fuel consumed on the East Coast. The company said that after learning of the incident on Friday (7 May), it “proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations and affected some of our IT systems.”
DarkSide has a pattern of being used against targets in English-speaking countries while avoiding entities located in former Soviet Bloc nations. The threat actors are characterized as a professional cyber-criminal group whose operators are often recruited. DarkSide typically finds vulnerabilities in a network, gains access to administrator accounts, harvests data from the victim's servers, and then encrypts it. The operators spread the malware to other devices while gathering credentials and stealing unencrypted documents. The core developers obtain Windows domain credentials, deploy the ransomware throughout the network to encrypt devices, and maintain the malware and payment infrastructure.
The group's operations commenced in August 2020, and it has since published stolen data from more than 40 victims. It is not immediately clear how much money the attackers demanded or whether Colonial Pipeline has paid; based on past attacks, the demand is assessed to be in the millions. It has been assessed that close to 100 GB of data was stolen in two hours on the Thursday before the attack. The group has threatened to release the stolen data on the internet, while the encrypted data remains locked until the ransom is paid. There is no indication of when the pipeline or its networks will be operational. Cybersecurity firm FireEye's Mandiant incident response division is said to be assisting with the investigation, according to multiple reports.
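The two preceding paragraphs describe the double-extortion pattern: bulk data theft (close to 100 GB in two hours) followed by encryption. A defender's first chance to catch that sequence is the exfiltration stage, where one host pushes an abnormal volume of data out of the network in a short window. The following is an added example, not code from the original post, from Colonial Pipeline, or from any investigator; it runs a sliding two-hour window over constructed flow records (the host names, destinations, byte counts and the 50 GiB threshold are all assumptions chosen for illustration) and reports hosts whose outbound volume in any such window crosses the threshold.

```python
"""Flag hosts whose outbound byte volume in any 2-hour window exceeds a
threshold. Added example with constructed data; the window length, the
threshold and every record below are assumptions, not figures from the
incident."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)
THRESHOLD_BYTES = 50 * 1024**3  # 50 GiB (assumed); tune to the site's normal egress

# Constructed sample flow records: (ISO timestamp, source host, destination, bytes out).
# Destinations use documentation ranges (RFC 5737); nothing here is a real IoC.
SAMPLE_FLOWS = [
    ("2021-05-06T01:00:00", "fileserver01", "203.0.113.10", 40 * 1024**3),
    ("2021-05-06T01:45:00", "fileserver01", "203.0.113.10", 35 * 1024**3),
    ("2021-05-06T02:30:00", "fileserver01", "203.0.113.10", 25 * 1024**3),
    ("2021-05-06T09:00:00", "workstation07", "198.51.100.5", 2 * 1024**3),
    ("2021-05-06T12:00:00", "workstation07", "198.51.100.5", 3 * 1024**3),
    ("2021-05-06T15:00:00", "fileserver01", "203.0.113.10", 10 * 1024**3),
]


def parse_flows(rows):
    """Convert raw tuples into (datetime, host, dst, bytes) sorted by time."""
    parsed = [(datetime.fromisoformat(ts), host, dst, int(b)) for ts, host, dst, b in rows]
    parsed.sort(key=lambda r: r[0])
    return parsed


def find_bulk_egress(rows, window=WINDOW, threshold=THRESHOLD_BYTES):
    """Sliding-window sum of outbound bytes per host.

    Returns {host: (peak_bytes, window_start, window_end)} for every host whose
    outbound volume within some span of length <= window reached the threshold.
    """
    by_host = defaultdict(list)
    for ts, host, _dst, b in parse_flows(rows):
        by_host[host].append((ts, b))

    alerts = {}
    for host, flows in by_host.items():
        start = 0          # index of the oldest flow still inside the window
        running = 0        # bytes summed over flows[start:end+1]
        peak = (0, None, None)
        for end, (ts, b) in enumerate(flows):
            running += b
            # Evict flows that fall outside the window ending at this flow.
            while ts - flows[start][0] > window:
                running -= flows[start][1]
                start += 1
            if running > peak[0]:
                peak = (running, flows[start][0], ts)
        if peak[0] >= threshold:
            alerts[host] = peak
    return alerts


if __name__ == "__main__":
    for host, (total, w_start, w_end) in find_bulk_egress(SAMPLE_FLOWS).items():
        print(f"ALERT {host}: {total / 1024**3:.0f} GiB out between {w_start} and {w_end}")
```

On the constructed sample, fileserver01 moves 100 GiB between 01:00 and 02:30 and is flagged, while workstation07's two small transfers three hours apart never share a window and stay silent. In practice the rows would come from NetFlow, proxy or firewall logs, and the threshold should be derived per host from baseline egress rather than fixed, since a backup server and a workstation have very different normal volumes.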
Security experts have been warning about an event of this magnitude for some time. Over the past several years there have been multiple cyber-attacks on critical infrastructure that went unacknowledged, leaving security experts trying to identify the culprits. In 2015 and 2016 the Ukrainian power grid was attacked, followed by attacks on the power grids of the Baltic States and on Saudi Aramco. March 2019 saw an attack on the power grid of the western United States, and in early 2020 a cyber-attack was launched against the European Network of Transmission System Operators for Electricity. In none of these incidents did the perpetrator openly acknowledge having conducted the attack.
“This underscores the threat that ransomware poses to organizations regardless of size or sector,” DHS’s Cybersecurity and Infrastructure Security Agency (CISA) said, adding that it was working with Colonial Pipeline to address the issue.
A breach of the IT services that pipeline operators use to process transactions can also be a risk to a business. In April 2018, a hack of a billing software vendor used by Texas-based Energy Transfer Partners LP, which owns more than 71,000 miles of pipelines, forced the company to process transactions on its own until the issue was resolved.
As the operators of the nation’s 2.7 million miles of pipelines for oil, natural gas, and other hazardous liquids embrace digital technology to run their businesses more efficiently, concerns about their susceptibility to hackers have grown. U.S. lawmakers in late 2018 called on DHS to step up its cybersecurity guidelines and services to support pipeline operators out of concern the U.S. government was not doing enough. DHS and Department of Energy officials that year announced an initiative to coordinate with oil and gas executives more closely on pipeline cybersecurity. In February, CISA published cybersecurity assessment tools meant to strengthen the defenses of pipeline operators.
In February 2020, DHS revealed that a ransomware attack on an unnamed natural gas compression facility caused the organization to shut down its operations for two days.
More broadly, U.S. national security officials have warned for years that state-sponsored hackers from Russia and elsewhere have demonstrated an interest in mapping vulnerabilities in U.S. critical infrastructure such as electric systems and pipelines.
As stated in previous posts, there seems to be a blind spot regarding soft power being used against our own systems. At times it appears that the economy is not considered within the construct of CIKR (Critical Infrastructure and Key Resources). The Federal Motor Carrier Safety Administration (FMCSA) issued a regional emergency declaration affecting 17 states and the District of Columbia.