The Colonial Pipeline Ransomware
Large-scale Ransomware attacks have been a major problem for many years, and cybersecurity companies have always warned about the dangers that this type of cyberthreat represents. One recent large-scale Ransomware campaign is a prime example of just how devastating Ransomware can be: two days ago (on Saturday), the Colonial Pipeline company, one of the largest US fuel suppliers, was hit by a massive Ransomware attack that forced the shutdown of parts of the company’s operations.
The company is responsible for carrying diesel fuel, gasoline, and natural gas over 5,500 miles, from Texas to New Jersey.
On Sunday, the company released a statement confirming that Ransomware had compromised its network and that, in order to contain the damage, Colonial Pipeline had shut down major parts of its operations.
According to Rob Lee, the CEO of Dragos, an infrastructure-security focused company, this is the most serious hit caused to the US energy system by a cyberattack. He points out that in 2020 approximately 40 percent of the electricity in the US was produced through the burning of natural gas, which is more than any other electricity source. Rob Lee argues that this attack could have severe consequences for the power grid of the US if the threat isn’t quickly taken care of.
There have been many warnings from cybersecurity companies and researchers regarding state-sponsored hacking attacks that represent acts of cyberwar, but the current Ransomware hit doesn’t seem to be sponsored by any state. Instead, the attack appears to be a form of private initiative focused primarily on financial profit.
According to Lee, the last seven or eight months have seen a significant increase in the frequency of similar Ransomware attacks, which only goes to show how big a threat this form of malware is.
The statement from Colonial Pipeline says that an investigation has been launched to determine the nature and scale of the attack. According to a report from Reuters, the cybersecurity firm FireEye has responded to the incident and is working together with Colonial Pipeline to unravel the details of the attack. Currently, the Darkside hacker group is suspected of being behind the attack. According to a report from Cybereason, a cybersecurity company, Darkside is responsible for compromising over 40 organizations and has made ransom demands ranging from $200,000 to $2,000,000.
This Ransomware attack isn’t an isolated case but rather yet another symptom of a rapidly growing ransomware epidemic that has successfully compromised the networks of hospitals, law enforcement databases, municipal systems, and more.
According to Lee, there has been a significant increase in Ransomware attacks that target critical industrial control and infrastructure networks with the goal of compromising sensitive, high-value targets. A successful attack on critical industry-sector infrastructure means that the victim would most likely be forced to give in to the ransom demands, because normal operation of the infrastructure needs to be restored quickly and serious damage could result if it is not restored in time.
There are many similar examples from recent years that show how Ransomware hackers have shifted their sights towards the industrial sector. Back in 2019, Momentive, Hexion, and Norsk Hydro all got hit by Ransomware. Also, last year it was discovered that a special Ransomware variant named Ekans had been developed to specifically target and cripple industrial control systems. There have even been instances of gas pipeline operators being targeted before the current incident: towards the end of 2019, a group of hackers infiltrated a US company that transports natural gas. That incident wasn’t as sizeable as the current one, but it is still an example of a preceding attack on a pipeline company.
In that previous instance of Ransomware attack on a gas supplier, CISA reported that the criminals gained access to the operational technology systems of the attacked company as well as to its IT systems.
In the current incident with the Colonial Pipeline company, it is not yet known whether the hackers managed to gain access to any systems that would allow them to control the physical state of the pipeline equipment or to create hazardous environmental conditions. Still, according to Joe Slowik, a security researcher at the cybersecurity company Gigamon, even a mere infiltration of the pipeline company’s IT network could be reason enough for a major shutdown of large portions of the company’s operations as a precautionary measure. According to Slowik, this was the correct response from the pipeline operator, since once the IT network is infiltrated there can no longer be proper control and monitoring of the physical environment and operations of the pipeline.
According to Rob Lee, attacks that actually reach, compromise, and take over the operational technology of the targeted companies are much rarer than those that simply infiltrate the IT networks. However, he says that these more dangerous attacks have become more frequent in recent years, with the main goal being the total disruption of the targeted company’s or organization’s operations. One of the factors that makes such attacks more successful is that companies have started connecting their operational technology to the Internet in order to improve efficiency and add more automation to their operations. While this can be very helpful if implemented correctly, it also exposes those systems to the risks inherent to the Internet as a whole, so higher and stricter security standards need to be in place to ensure safety.
Currently, there are recommendations for a public-private partnership to help protect against similar attacks in the future. However, such a solution would require a number of government agencies to be brought into the private sector. Additionally, one other thing to consider is that many of the most dangerous hacking groups originate from countries where cybercriminals are rarely prosecuted and sometimes even collaborate with those countries’ governments in state-sponsored hacking attacks. Still, the only correct answer remains closer collaboration between private companies and the US government to bolster the cyberdefences of the infrastructure that represents a high-priority target for such hacking groups.