Colonial Pipeline hack is no reason to panic about infrastructure attacks

A woman fills gas cans at a Speedway gas station on May 12, 2021 in Benson, North Carolina. Most of the stations in the area along I-95 ran out of fuel after the hack of the Colonial Pipeline.

Sean Rayford | Getty Images

According to several cybersecurity experts, the Colonial Pipeline hack wasn’t the first domino to fall in a global spate of sudden attacks on America’s critical infrastructure.

Rather, they said, it was the product of sloppy internal security practices and a textbook hack-and-pay scheme that went wrong.

The FBI says DarkSide, a group relatively new to the ransomware scene, was behind the attack. The evidence suggests it was more of a botched extortion plot than the coordinated work of hackers trying to jeopardize the American energy grid.

Whatever the motivation, the effect was real.

The federal government issued an emergency declaration for 17 states and the District of Columbia after the country’s largest fuel pipeline went down. Gasoline price hikes and shortages have been reported in the US, although the supply crisis is likely to have more to do with panic buyers rushing to the pump than with the attack itself. Colonial paid nearly $5 million in ransom to unlock its systems, a source familiar with the situation told CNBC, confirming previous reports.

While the episode made clear how vulnerable America’s critical infrastructure is to cybercriminals, that doesn’t mean we are suddenly at new risk of widespread shutdowns. Ransomware attacks like this one are common, but they typically do not aim to take infrastructure offline. DarkSide, like most attackers, appears to have been motivated by financial gain rather than by a desire to hurt American gas supplies.

The attack drew the new administration’s attention to the rise in ransomware and spurred President Joe Biden to sign an executive order on Wednesday to strengthen the nation’s cyber defenses.

“Depending on the US government’s response to [the Colonial Pipeline attack], other groups could really say, ‘Hey, we’re not going to go after these sectors at all,’” said Rick Holland, chief information security officer at Digital Shadows, a cyberthreat intelligence company.

A common attack

While the effects of this hack were dire, the nature of the attack was in no way new or unique. Ransomware attacks, in which criminals deploy software that freezes or locks computer systems until a company pays a ransom, usually in Bitcoin or another cryptocurrency, happen constantly.

“Everyone is reporting this ransomware attack because it affects the networks that include an oil pipeline,” said Katie Nickels, director of intelligence at cybersecurity firm Red Canary.

“The interesting thing for me and many other cybersecurity experts is that these ransomware attacks have been going on for years. And it seems that just because it affected critical infrastructure in the US, this attack hit a special nerve.”

In the past year and a half in particular, there has been a rapid increase in this type of attack, said former CIA case officer Peter Marta, now a partner at law firm Hogan Lovells, where he advises companies on cyber risk management.

We are in the middle of a ransomware epidemic right now.

Peter Marta

Partner, Hogan Lovells

“This is big news for the average person,” said Marta. “But when I heard about it, it wasn’t even a blip on the radar. … There is a lack of understanding that we are in the middle of a ransomware epidemic right now.”

Although the number of cyberattacks is ballooning, the number designed to cripple systems is small, said Sergio Caltagirone, who spent eight years as an analyst at the National Security Agency, where he was responsible for finding, tracking and countering the world’s most sophisticated cyberthreats.

“In the industrial sector, the number of cyberattacks designed to cripple industrial systems like water, electricity, oil and gas is much, much, much, much less,” continued Caltagirone, who was previously Microsoft’s director of threat intelligence and is now vice president of threat intelligence at Dragos, an industrial cybersecurity company.

“The most likely way an actual major disruptive event like this recurs in the future is through accidental attacks like this one.”

Sloppy defense

America’s physical infrastructure in general is fragile, and pipelines are particularly difficult to defend. That isn’t good news, but it has been the case for years, and attackers have known it for a long time. Last week’s attack did nothing to change that or reveal anything new.

Leo Simonovich, head of industrial cybersecurity at Siemens Energy, told CNBC that part of the problem is that oil and gas companies connecting physical assets like pipelines to digital software and applications are essentially bolting digital solutions onto aging assets.

“This creates a situation where it is difficult to identify threats in time so they can be stopped and, in some cases, even to take basic hygiene measures to protect yourself,” Simonovich said.

This attack targeted the company’s traditional information technology (IT) network, not its operational technology (OT) network, the systems that move valves, start and stop pumps, take measurements, and so on. It was Colonial Pipeline, not DarkSide, that shut down the OT network and the pipeline after the intrusion was discovered.

That’s standard practice, but it doesn’t mean the OT network itself was compromised, says Simonovich. “In this and other attacks, operators stop all of their OT production because they are unsure what is affected by the attack or how to react.”

Cybercriminals likely haven’t learned anything new in the past week. Pipelines differ greatly from one another because each is purpose-built. Knowing how to attack one fuel line does not necessarily translate into being able to attack another.

Since intruders typically need to learn their victims’ networks before launching the final stage of an attack, defenders usually have several opportunities to find and stop the ransomware attack chain before it reaches data exfiltration and encryption.

“A network just doesn’t wake up one morning and become ‘ransomwared’ out of nowhere,” said Nickels. “It has to go through a whole chain of attacks … There are so many ways for defenders to stop this ransomware.”

Ransomware often arrives via a phishing email or a remote network connection that is not protected by two-factor authentication. According to Nickels, basic hygiene measures can prevent that initial access.
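The chain Nickels describes (remote access without MFA, then reconnaissance, then exfiltration, then encryption) gives a defender several distinct things to alert on. The script below is an added example, not code from the article or from any of the companies quoted: it runs four simple rules over a constructed event log. The log format, hostnames, addresses, tool names and thresholds are all assumptions chosen for illustration.

```python
"""Toy detection pass over a constructed event log, looking for the stages of a
ransomware intrusion that come before encryption. Added example; the log format,
hostnames, IPs and thresholds are assumptions, not taken from the article."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from os.path import splitext

# Constructed sample log (not real data). One event per line:
#   <ISO-8601 timestamp> <host> <event type> key=value ...
SAMPLE_LOG = """\
2021-04-29T02:14:03Z vpn01 login user=jdoe src=198.51.100.23 mfa=no result=success
2021-04-29T02:14:40Z vpn01 login user=asmith src=198.51.100.44 mfa=yes result=success
2021-04-29T02:20:11Z ws017 process user=jdoe image=net.exe
2021-04-29T02:25:40Z ws017 process user=jdoe image=adfind.exe
2021-04-29T02:31:05Z ws017 process user=jdoe image=nltest.exe
2021-04-29T09:12:00Z ws022 process user=asmith image=whoami.exe
2021-05-06T21:02:10Z fs01 netflow src=10.0.5.12 dst=203.0.113.77 bytes_out=104857600
2021-05-07T00:01:02Z fs01 file_rename user=svc_backup old=q1.xlsx new=q1.xlsx.lock
2021-05-07T00:01:03Z fs01 file_rename user=svc_backup old=q2.xlsx new=q2.xlsx.lock
2021-05-07T00:01:04Z fs01 file_rename user=svc_backup old=q3.xlsx new=q3.xlsx.lock
2021-05-07T00:01:05Z fs01 file_rename user=svc_backup old=q4.xlsx new=q4.xlsx.lock
2021-05-07T00:01:06Z fs01 file_rename user=svc_backup old=q5.xlsx new=q5.xlsx.lock
2021-05-07T00:01:07Z fs01 file_rename user=svc_backup old=q6.xlsx new=q6.xlsx.lock
2021-05-07T00:01:08Z fs01 file_rename user=svc_backup old=q7.xlsx new=q7.xlsx.lock
2021-05-07T00:01:09Z fs01 file_rename user=svc_backup old=q8.xlsx new=q8.xlsx.lock
2021-05-07T00:01:10Z fs01 file_rename user=svc_backup old=q9.xlsx new=q9.xlsx.lock
2021-05-07T00:01:11Z fs01 file_rename user=svc_backup old=q10.xlsx new=q10.xlsx.lock
2021-05-07T00:02:00Z ws022 file_rename user=asmith old=notes.txt new=notes.md
"""

# Assumed thresholds and address ranges; tune them to the environment.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DISCOVERY_TOOLS = {"net.exe", "nltest.exe", "adfind.exe", "whoami.exe", "dsquery.exe"}
DISCOVERY_MIN, DISCOVERY_WINDOW = 3, timedelta(hours=1)   # distinct tools per user
EXFIL_BYTES = 50 * 1024 * 1024                             # single outbound flow
RENAME_MIN, RENAME_WINDOW = 10, timedelta(seconds=60)      # extension-changing renames per host


def parse(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, host, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host, "event": event, **fields}


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def burst(events, key, min_count, window, distinct=None):
    """Group events by `key`; report (group, first timestamp) for each group that has
    at least `min_count` events (or distinct `distinct` values) inside `window`."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key]].append(e)
    hits = []
    for name, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            inside = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            count = len({e[distinct] for e in inside}) if distinct else len(inside)
            if count >= min_count:
                hits.append((name, first["ts"]))
                break
    return hits


def detect(log_text):
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    # 1. Initial access: successful remote login without MFA from an external address.
    for e in events:
        if (e["event"] == "login" and e.get("result") == "success"
                and e.get("mfa") != "yes" and is_external(e["src"])):
            findings.append(("no_mfa_remote_login", e["user"], e["ts"]))
    # 2. Discovery: several different AD enumeration tools run by one user within an hour.
    disc = [e for e in events if e["event"] == "process" and e.get("image", "").lower() in DISCOVERY_TOOLS]
    for user, ts in burst(disc, "user", DISCOVERY_MIN, DISCOVERY_WINDOW, distinct="image"):
        findings.append(("ad_discovery_burst", user, ts))
    # 3. Exfiltration: one large outbound transfer to an external address.
    for e in events:
        if e["event"] == "netflow" and is_external(e["dst"]) and int(e.get("bytes_out", 0)) >= EXFIL_BYTES:
            findings.append(("possible_exfiltration", e["host"], e["ts"]))
    # 4. Encryption: many renames that change the file extension on one host within a minute.
    renames = [e for e in events if e["event"] == "file_rename"
               and splitext(e["old"])[1] != splitext(e["new"])[1]]
    for host, ts in burst(renames, "host", RENAME_MIN, RENAME_WINDOW):
        findings.append(("mass_rename", host, ts))
    return findings


if __name__ == "__main__":
    for kind, who, ts in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<24} {who}")
```

Run against the constructed log, it reports the no-MFA VPN login and the discovery burst on April 29, a week before the exfiltration flow and the mass rename on May 6 and 7; the benign MFA login, single `whoami.exe` and one-off `.txt` to `.md` rename on `ws022` stay below every threshold. The point of the example is the ordering: the first two findings arrive days before any file is encrypted, which is the window Nickels is talking about.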

A network just doesn’t wake up one morning and become ransomwared out of nowhere.

Katie Nickels

Intelligence Director, Red Canary

“I think there is a lot of fear out there and a lot of people are freaking out … but it is possible to spot these ransomware attacks early on,” continued Nickels. “Detecting these operators is very doable … you can find them and stop them before it gets that bad.”

Adequate staffing is key, and it is an area with room for improvement.

“The TSA admitted back in 2017 that six full-time employees were responsible for overseeing the security of 2.7 million miles of pipelines. That gives me cause for concern,” said Neil Chatterjee, a commissioner at the Federal Energy Regulatory Commission, the agency that oversees the security of the power grid.

CNBC reached out to Colonial Pipeline to inquire about a “Manager, Cyber Security” job that has been posted on the company’s job portal for over 30 days.

Colonial Pipeline wrote in an email to CNBC that “the cybersecurity position was not created as a result of the latest ransomware attack.” Instead, the position is part of ongoing recruiting efforts: “This is a role that we wanted to add to further expand our current cyber security team.”

Unwanted side effects

Plenty of evidence suggests that DarkSide didn’t want things to play out this way.

The group claims to care deeply about its reputation. DarkSide has cultivated a “Robin Hood” image and touted a code of conduct in which the hackers claim they will not attack hospitals, nonprofits and, especially, governments.

“Our goal is to make money and not create problems for society,” wrote DarkSide on its website.

The statement, which contained spelling and grammatical errors, went on to claim that the organization was not political and “does not participate in geopolitics”.

“It hurts the whole brand for DarkSide, and DarkSide is very brand conscious,” said Holland. “They want to have a very positive brand: ‘If you pay us, we’ll actually decrypt it for you. We’re going to destroy the data we stole from you.’”

“They did not intend that this would be the result of the attack, but it was because of the complexity of the systems,” said Caltagirone.

While Nickels said it’s too early to know for sure, she said that in its short history DarkSide has typically targeted organizations that raise fewer national security concerns.

In a way, Holland says, the attack backfired: the US government is now far more focused on the threat than it used to be, and President Biden has promised to “disrupt and prosecute” members of DarkSide.

“There are enough victims to extort without having to worry about this type of critical infrastructure,” said Holland. “I think there could be some changes in targeting, with groups going after other targets that won’t attract the wrath of the US government and its agencies.”

The hacking group announced on Wednesday that it had attacked three other companies since the Colonial Pipeline attack. One is based in the US, one in Brazil and the third in Scotland. None of the three appears to be involved in critical infrastructure.
