On May 7th, 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston Texas, which delivers 45% of the East Coast’s fuel including gasoline, diesel, jet fuel, home heating oil, and military supplies suffered a ransomware cyberattack impacting the computerized equipment that manages the pipeline.
This attack forced Colonial Pipelines to take certain systems offline to try and contain the threat, causing a temporary halt of all pipeline operations, highlighting the concerns in the vulnerability of the nation's critical infrastructure.
Due to the attack, the CEO of Colonial Pipelines, Joseph Blount told Wall Street Journal that he authorized a ransom payment of $4.4 million to the cybercrime group on May 7th striving to restore the services as soon as possible.
How did it happen?
There are few details as to how this cyberattack took place, the rest of the details probably won’t come to light until Colonial Pipeline and the third party company they brought to investigate have concluded their analysis on the incident.
However, what we do know, is that it was a ransomware outbreak that struck Colonial Pipeline’s networks. The initial attack vector is still unknown, it may have been an old, unpatched vulnerability in the system; a phishing email that fooled an employee; the use of purchased credentials or credentials obtained elsewhere that were leaked previously, or any other tactics employed by the cybercriminals to infiltrate the company’s network.
It’s important to note that the attackers targeted the business side of the company rather than the operational systems, this leads to the conclusion that the intent was money-related rather than to send the pipeline crashing down.
Who did it?
The FBI has confirmed that DarkSide, a relatively new but prolific ransomware gang believed to be based in Eastern Europe, likely Russia, was responsible for the Colonial Pipeline attack.
Although it’s believed that DarkSide is relatively new to the ransomware scene, they have already created a leak website used for double-extortion campaigns where the victim company is not only locked out of their systems, but they also have their information stolen.
It’s unusual for hackers to attack such important national infrastructures but experts say it is a growing concern. Surprisingly, the group posted something like an apology on their darknet website, stating that their goal is to make money and not create problems for society. They also stated that they would introduce moderation and check each company that their partners want to encrypt to avoid social consequences in the future.
The shutdown of the pipelines caused alarm in the US citizens, believing that there was going to be a gas shortage. And there was, during the pause in Colonial Pipelines services, people ran to the nearest gas station in order to fill in their tanks, causing long lines and an increase in the price of gas. The shortage due to people buying gas in a panic, caused 80% of Washington’s stations to be out of gas.
Luckily, the pipeline shutdown only lasted for 5 days. Colonial Pipelines restored their pipeline operations on May 12th, 2021 at 5:00 PM. During this time, the gas price went up due to the higher demand and lower gas supply on the east coast.
Today, the gas price is over $3 per gallon. This price and the difficulty to fill your gas tanks is thought to stay up until after memorial day when lots of Americans travel
How similar attacks can be prevented in the future.
The simplest way to avoid operational technology from any kind of attack is to keep it offline, but this is becoming more difficult for businesses each passing day, as they increasingly rely on connecting their devices to increase their efficiency.
But as staying offline seems to be impossible for a modern company, there are other solutions to this problem:
Restrict Internet access: staying completely offline gets more difficult with each passing day, but using a proxy server for internet access and ad-blocking software, restricting the access to commonly known ransomware entry points is possible.
User awareness training to mitigate social engineering and phishing attacks.
Have an incident response plan: Having a plan on what to do in case of a ransomware event can be time and life-saving.
Use antivirus and anti-spam software: this one may seem obvious, but it is an indispensable solution. Enabling regular system and network scans with antivirus programs enabled in order to automatically update signatures. The anti-spam solution is perfect to stop phishing emails from reaching the network; consider adding a reminder in external sources to remind the users of the danger of clicking on links or opening attached documents.
Using multi-factor authentication: coming in different versions like one-time passwords, QR Codes, and more, this is a way to make sure that anyone entering the organization’s network is actually an employee or authorized personnel.
Backups are crucial: Routinely testing backups for data integrity and to ensure it is functional.
Utilizing a Zero Trust Security: In essence, this approach assumes that every network is breached, that every machine is compromised and every user is (consciously or not) at risk. No one can be trusted on a zero-trust network until it is proven that it’s not an undercover threat to the organization's security.
This approach may seem paranoid, but it might also be the best plan to secure the organization’s networks against the ever-evolving threats that can strike at any moment.