Ransomware attack shuts down major US gas pipeline
Last Friday, hackers hit the Colonial Pipeline fuel company with a ransomware attack. When the company realized what was going on, it shut down its 5,500-mile pipeline as a proactive measure. Here’s what we know about the Colonial Pipeline attack so far:
Colonial Pipeline attack: Timeline and Scope
Colonial Pipeline issued a statement about the incident over the weekend. Company officials say they first learned that they’d been hit by a cyberattack on May 7. They quickly shut down their pipeline system as a precaution. On May 8, they confirmed that they were dealing with a ransomware attack.
According to the BBC, the hackers got hold of an estimated 100GB of Colonial Pipeline’s data and encrypted it. They demanded a ransom and threatened to leak the data to the Internet if the company didn’t pay.
At this stage, we know that the attackers breached Colonial Pipeline’s corporate IT network. It’s still unclear whether they also managed to reach the company’s industrial control systems (ICS). That would have been even more serious, since access to those systems could have affected the physical operation of the pipeline (see: Hacker breaches water treatment plant in Florida).
Colonial Pipeline attack: Impact and Remediation
Colonial Pipeline operates one of the most important fuel pipelines in the United States. It carries gas and jet fuel from refineries in Texas through the eastern United States to New York. According to statistics provided by the company, its pipeline accounts for 45% of all fuel consumed in the eastern US. The disruption to the fuel supply is significant, and industry experts say prices at the pump will likely rise in the coming days.
The federal government is directly involved in the effort to get the pipeline up and running again. In the meantime, the US Department of Transportation (USDOT) has issued a regional emergency declaration. USDOT says that the declaration will help “create more flexibility for motor carriers and drivers” transporting fuel in the affected states.
Colonial Pipeline says that it is working to restore full functionality as soon as possible. It has not said whether or not it intends to pay the ransom. However, some observers in the media think that the silence itself may be significant, since companies often decline to comment when they are considering paying a ransom or have already done so.
Colonial Pipeline attack: Who was responsible?
The big question, of course, is who was responsible for the Colonial Pipeline attack.
Attributing a cyberattack to a specific threat actor is not easy, and it’s probably too early to be making any definitive statements. However, several sources have speculated that the attack was carried out by a Russian ransomware gang known as DarkSide.
DarkSide is a newer organization, but it appears to be made up of experienced cybercriminals. The group engages in targeted attacks, uses custom ransomware packages, and is fairly professional in its communications. It also seems to have a code of conduct, saying that it will only attack large, profitable corporations, and that it won’t go after schools, hospitals, or governments. In one incident last year, DarkSide even donated part of a ransom to charity!
In terms of motivation and affiliations, again it’s difficult to say anything with absolute certainty. On the one hand, there are definitely Russian APT groups with links to Russian military intelligence, and their attacks on US organizations have obvious geopolitical aims (see: SolarWinds hack impacts US government and military). However, it’s not clear that DarkSide has any such links to the Russian government. If they turn out to be the guilty party, their motivation in the Colonial Pipeline attack may have been purely financial.
More attacks to come?
Unfortunately, incidents like the attack on Colonial Pipeline are likely to become more common in the years ahead.
Last summer, the US government issued an alert about cyberattacks on critical infrastructure facilities — and offered some recommendations for how organizations could protect themselves. However, as the events of the last few days demonstrate, such facilities are still quite vulnerable to attack. More broadly, ransomware is a growing threat, and security experts warn of a rise in ransomware attacks on local governments and businesses alike.
In addition, companies and organizations are fielding more Internet of Things (IoT) devices than ever before. But IoT technology is notoriously insecure, and its widespread adoption is expanding the attack surface available to the bad guys.
If there’s any “good news” in all of this, it’s that many of these compromises happen because someone failed to follow basic best practices for cybersecurity. Organizations (and individuals) can protect themselves by emphasizing security fundamentals like phishing awareness, password security, two-factor authentication, and regular software updates.