Security researchers examine possible perpetrators of the attack & warned that the incident could be a harbinger of things to come.
The Biden administration has declared a state of emergency that covers 17 states & Washington D.C. in the wake of the ransomware attack on the Colonial Pipeline Co. & is working with Colonial to restart operations.
On Mon. morning, FireEye also confirmed that it has been called in to help with the investigation, but it was not at liberty to say anything more.
The news came as security researchers looked at possible perpetrators of the attack & warned that the incident could be a harbinger of things to come.
In recent hours, in a terse statement, the FBI confirmed that Dark Side ransomware is behind the attack.
The Biden declaration, which the US Govt. made on Sun. following Fri.’s attack & pipeline shutdown, covers the US States of Alabama, Arkansas, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, Virginia & The District of Columbia. The US Govt. is working to keep the supply of gasoline, diesel, jet fuel and other refined petroleum products flowing to those states & the capital.
As well, the Cybersecurity & Infrastructure Security Agency (CISA) has posted ransomware guidance and resources, saying that it is engaged with Colonial over the attack.
Colonial, which moves about 2.5m barrels of liquid fuels to the eastern & southern US every day, was forced to shut down pipeline operations on Fri. It wasn’t clear at the time whether the digital assault had actually caused the shutdown, but in a statement on Sun., the company clarified that the shutdown was in fact proactive.
“Maintaining the operational security of our pipeline, in addition to safely bringing our systems back online, remain our highest priorities,” according to Colonial’s statement. “Over the past 48 hours, Colonial Pipeline personnel have taken additional precautionary measures to help further monitor & protect the safety & security of its pipeline.”
This is a massive hit to the country’s infrastructure: Colonial carries 45% of fuel supplies to the eastern US. About 5,500 miles of pipeline were proactively shut down in response to the attack. As of Sun. evening, Colonial’s operations team was still working on a system restart plan. Its main lines were still offline, but it had restarted some smaller lateral lines between terminals and delivery points.
“We are in the process of restoring service to other laterals & will bring our full system back online only when we believe it is safe to do so,” Colonial observed, “& in full compliance with the approval of all federal regulations. At this time, our primary focus continues to be the safe & efficient restoration of service to our pipeline system, while minimising disruption to our customers & all those who rely on Colonial Pipeline.”
Lior Div, Cybereason’s CEO & Co-Founder, explained on Mon. that the attack should be evaluated against the backdrop of the SolarWinds & Microsoft Exchange Server attacks, which have been “unparalleled” in scope, “successfully infiltrating & compromising virtually every US Govt. agency & a wide array of medium & large private-sector companies.”
He echoed a call for an overhaul of critical systems that has resounded throughout the country since the attack was made public on Fri. “The Colonial Pipeline attack reinforces the need to update legacy systems running today’s critical infrastructure networks,” he observed. “How the Biden administration responds to the broader & more wide-scale attacks will be a part of the administration’s legacy.”
Who’s Behind the Pipeline Attack? Dark Side?
Before the FBI’s announcement that Dark Side was behind the attack, security experts were looking at a few possibilities regarding which ransomware gang was responsible, with the top contenders initially being Dark Side & Ryuk.
Reuters & Bloomberg sources – including a former US official & 2 people involved in the investigation – explained that the intruders belong to the Dark Side gang, a group of professional digital extortionists that is new to the party but clearly not lacking in criminal expertise. It has hit utility & critical-infrastructure targets in the past.
Div told Reuters on Sun. that Dark Side is made up of veteran crooks who are adept at squeezing every possible penny out of victims. “They’re very new but they’re very organised,” he stated. “It looks like someone who’s been there, done that.”
As Cybereason described in a post in early April, Dark Side made its 1st appearance less than a year ago, in Aug. The team offers its malware up for lease, following the RaaS (ransomware-as-a-service) model.
Cybereason mentioned last month that the Dark Side team recently announced on Hack Forums that it had upgraded its offering, releasing Dark Side 2.0, which Dark Side claimed has the fastest encryption speed on the underground market. It includes Windows & Linux versions.
On Mon., Cybereason explained that its researchers have seen Dark Side launched against targets in English-speaking countries, & that it appears to avoid targets in countries associated with former Soviet-bloc nations. The group’s ransom demands range from $200k to $2m, & like so many similar groups, it throws a superhero cloak over its crimes:
In Oct., the group tried to donate around $20,000 in stolen Bitcoin to 2 international charitable organisations, The Water Project & Children International, announcing it in a press release on the underground, a gimmick that experts suggested was likely a publicity stunt. The charities refused to accept the funds.
Dark Side, again like similar Robin Hood wannabes, also reportedly has an ethics code that prohibits attacks against hospitals, hospices, schools, universities, non-profit organisations, & govt. agencies.
Cybereason outlined that it cannot say with 100% certainty that Dark Side is behind the attack, although “the characteristics of the attack are consistent with what we’ve seen with Dark Side,” a spokesperson suggested.
Was It Ryuk?
Ryuk, meanwhile, was first observed in 2018, as a variant of the Hermes 2.1 ransomware. Unlike Hermes, it is not peddled on underground markets like the Exploit forum. Deloitte researchers have theorised that Ryuk is sold as a toolkit to attacker groups, which use it to develop their own “flavours” of the ransomware. There could therefore be as many variants as there are attacker groups that buy the code.
Ryuk has been increasingly prolific over time, spearheading double-extortion attacks where cyber-criminals steal data on top of locking up files. In early 2021, it was estimated that Ryuk operators had raked in at least $150m, according to an examination of the malware’s money-laundering operations. It also keeps improving; it recently added a self-propagating “worming” variant.
Massive Number of Victims
Check Point Research pointed to reports that fingered Ryuk ransomware as being behind the pipeline attack, as opposed to Dark Side. Prior to the FBI’s confirmation that Dark Side was behind the assault, Ryuk was a reasonable contender, given the massive number of victims it has had this year alone: Check Point puts it at more than 2,000.
The US is one of Ryuk’s favourite markets, Check Point explained Mon.: American organisations make up 15% of its efforts.
Bloomberg’s sources classified this as a double-extortion scheme: besides encrypting files, the threat actors also stole data & threatened to leak it if the ransom isn’t paid.
Bloomberg reported on Sat. that the attackers actually began to steal Colonial’s data on Thurs., a day before triggering the ransomware attack itself, & said that they guzzled 100Gb of data in just 2 hours on Thurs.
Is There a Nation-State Cyber-Attacker?
As far as attribution goes, prior to the FBI’s naming of Dark Side, there were some interesting possibilities, according to Mike Hamilton, former CISO of Seattle & CISO of US Govt. cyber-security firm CI Security.
“If Colonial is being extorted with ransomware it does not necessarily implicate organised crime, as nation-states have been known to obfuscate their motivation using ransomware as a false flag,” he revealed Mon. morning.
“If Colonial is NOT being extorted, this may be pure disruption for the purpose of creating further chaos in the American economy. This is a strategic interest of some countries, especially those that depend on energy for a good portion of their GDP; it is likely that energy prices will spike as a result of this action.”
Cyber-activism is another possibility, he suggested – such groups are increasingly using cyber-methods – but although pipelines are known to be targets for activists, they usually target pipelines under construction, he stated.
This might end up being designated a terrorist act, he added. “These pipelines have been designated critical infrastructure,” Hamilton pointed out. “Intentionally disrupting or damaging these systems can be considered an act of terrorism. As more is learned about the event, & as the motivation of the actors becomes clear, we’ll find out if this event has taken us from a cold to a much warmer cyber-conflict.”
Adam Bixler, global head of 3rd-party risk at cyber-security firm Blue Voyant, explained on Mon. morning that the attack does not sound like the work of a nation-state.
“The Colonial Pipeline vulnerabilities exposed to the internet, including open services on standard ports open to the internet, over the past few months are more than enticing for criminal groups indiscriminately scanning the internet. In light of the news that ransomware was the attack vector of choice, this is more than likely a monetarily motivated effort, likely excluding nation-state adversaries.”
One thing is certain: Ransomware attacks on these types of targets are likely to become more frequent. John Cusimano, VP at industrial cyber-security company ae Cyber Solutions, explained that the industry is lagging in protecting critical infrastructure from the stranglehold of cyber-attack.
“In our company’s extensive experience in assessing oil & gas pipelines for several of the country’s largest pipeline operators, we have found that pipeline cyber-security is far behind that of other energy sectors (upstream & downstream O&G & electric utilities),” he suggested Mon. morning.
Cusimano says that a common gap in the pipeline industry is the lack of segmentation of the pipeline supervisory control & data acquisition (SCADA) networks, which are the networks that connect the pipeline control centre to every terminal, pumping station, remote isolation valve & tank farm along the pipeline.
These are sprawling networks covering extensive distances, but from a network segmentation standpoint they are flat, meaning that once attackers gain access there are no barriers, and they can reach every device on the network.
“While pipeline SCADA networks are typically separated from the company’s business (IT) networks with firewalls, by design, those firewalls pass some data between the networks,” Cusimano noted. “For example, network monitoring software, such as SolarWinds, may be permitted through the firewall in order to monitor the SCADA network. These permitted pathways through the firewall are one way malicious software or hackers can move from the IT network into the SCADA network. This was one of my greatest concerns when I learned of the SolarWinds attack.”
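As an added illustration (not code from the article or from any firm quoted in it), the script below audits a constructed firewall rule table for the kind of IT-to-SCADA pathway Cusimano describes: it passes only a single pinned monitoring host on a single service and flags every rule that lets a whole IT range, or an unpinned service, cross into the SCADA segment. The subnets, the approved monitoring host and the rule format are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional
# Constructed example ranges (assumptions, not Colonial's): business (IT) network and SCADA network.
IT_NET = ip_network("10.10.0.0/16")
SCADA_NET = ip_network("172.16.0.0/16")
# Assumed: the single monitoring server allowed to poll SCADA devices, and only over SNMP.
APPROVED_MONITOR = {("10.10.5.20/32", "udp", 161)}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port

def crosses_into_scada(rule: Rule) -> bool:
    """True for an allow rule whose source lies in IT and whose destination lies in SCADA."""
    return (ip_network(rule.src).overlaps(IT_NET)
            and ip_network(rule.dst).overlaps(SCADA_NET))

def audit(rules: List[Rule]) -> Dict[str, List[str]]:
    """Classify every IT->SCADA pathway as 'approved' or as a 'finding' with reasons."""
    report: Dict[str, List[str]] = {"approved": [], "finding": []}
    for r in rules:
        if not crosses_into_scada(r):
            continue  # traffic that never enters the SCADA segment is out of scope here
        reasons = []
        if ip_network(r.src).num_addresses > 1:
            reasons.append(f"source {r.src} is a range, not one pinned host")
        if r.proto == "any" or r.port is None:
            reasons.append("service not pinned to one protocol/port")
        if not reasons and (r.src, r.proto, r.port) not in APPROVED_MONITOR:
            reasons.append("host/service not on the approved monitoring list")
        if reasons:
            report["finding"].append(f"{r.name}: " + "; ".join(reasons))
        else:
            report["approved"].append(r.name)
    return report

SAMPLE_RULES = [  # constructed rule table for the demonstration
    Rule("monitor-snmp", "10.10.5.20/32", "172.16.0.0/16", "udp", 161),
    Rule("it-any-to-scada", "10.10.0.0/16", "172.16.0.0/16", "any", None),
    Rule("jump-rdp", "10.10.7.9/32", "172.16.1.10/32", "tcp", 3389),
    Rule("it-internal", "10.10.1.0/24", "10.10.2.0/24", "tcp", 443),
]
if __name__ == "__main__":
    for kind, items in audit(SAMPLE_RULES).items():
        print(kind, items)
```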
Another challenge with securing pipeline SCADA networks is that they branch into every facility along 100s of miles of pipeline, Cusimano explained. “Some of those facilities are in very remote places with little to no physical security, meaning that if an attacker breached the security of one of those facilities they could gain access to the network.”
Another complicating factor in securing pipelines: SCADA networks rely on extensive use of wireless communications such as microwave, satellite & cellular. “Breaching the wireless signals or stealing a cellular modem from a remote site could give an attacker access to the entire SCADA network,” Cusimano outlined.
‘Absolute’ & ‘Recurring’ Nightmare
Andrew Rubin, CEO & Co-Founder at Illumio, observed that this could be “the most impactful ransomware attack in history, a cyber-disaster turning into a real-world catastrophe.”
It is not only an “absolute nightmare,” he stated on Mon. morning – it is a recurring nightmare.
“Organisations continue to rely and invest entirely on detection as if they can stop all breaches from happening,” Rubin stated. “But this approach misses attacks over and over again. Before the next inevitable breach, the President & Congress need to act on our broken security model. This begins but does not end with the adoption of a zero-trust strategy.”
Entire Security Industry
“But instead of talking about & doing the hard work we need to do, we’ll watch the financial markets on Mon. reward the entire security industry for failing to stop modern attacks from spreading into a disaster.”
According to the New York Times, petrol prices rose as much as 4.2% early on Mon. By 9:30 a.m. EST, futures of petrol for June delivery were up 1.6%: the highest level since late 2018. The outlet noted that the instability is so far contained to the prices that traders pay for petrol, but we can expect it to ripple to prices at the pump in the coming weeks.
More of the Same
Grant Geyer, Chief Product Officer at industrial cyber-security company Claroty, predicted that the attack against Colonial is just a teaser of future attacks.
“As cyber-criminals & foreign adversaries seek opportunities for financial gain & power projection, our national critical infrastructure is an easy target,” he stated on Mon. morning. “Industrial environments are operating with infrastructure that commonly maintains obsolete technology that can’t be patched, & staff that frequently are not as cyber-savvy as they need to be to keep attackers at bay. This leads to a situation where cyber-security risk levels are below acceptable tolerances, & in some cases organisations are blind to the risk.”
Critical Infrastructure Sectors
He pointed to the water utility attack in Oldsmar, Fla. in Feb. as being an example. “One additional risk factor of pipelines is that they are highly distributed environments, & the tools that are used to enable asset operators’ remote connectivity are optimised for easy access & not for security,” he commented. “This provides attackers opportunities to sneak through cyber-defences.”
Among critical infrastructure sectors, energy is especially at risk: Claroty’s researchers have found that the energy sector is one of the most highly impacted by industrial control systems (ICS) vulnerabilities, & that it experienced a 74% increase in ICS vulnerabilities disclosed during the 2nd half of 2020 compared to 2 years prior.
Improving the US’s critical infrastructure is going to require a public-private sector partnership, Geyer concluded, given the current gaps & the potential risk to the US supply chain & to US national security.