
June 24, 2021

THE PRESSURE IS RISING: THE RECENT CYBER-ATTACK ON COLONIAL PIPELINE

When listing the most dangerous industrial technology malware, a recent article by Stormshield ended on an ominous note. After briefly discussing the impact of Shamoon, Industroyer, Triton and Stuxnet on global industry and the economy, the last – and most threatening – malware on its five-point list was left unnamed and unidentified. The article concluded with a warning: “The fifth most dangerous industrial cyberattack could already be happening right now, without anyone’s knowledge.”

And it seems as if this prediction came true. While we were working on our last article, in which we discussed the 2017 Triton attack on a critical infrastructure site in the Middle East and warned that the threat from malicious software continues to grow, the story of a new industrial cyber security attack suddenly broke.

This time the target was not in the Middle East but in the United States of America – and again it was the primary sector of the economy.

THE COLONIAL PIPELINE COMPANY – IN BRIEF

The Colonial Pipeline Company was founded in 1961 and today owns the largest pipeline system for refined oil products in the U.S.

The infrastructure consists of two pipes, which stretch over 8,000 kilometers and carry, on average, 3 million barrels of fuel per day. Along its length, the pipeline crosses 10 state lines and travels through 12 U.S. states in total – from Texas, through Louisiana, Mississippi, Alabama, Georgia, South Carolina, North Carolina, Virginia, Maryland, Delaware and Pennsylvania, until it finally reaches New Jersey.

The oil products that the Colonial Pipeline delivers are not limited to gasoline (to which one of the two pipes is reserved), but also include home heating oil, jet fuel, diesel fuel and other refined petroleum products. Given the expanse of its operations, the pipeline is divided into three distinct areas: the Gulf Coast District, the Southeast District, and the Northeast District. A separate part of its distribution is reserved for major U.S. airports, to which the pipeline delivers directly, such as the airfields at Atlanta, Nashville, Charlotte, Greensboro, Raleigh-Durham, Dulles, and Baltimore-Washington.

The scale of Colonial Pipeline’s reach, which carries around 45 percent of the entire U.S. East Coast’s fuel supply, makes the news of a ransomware attack on this company all the more disconcerting.


THE ATTACK: TIMELINE AND CONSEQUENCES

As Bloomberg reports, the ransomware attack is estimated to have occurred on Thursday, May 6, 2021, forcing Colonial Pipeline to announce a partial shutdown of its services the next day. This included taking some of its systems offline and halting pipeline distribution for an undisclosed period of time. The news instantly triggered a strong reaction in the U.S. economy, with price increases reflecting the sudden gas shortage. The U.S. national average gas price rose above $3 for the first time since 2014, with even larger increases in the states most affected by the shutdown, namely Georgia, North and South Carolina, and Virginia. The U.S. administration was soon forced to declare a regional state of emergency in 17 states in order to allow immediate transportation of the necessary refined petroleum products.

The initial inquiry speculated that the ransomware attack was carried out by the cybercrime group DarkSide, based in Eastern Europe, which was later confirmed by the Federal Bureau of Investigation (FBI) on May 10. The intruders stole almost 100 gigabytes of data within a two-hour period on Thursday and threatened to leak its contents online. While DarkSide claims to be an apolitical group with strictly monetary interests, the fact that it collaborates with other hacker organizations, to an as yet unclear extent and by unclear means, raises the possibility that this particular attack has more insidious dimensions.

While dealing with the problem at hand, Colonial Pipeline remained mostly quiet, releasing several statements assuring its partners and customers that the company “has and will continue to put safety and system integrity first and will invest the required resources to maintain safe and reliable operations”. Then, on May 19, CEO Joseph Blount confirmed to the Wall Street Journal that he had authorized a Bitcoin payment of $4.4 million, a decision that was not easy to make but nonetheless necessary. The cost of DarkSide’s attack is estimated to be far larger than the ransom amount alone, however, with tens of millions of dollars expected to go into system restoration and further protection.

RANSOMWARE EXPLAINED

The Colonial Pipeline case is a standard example of a ransomware attack, a category that has been steadily on the rise over the last decade. What makes it stand out from the cases documented in the past is the scale of those affected.

“This is the largest impact on the energy system in the United States we’ve seen from a cyberattack, full stop,” said Rob Lee of Dragos in a statement to Wired.

WHAT DOES A RANSOMWARE ATTACK TYPICALLY INVOLVE?

Simply put, ransomware is malware used for cryptoviral extortion: it encrypts the victim’s data and demands payment in exchange for the key that restores access.

The early rise of ransomware was mostly associated with targeting the average computer user, gaining access to their private files and blackmailing them for negligible sums. As malware as a whole has continued to evolve, in recent years ransomware has more and more often been leveraged against entire organizations, from private companies and government bodies to hospital computer systems, as was the case with the attack on Universal Health Services (UHS) last fall. Finally, the focus of various hacker groups has increasingly turned toward critical infrastructure, with particular attention directed at the electric power and energy industries.

At this scale, the standard ransomware practice is to lock companies out of their own internal systems until financial compensation is received. This is typically done by planting a Trojan in the victim’s system, disguised as a legitimate file.

Once the malware infiltrates the internal IT system of an industrial site, gaining access to a substantial amount of data and sometimes even taking control of the OT infrastructure, a ransom note is sent to those responsible, usually demanding a substantial sum of money.

This effectively halts normal operations from the top to the bottom of the production line, causing great financial losses and sometimes even endangering the safety of employees. Paying for the decryption key to get your data back often costs several million dollars. The use of cryptocurrencies such as Bitcoin for the transactions makes tracing them very difficult and leaves the attackers in a position of power.

WHAT’S NEXT?

As the Colonial Pipeline attack shows, the cyber security challenges facing big industry today are unprecedented. And, as this case highlights, the risk posed by industrial technology malware is not only directed at the sites it targets and the companies that own them, but also carries wider consequences that can very quickly be felt at a global economic level.

For its part, the U.S. administration’s response was quick and decisive: on May 13, President Biden signed an executive order on improving cybersecurity in the federal government, which included implementing multi-factor authentication, encryption of data both at rest and in transit, and improvements in endpoint protection and incident response, amongst other things.

Keeping in mind that the latest statistics show no sign of ransomware attacks slowing down, and taking their cue from Biden’s order, which cites the need for “bold changes and significant investments” in cybersecurity, other world and industry leaders would do well to follow the U.S. example.

ATS has been in the ICT field for 18 years, and our expertise includes System Integration, Maintenance, and Support, along with Advisory and Consultancy.
