Colonial Pipeline, which carries 45% of the fuel consumed on the U.S. East Coast, said on Saturday that it had halted operations due to a ransomware attack, another situation highlighting how vulnerable infrastructure is to cyber attacks. Colonial Pipeline is the largest refined products pipeline in the U.S., transferring more than 100 million gallons from Houston to New York Harbor.
On May 7th 2021, the Colonial Pipeline Company discovered it was the victim of a serious cybersecurity attack. The company released a statement explaining the situation. Cybersecurity professionals assisting with the investigation linked the attack to a ransomware strain called DarkSide. An analysis of the ransomware published by Cybereason earlier in April 2021 reveals that DarkSide has a pattern of being used against targets in English-speaking countries, while avoiding entities located in former Soviet Bloc nations.
The operators behind the ransomware also recently switched to an affiliate program in March, wherein threat actors are recruited to spread the malware by breaching corporate network victims, while the core developers take charge of maintaining the malware and payment infrastructure.
DarkSide, which commenced operations in August 2020, has published stolen data from more than 40 victims to date. It’s not immediately clear how much money the attackers demanded or whether Colonial Pipeline has paid. A separate report claimed that the cybercriminals behind the attack stole 100GB of data from its network.
As we stated in a previous blog, ransomware is growing at a concerningly fast rate. Ransomware is ever-evolving, and the latest cyber attack comes as a coalition of government and private-sector tech firms, called the Ransomware Task Force, released a list of 48 recommendations to detect and disrupt the rising ransomware threat, in addition to helping organizations prepare for and respond to such attacks more effectively.
Potentially damaging interruptions targeting utilities and critical infrastructure have surged in recent years, fueled in part by ransomware attacks that have increasingly jumped on the double extortion bandwagon: they not only encrypt the victim’s data, but exfiltrate the information beforehand and threaten to make it public if the ransom demand is not paid.
Last February, CISA issued an alert warning of increasing ransomware infections affecting pipeline operations, following an attack that hit an undisclosed natural gas compression facility in the country and led to the company shutting down for two days.
Securing pipeline infrastructure has been an area of focus for the Department of Homeland Security, which assigned CISA in 2018 to oversee the Pipeline Cybersecurity Initiative (PCI). The initiative focuses on identifying and addressing emerging threats and executing security procedures to safeguard and defend the over 2.7 million miles of pipelines responsible for transporting oil and natural gas in the U.S. The agency’s National Risk Management Center (NRMC) also published a Pipeline Cybersecurity Resources Library in February 2021 to “provide pipeline facilities, companies, and stakeholders with a set of free, voluntary resources to strengthen their cybersecurity posture.”
This ransomware attack against Colonial Pipeline’s networks has prompted the U.S. Federal Motor Carrier Safety Administration (FMCSA) to issue a regional emergency declaration in 17 states and the District of Columbia (D.C.). The declaration provides a temporary exemption from Parts 390 through 399 of the Federal Motor Carrier Safety Regulations, allowing alternate transportation of gasoline, diesel, and refined petroleum products to address supply shortages stemming from the attack. The states and jurisdictions in the Emergency Declaration are Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, and Virginia.
The exemptions, which aim to alleviate any shortages or supply disruptions that may arise due to the shutdown, are expected to be in effect until the end of the emergency or June 8th 2021.
The development comes as the U.S. Federal Bureau of Investigation (FBI) confirmed that the disruption of one of the country’s largest pipelines over the weekend was orchestrated with DarkSide ransomware. The vicious cyberattack forced the company to shut down 5,500 miles of fuel pipeline from the Texas city of Houston to New York Harbor, raising concerns about the vulnerability of U.S. energy infrastructure to cyberattacks.
The U.S. government stated there was no indication that Russia was involved in the Colonial Pipeline ransomware attack. Meanwhile, the operators of the DarkSide ransomware issued a statement vowing to vet the companies its affiliates target going forward, in order to “avoid social consequences in the future.” They stated that they are apolitical and do not participate in geopolitics, and explained that their goal is to make money, not to create problems for society.
The adversary, which is alleged to have leaked data pertaining to at least 91 organisations since commencing operations in August 2020, functions as a ransomware-as-a-service scheme: partners are roped in to expand the criminal enterprise by breaching corporate networks and deploying the ransomware, while the core developers take charge of maintaining the malware and payment infrastructure. Affiliates typically receive 60% to 70% of the proceeds, and the developers earn the rest.
Alongside internal data from the pipeline incident, data from other oil and gas companies, such as Forbes Energy Services and Gyrodata, both of which are based in Texas, has also been published on DarkSide’s data leak site. According to cybersecurity professionals, DarkSide is believed to be the handiwork of Carbon Spider (aka Anunak, Carbanak, or FIN7), whose high-level manager and systems administrator was recently sentenced to 10 years in prison in the U.S.
More than 7% of petrol stations in Virginia and 5% in North Carolina were out of fuel yesterday as demand jumped 20%, tracking firm GasBuddy said. Yesterday the government stepped in to issue an emergency fuel waiver that will last one week, intended to help alleviate any shortages.
The Environmental Protection Agency (EPA) said the move, which relaxes some rules usually applied to fuel, would run until 18 May in Pennsylvania, Virginia, Maryland, and Washington DC. In addition, Georgia suspended sales tax on petrol until Saturday. North Carolina was among the numerous states that declared a state of emergency and temporarily suspended vehicle fuel regulations “to ensure adequate fuel supplies throughout the state”. While the pipeline outage is having short-term consequences in some regions, some experts believe the longer-term impact will be small.
The Colonial Pipeline incident is the latest cyberattack to confront the U.S. government in recent months, following the SolarWinds hacks and the exploitation of Microsoft Exchange Server vulnerabilities.