SOCRadar® Cyber Intelligence Inc. | From Fuel Shortages to Gas Hikes: How the Colonial Pipeline Co. Fell Victim to a Ransomware Attack?

Resources

May 17, 2021

8 Mins Read

From Fuel Shortages to Gas Hikes: How the Colonial Pipeline Co. Fell Victim to a Ransomware Attack?

On May 7, 2021, Colonial Pipeline suffered a ransomware attack that impacted computerized equipment managing the pipeline. The attack was the largest cyberattack on an oil infrastructure target in the history of the United States.

Who is Colonial Pipeline?

The Colonial Pipeline is the largest pipeline system for refined oil products in the U.S. The pipeline is 8,850 km long and can carry 3 million barrels of fuel per day between Texas and New York. About 45% of all fuel consumed on the East Coast arrives via the pipeline system.

Source: https://www.bbc.com/news/technology-57063636

What Did Happen?

On May 6, 2021 – A hacker group is believed to have stolen 100 gigabytes of data from Colonial Pipeline’s servers the day before the ransomware attack^{^[1]}.

On May 7, 2021 – Colonial Pipeline suffered a ransomware attack that impacted computerized equipment managing the pipeline^{^[2]}.

On May 8, 2021 – Colonial Pipeline paid 75 Bitcoin, or roughly $5 million, to hackers. The Company had begun to restart its operation after a six-day shutdown^{^[3]}.

Source: https://www.bbc.com/news/technology-57063636

On May 9, 2021 – President Joe Biden declared a state of emergency. It was the largest cyberattack on an oil infrastructure target in the history of the United States^{^[4]}.

On May 10, 2021 – The FBI confirms that the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks^{^[5]}.

On May 11, 2021 – Colonial Pipeline’s Website Offline^{^[6]}.

On May 12, 2021 – The CSIA and FBI issued a cybersecurity advisory that described DarkSide ransomware and associated risk mitigation strategies^{^[7]}.

On May 13, 2021 – The operators of the DarkSide passed an announcement to its affiliates claiming a public portion of the group’s infrastructure was disrupted by an unspecified law enforcement agency^{^[8]}.

Source: https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime

What is Ransomware?

Ransomware is a kind of malware that encrypts files and documents from a single PC to a whole network including a server. Usually, victims have two options, paying ransoms to the adversaries by hoping that a decryption key works or restoring their data from backups.

Ransomware is one of the biggest challenges and security problems on the internet and its costs are forecast to reach a record $20 Billion by 2021. It was predicted by security researchers that in 2021, a ransomware attack will take place every 11 seconds. Following statistics can give a better understanding of how ransomware attacks are getting more dangerous and harmful

51% of businesses have been impacted by ransomware in the last year^{^[9]}.
90 % of IT pros had clients that suffered ransomware attacks in the past year.
50% of IT professionals don’t believe that their organization is ready to defend against a ransomware attack.
85% of ransomware attacks target Windows systems.

Who is DarkSide?

DarkSide^{^[10]} is believed to be based in Eastern Europe, likely Russia, but unlike other hacking groups it is not believed to be directly state-sponsored (i.e., operated by Russian intelligence services). DarkSide avoids targeting former Soviet countries; specifically, DarkSide’s ransomware avoids targeting computers for which the default language setting is Russian, Ukrainian, Georgian, or Belarusian. Experts state that the group is one of the many for-profit ransomware groups that have proliferated and thrived in Russia with at least the implicit sanction of the Russian authorities, who allow the activity to occur so long as it attacks foreign targets.

How did the Colonial Pipeline Ransomware Attack Happen?

Few details of how the cyber campaign was carried out are clear, other than that it is expected to alter only when the review of the event is complete by Colonial Pipeline and the third-party firm.

The initial attack vector is unknown, although it may have been an old unpatched flaw in a system, a phishing email successfully tricked an employee, the exploitation of previously leached access credentials or other strategies used to penetrate a company’s network by cyber criminals.

Why is the Attack on Colonial Pipeline Important?

It was the largest cyberattack on an oil infrastructure target in the history of the United States.

At the time of the attack, the supply shortage caused gasoline prices to peak in 3 years. Demand has grown, but drivers are cautioned not to panic since prices that have climbed by six cents a gallon last week might have an impact.

President Joe Biden declared a state of emergency on May 9.

The NCSC, alongside the US Department for Homeland Security’s Cybersecurity Infrastructure Security Agency (CISA), FBI and the National Security Agency (NSA), has today published a report to provide further details of Tactics, Techniques and Procedures (TTPs) associated with SVR cyber actors. SVR cyber actors are known and tracked in open source as APT29, Cozy Bear, and The Dukes.

The Advisory can be reached: https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf

What is the New Executive Order on Cybersecurity?

The New Executive Order looks^{^[11]} to make immediate improvement to the nation’s cybersecurity defenses, with the headline item being new reporting requirements for federal government vendors that experience cybersecurity breaches.

The executive orders included a number other items: the new security rating system for software supplied to the federal government, new security requirements for federal agencies stressing behavioral authentication and monitoring approaches; the setting up of a new review board on major cybersecurity breaches.

What are the Mitigation Strategies for such Attacks?

Adversaries regularly make use of publicly known vulnerabilities (alongside complex supply chain attacks) to gain initial access onto target networks. Managing and applying security updates as quickly as possible will help reduce the attack surface available for adversaries, and force them to use higher equity tooling to gain a foothold in the networks.

Despite the complexity of supply chain attacks, following basic cyber security principles will make it harder for even sophisticated actors to compromise target networks. By implementing good network security controls and effectively managing user privileges organisations will help prevent lateral movement between hosts. This will help limit the effectiveness of even complex attacks.

Detecting supply chain attacks, such as the Mimecast compromise, will always be difficult. An organisation may be able to detect this sort of activity through heuristic detection methodologies such as the volume of emails being accessed or by identifying anomalous IP traffic. However, the actor frequently uses malicious infrastructure located within the target organisation’s own country, likely in an effort to frustrate detection efforts.

Organisations should ensure sufficient logging (both cloud and on premises) is enabled and stored for a suitable amount of time, to identify compromised accounts, exfiltrated material and actor infrastructure. Mail retention and content policies should also be implemented to reduce the amount of sensitive information available upon successful compromise. Particularly sensitive information, including information relating to network architecture and network security, should be safeguarded appropriately.

As part of Microsoft’s ‘Advanced Auditing’ functionality, Microsoft have introduced a new mailbox auditing action called ‘MailItemsAccessed’ which helps with investigating the compromise of email accounts. This is part of Exchange mailbox auditing and is enabled by default for users that are assigned an Office 365 or Microsoft 365 E5 license or for organisations with a Microsoft 365 E5 compliance add-on subscription.

With ‘MailItemsAccessed’ enabled, administrators are able to identify almost every single email accessed by a user, giving organisations forensic defensibility to help assert which individual pieces of mail were or were not maliciously accessed by an attacker.