A woman fills gas cans at a Speedway gas station on May 12, 2021 in Benson, North Carolina. Most of the stations in the area along I-95 are out of fuel after the Colonial Pipeline hack.
Sean Rayford | Getty Images
The Colonial Pipeline hack wasn’t the first domino to fall in a global wave of sudden attacks on America’s critical infrastructure, according to several cybersecurity experts speaking with The Washington City Times.
It was more likely the product of shoddy internal security practices and a textbook case of getting hacked and paying the ransom.
The FBI says DarkSide, a group relatively new to the ransomware scene, is behind the attack. Signs indicate this is a case of a botched extortion plot, rather than the coordinated work of hackers trying to endanger the US energy grid.
Whatever the motivation, the impact was real.
The federal government issued an emergency statement for 17 states and D.C. after the country’s largest fuel pipeline collapsed. Gasoline price hikes and shortages have been reported in the US, although the supply crisis probably has more to do with panic buyers going to the pump than the attack itself. Colonial paid nearly $5 million in ransom to unlock its systems.
While the episode has exposed how vulnerable America’s critical infrastructure is to cyber criminals, it doesn’t mean we are suddenly faced with a new risk of widespread shutdowns. Ransomware attacks such as these are common, but they are usually not designed to take infrastructure offline. It appears that DarkSide, like most attackers, was motivated by financial gain rather than jeopardizing America’s gas supply.
Meanwhile, the attack drew the new government’s attention to the increase in ransomware attacks and urged Biden to sign an executive order on Wednesday, aiming to bolster its cyber defenses.
Depending on the US government’s response to it [the Colonial Pipeline attack], it could really make other groups say, “Hey, we’re not going to be targeting these sectors at all,” said Rick Holland, chief information security officer at Digital Shadows, a cyber threat intelligence company.
A very common attack
While the effects of this attack were dire, the type of attack was in no way new or unique. Ransomware attacks – where criminals install software that freeze or lock computer systems until a company pays them a ransom, usually in bitcoin or some other cryptocurrency – happen all the time.
“Everyone is reporting this ransomware attack because it affects the networks of an oil pipeline,” said Katie Nickels, the intelligence director for cybersecurity firm Red Canary.
“What’s interesting to myself and many other cybersecurity professionals is that these ransomware attacks have been going on for years. And it seems that just because it involved critical infrastructure in the US, it hit a certain nerve,” Nickels continued.
Especially in the past year and a half, there has been a rapid rise in these types of attacks, explains former CIA case manager Peter Marta, who now advises companies on cyber risk management as a partner at law firm Hogan Lovells.
“For the average person, this is big news,” said Marta. “But when I heard about it, it wasn’t even a blip on the radar … There is a lack of understanding that we are now in the middle of a ransomware epidemic.”
But even as the number of cyber-attacks balloons, the number designed to paralyze systems is small, explains Sergio Caltagirone, who worked as an analyst for the National Security Agency for eight years, where he was responsible for detecting, tracking and countering the world’s most advanced cyber threats.
“In the industrial space, the number of cyber-attacks designed to paralyze industrial systems such as water, power, oil and gas … is even much, much, much, much, much smaller,” continued Caltagirone, who was also a threat intelligence director at Microsoft and is now vice president of threat intelligence at Dragos, an industrial cybersecurity company.
“The greatest likelihood that a truly major disruptive event like this will recur in the future is through unintentional attacks like this one.”
America’s physical infrastructure is generally fragile, and pipelines, in particular, are difficult to defend. While this isn’t good news, it has been the case for years – and attackers have known it for a long time. Last week’s attack does not change that and does not reveal any new information.
Leo Simonovich, chief of industrial cybersecurity at Siemens Energy, told The Washington City Times that part of the problem is that oil and gas companies are connecting physical assets such as pipelines to digital software and applications, but essentially just screwing digital solutions on top of legacy assets.
“This creates a situation where it is difficult to detect threats in time to stop them and – in some cases – even apply basic hygiene measures to protect yourself,” explains Simonovich.
This attack targeted the company’s traditional information technology (IT) network, not the operational technology (OT) network, that is, the systems that move valves, start and stop pumps, measure things, and so on. Colonial Pipeline made the call to shut down its OT network and pipeline after discovering the breach, not DarkSide.
That’s standard, but it doesn’t mean the OT network itself was vulnerable, Simonovich says. “With this attack, and with other attacks, operators will eventually shut down their entire OT production because they are not sure what the attack affected and how to respond.”
Cyber criminals probably haven’t learned anything new in the past week. Pipelines are very different from each other, as they are purpose-built. An attack on a very specific type of fuel pipeline does not necessarily lead to an attack on another.
In addition, because intruders are eager to learn about their victim’s networks before launching an attack, there are typically multiple options for defenders to find and stop the ransomware’s attack chain before it gets to the point of data interception and encryption.
“A network just doesn’t wake up one morning and is ‘ransomwared’ out of nowhere,” Nickels said. “It has to go through a whole attack chain … There are so many options for defenders to stop this ransomware.”
Often times, ransomware enters through a phishing email or network connection that is not secured with two-factor authentication. Nickels says simple hygiene techniques can stop that first entry.
“I think there is a lot of fear and a lot of people panic … but it is possible to detect these ransomware intrusions at an early stage,” continued Nickels. “It’s very doable to detect these operators … you can find them and stop them before things get that bad.”
Having enough manpower is key, and a place where there is room for improvement.
“The TSA admitted in 2017 that they had six full-time staff members responsible for overseeing the security of 2.7 million miles of pipeline. That worries me,” said Neil Chatterjee, a commissioner for the Federal Energy Regulatory Commission, or FERC, the sector-specific body empowered to oversee critical grid security.
The Washington City Times reached out to Colonial Pipeline to ask about a vacant “Manager, Cyber Security” job posted on the company’s job portal for more than 30 days.
Colonial Pipeline wrote in an email to The Washington City Times that “the cyber security position did not arise as a result of the recent ransomware attack.” Instead, the position was part of its ongoing recruiting efforts. “This is a role we wanted to add to further expand our current cyber security team.”
Unwanted side effects
Many signs indicate that DarkSide did not want things to turn out this way.
The organization places a lot of weight on its reputation. DarkSide has cultivated a “Robin Hood” image and touts a code of conduct in which the hackers claim they do not target hospitals, nonprofits and – especially – governments.
“Our goal is to make money and not create problems for society,” DarkSide wrote on its website.
The statement, which contained spelling and grammatical errors, further claimed that the organization is not political and “does not participate in geopolitics.”
“It hurts the overall brand for DarkSide, and DarkSide is very brand aware,” said Holland. “They want to have a really positive brand of, ‘If you pay us, we’ll actually decrypt for you. We’ll destroy the data we’ve stolen from you.’”
“They didn’t plan for this to be the result of the attack, but it happened because of the complexity of the systems,” said Caltagirone.
While Nickels said it’s too early to know for sure, she did say that in its ten-month history, DarkSide has typically focused on organizations that are less of a national security concern.
In a way, Holland says, the attack failed – the US administration is now much more focused on the threat than it used to be, and President Biden has pledged to “disrupt and prosecute” members of DarkSide.
“There are enough victims to extort without going after this kind of critical infrastructure,” explains Holland. “I think there could be some changes in the target audience, chasing after other groups that won’t blow the US government and all possible agencies into a rage.”
On Wednesday, the hacker group said it had already attacked three other companies since the attack on Colonial Pipeline. One of the companies is based in the United States, one in Brazil and the third in Scotland. None of the three appears to be involved in critical infrastructure.