23 May 2021

Colonial Pipeline Cyberattack Follows Years of Warnings

By BRAD D. WILLIAMS

WASHINGTON: The cyberattack that shut down the major East Coast pipeline for gas and other fuels comes after years of repeated warnings to industry — some as recent as the past two weeks. The attack has had the greatest impact ever on US critical infrastructure, cybersecurity experts say.

Details are still emerging. Colonial Pipeline, which owns and operates the pipeline, issued a statement today saying it is dedicating “vast resources to restoring pipeline operations quickly and safely. Segments of our pipeline are being brought back online in a stepwise fashion… and this takes time.” The statement said the company’s goal is to restore pipeline service by the end of the week.

The Department of Energy is leading the federal government response, according to Colonial and sources familiar with the incident. DoE did not immediately respond to a request for comment.

Cybersecurity company FireEye is also said to be assisting Colonial with incident response. Seeking comment from the company, Breaking Defense was referred to Colonial’s statement.

“We are disappointed, though unsurprised, to learn of the cyberattack that shut down 5,500 miles of pipeline operated by Colonial Pipeline,” Sen. Angus King and Rep. Mike Gallagher said in a joint statement today. King and Gallagher co-chaired the Cyberspace Solarium Commission.

“This interruption of the distribution of refined gasoline and jet fuel underscores the vulnerability of our national critical infrastructure in cyberspace and the need for effective cybersecurity defenses, including a robust public-private collaboration to protect both the pipeline system and electric grid, as well as the infrastructure of the telecommunications and financial services systems,” the lawmakers said.

Sen. Mark Warner, who chairs the Senate Select Committee on Intelligence, said: “While we expect companies to secure their infrastructure, these continued breaches only reinforce the need for a cohesive and cooperative partnership between the government and private companies that operate our nation’s critical infrastructure.” As Breaking D readers know, Sen. Warner is working on new legislation to require cyber incident reporting for the private sector.

The cyberattack began last Thursday, when a cybercriminal group called DarkSide stole a large amount of company data. Sources did not specify the type of data. The White House today confirmed DarkSide was behind the cyberattack.

The attackers followed up on Friday by deploying ransomware on Colonial’s IT networks. Government officials and security sources today confirmed it appears to be DarkSide malware. Importantly, the ransomware did not reach Colonial’s operational technology (OT) networks, according to Anne Neuberger, deputy national security adviser for cyber and emerging technology, in a White House press briefing today. OT networks include the hardware and software that enable pipeline physical components to function, such as valves.

Nonetheless, the cyberattack on Colonial’s IT systems forced the company to preemptively shut down OT networks to prevent potential spread, which brought fuel transport from Texas to New Jersey to a screeching halt on Friday. The pipeline carries gas, jet fuel, and other refined products that supply a large part of the East Coast, according to Colonial’s website.

The shutdown prompted the Department of Transportation yesterday to issue an emergency “hours of service exemption” for transporting fuel along the East Coast. The move is intended to temporarily lift restrictions on moving gas, diesel, jet fuel, and other refined petroleum products to minimize supply constraints, especially in the event of a prolonged pipeline shutdown.

Whenever a cyberattack against critical infrastructure occurs, many quickly assume a foreign government is likely involved, which is why DarkSide’s alleged involvement is remarkable. DarkSide is a ransomware-as-a-service (RaaS) group, sometimes described as ransomware-as-a-corporation, that first became known last year. As cybercriminals, DarkSide seeks a profit from its activities.

DarkSide is believed to operate out of Eastern Europe, with elements potentially inside Russia, according to security researchers. Although some cybercriminal groups are alleged to operate as a proxy for the Russian government, security researchers have not to date discovered any direct link between DarkSide and the Russian government.

However, the Russian government often allows such cybercriminal groups to operate with impunity inside Russia — as long as they do not target Russian victims, according to security experts. Indeed, security researchers who have reverse-engineered DarkSide’s malware “found [it] will check device language settings to ensure they don’t attack Russia-based organizations. They have also answered questions on Q&A forums in Russian and are actively recruiting Russian-speaking partners.”

DarkSide issued a statement online today that denied any connection to the Russian government. Breaking Defense is not linking directly to the statement as a security precaution for readers. The statement read, in part, “We are apolitical, we do not participate in geopolitics. …Our goal is to make money, and not creating problems for society.”

There is no evidence right now that the Russian government was involved in this cyberattack, according to administration officials and security sources familiar with the incident.

Because of DarkSide’s business model as RaaS, it’s possible that one of DarkSide’s “affiliates” conducted the Colonial cyberattack using DarkSide’s ransomware. This possibility complicates attribution.

In an unusual move for a ransomware group, DarkSide issued a “press release” last August that explained who it is and how it operates. Among other things, the “press release” said the group is offering a new “product” on the market, which it developed using profits earned from its previous work with other ransomware groups. DarkSide said it takes time to “carefully analyze [victims’] accountancy and determine how much you can pay based on your net income.” The release noted, “We only attack companies that can pay the requested amount, we do not want to kill your business.”

During its short existence, the group has become known for its large ransoms, which can range from $200,000 to $2 million, according to security researchers. It’s unknown right now what the ransom request for this incident is or whether Colonial paid. The US government discourages victims from paying ransoms.

The Colonial cyberattack is not the first on US pipelines. Last year, CISA detailed a cyberattack that targeted an unnamed energy pipeline operator.

American officials have been warning industry and the public about the threat for years. For example, NSA recently issued an advisory calling for critical infrastructure owners to review their OT security, highlighting the threat of OT-IT connected networks and OT-Internet connections. That Colonial preemptively shut down OT networks after its IT networks were infected indicates its IT and OT systems could be connected. There is no indication right now that Colonial’s OT networks were ever connected directly to the Internet.
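The NSA advisory’s point about OT-IT and OT-Internet connections is the kind of thing an operator can check directly against its own traffic records. The following is an added example, not code from the article, from Colonial, or from NSA: it parses a few constructed firewall flow-log lines, assigns each address to an IT, OT or Internet zone using assumed address ranges (10.10.0.0/16 for IT and 10.50.0.0/16 for OT are placeholders, not Colonial’s real addressing), and reports every flow that crosses into or out of the OT zone, with an allow-list for the deliberate exceptions (a historian replica, a data diode) that a real segmentation design would document.

```python
import ipaddress
import re
from collections import Counter, namedtuple

# Assumed zone definitions for this example only; a real pipeline operator
# would load these from its network inventory. Anything not matched is
# treated as Internet.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "OT": [ipaddress.ip_network("10.50.0.0/16")],
}

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed sample flow-log lines in a simple key=value format.
SAMPLE_LOG = """\
2021-05-07T02:13:41Z src=10.10.4.21 dst=10.10.9.5 dport=445 proto=tcp
2021-05-07T02:13:44Z src=10.10.4.21 dst=10.50.1.10 dport=502 proto=tcp
2021-05-07T02:14:02Z src=10.50.1.10 dst=203.0.113.7 dport=443 proto=tcp
2021-05-07T02:14:10Z src=10.50.2.4 dst=10.50.2.9 dport=20000 proto=tcp
2021-05-07T02:15:37Z src=198.51.100.3 dst=10.50.1.10 dport=3389 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow_line(line):
    """Parse one log line into a Flow, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"])


def parse_flow_log(text):
    return [f for f in (parse_flow_line(l) for l in text.splitlines()) if f]


def zone_of(addr):
    """Map an IP address to IT, OT or INTERNET using the assumed ranges."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "INTERNET"


def find_ot_boundary_crossings(flows, allowed=frozenset()):
    """Return (src_zone, dst_zone, flow) for every flow that enters or leaves
    the OT zone, skipping (src_zone, dst_zone, dport) tuples in `allowed`.
    IT <-> Internet traffic is out of scope for this check."""
    crossings = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz == dz or "OT" not in (sz, dz):
            continue
        if (sz, dz, f.dport) in allowed:
            continue
        crossings.append((sz, dz, f))
    return crossings


def summarize(crossings):
    """Count crossings by kind: OT<->INTERNET is the more serious finding."""
    counts = Counter()
    for sz, dz, _ in crossings:
        kind = "OT<->INTERNET" if "INTERNET" in (sz, dz) else "IT<->OT"
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_LOG)
    # Assumed documented exception: IT historian polling Modbus/TCP into OT.
    hits = find_ot_boundary_crossings(flows, allowed={("IT", "OT", 502)})
    for sz, dz, f in hits:
        print(f"{f.ts} {sz}->{dz} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    print(summarize(hits))
```

Run against real exports, the useful output is the OT<->INTERNET bucket, which should be empty, and any IT<->OT entry that is not on the documented allow-list; each of those is a path a ransomware infection of the IT side could use to reach OT, which is exactly the exposure that forced the preemptive OT shutdown described above.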

Just two weeks ago, a public-private group dubbed The Ransomware Task Force issued a report warning of the growing national security and economic implications of ransomware, given cyber actors’ evolving targets to include critical infrastructure. In a virtual event announcing the report, DHS Secretary Alejandro Mayorkas said, in what now seems a prescient speech, “Ransomware is a national security threat.”

King and Gallagher said the Colonial incident highlights the significance of two Solarium recommendations. “First, as mandated by the FY 2021 National Defense Authorization Act, the federal government must understand the potential cascading effects of attacks that disrupt the conveyance of critical goods and services and prepare plans to ensure Continuity of the Economy.”

“Second,” they continued, “the Colonial Pipeline disruption is a clear example of the need to create a new social contract between the federal government and systemically important critical infrastructure.”
