The News: Per Bloomberg reporting, May 13, 2021: “Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers on Friday (May 7th), contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction.
The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment.
Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.” You can read the full Bloomberg report here.
The DarkSide of Colonial’s Ransomware Payment – It Doesn’t Fix the Problem
Analyst Take: On May 7, 2021, Colonial Pipeline was the target of a successful ransomware attack on its digital systems. The company stated the following day that, as a precaution, it had taken “certain systems offline to contain the threat, which has temporarily halted all pipeline operations, which has affected some of our IT systems.” You can read the complete log of public statements on Colonial’s website here.
We now know that Colonial Pipeline paid approximately $5 million to the attackers within hours of the attack. DarkSide, a Ransomware-as-a-Service operation, and several of its affiliates have been identified as the guilty party, which DarkSide publicly admitted on its own website (yes, the group has a website, although there are reports that it has disbanded or will shortly do so in the face of global scrutiny).
It’s not completely clear which systems were targeted, but Colonial Pipeline’s statements indicate that it was not the pipeline’s operational technology (OT) or industrial control systems (ICS) that were breached and encrypted, but rather the company’s information technology (IT) systems.
With its IT systems, which are linked to its operational systems, offline and with no way to be sure the intrusion had been contained, Colonial Pipeline likely found itself blind to some aspects of its operational systems and was forced to shut down the pipeline until the threat was resolved.
Think of it as driving a vehicle without being able to reach the controls, monitor your speed or direction, or see what’s in front of you. That’s not good, and the best thing you can do is stop the car, put it in park, and call a mechanic (or, in this case, an incident response and forensic cybersecurity firm).
The Weakest Link Takes Down the Entire System
In a sense, the compromise of an IT system that supports an operational system is a variation of the weakest-link attack, in which a threat actor gains access to an organization’s digital infrastructure by targeting the least secure or most vulnerable component in the ecosystem, often a partner’s less secure infrastructure.
Having penetrated the weakest link, attackers can expand their reach laterally into other, better-defended systems up and down the supply chain or distribution network.
This is exactly what happened with Colonial Pipeline, with its IT systems apparently the weakest link. Whether or not DarkSide intended it, the breach exposed a chain of dependencies: a weakness in IT systems disrupted OT systems, and the disruption of the operational systems became a weakness in turn, ultimately disrupting the larger ecosystem, the US energy sector. This highlights the extreme vulnerability of critical infrastructure in the US: by shutting down one component of the supply/distribution system, the attack effectively disrupted the upstream and downstream elements as well. You can’t keep producing product if you can’t get the necessary supplies, or if you can’t move the product into distribution.
Unable to move gasoline, diesel, and jet fuel into Colonial’s distribution pipeline, many refineries were forced to either spin down production or stockpile excess products, including on tanker ships in the Gulf.
This type of disruption, particularly if Colonial hadn’t paid as quickly as it did, could have had a significant effect on upstream (extraction) operations as well as on the larger petrochemical sector, which relies on oil and refinery byproducts as source materials. Even so, the effects of the shutdown, which lasted only five days, are likely to be felt for far longer. Don’t let the idea of “mere days” fool you; the risk from this type of event is still significant.
Massive Systems Fail Spectacularly
Consider the larger cause-and-effect nature of today’s interconnected processes, and the risk of depending on a single core with little redundancy. Limited gasoline supplies have forced distribution truck routes to be reworked. Those same shortages have forced drivers to alter both local and long-distance plans, which in turn has impacted the ancillary industries that rely on or service interstate traffic, and has resulted in a run on what limited supplies existed before the shutdown.
Even the oil tankers that have been rerouted and repurposed (through a Jones Act waiver) will have impacted port activity and potentially slowed distribution of the products they would otherwise be transporting (though not on the scale of the Ever Given’s Suez Canal debacle, which disrupted global shipping and resulted in a new plan to widen the canal).
It’s tempting to think of this disruption as only impacting the energy/fuel industry, but the actual extended impact and risk to individuals and our economy are likely more extensive and subtle than many would expect.
This is Both a Technology AND a Behavioral Issue
Was the Colonial Pipeline ransomware attack a big one? Yes, it was. Does the impact extend beyond the oil and gas industry? Absolutely. And are we still vulnerable to this type of attack? Most definitely, and the potential economic and security risks are only going to increase as other threat actors learn from DarkSide’s attack and replicate or expand (with more devious motives) in the future.
As noted above, this attack doesn’t appear to have been on Colonial’s pipeline itself or on the IoT sensors, industrial control systems, or other operational technologies that keep things flowing. It was on the IT infrastructure: the networking, compute, and storage systems the company relies on for its corporate business. And therein lies the issue. Critical infrastructure should not be this easy to take down, nor should a failure in IT systems be allowed to force the shutdown of OT systems, or vice versa.
Over the past decade, our own research has shown time and time again that one of the most significant barriers organizations face in the implementation of operational technologies is the lack of coordination between OT and IT teams. In fact, it’s not uncommon for operational teams to specify and select the technologies they require but then heavily rely upon IT for implementation and ongoing operational management — sort of a “here’s a new technology we’ve selected for YOU to implement and manage” — approach.
Inevitably, operational technologies, and the massive amounts of sensor, event, and control data they generate, end up woven into IT systems, where operational data can be analyzed and turned into valuable insights for corporate management teams. But IT systems are typically far more exposed to the public internet than operational systems, and when they are compromised, OT systems are also at risk.
What Do IT and OT Leaders Need to Learn from the Colonial Pipeline Attack?
There are many lessons to be learned here, and quickly. Not only do we need to do a better job of securing IT systems, but we need to seriously rethink how OT systems are supported, including a much greater level of coordination between IT and OT teams to ensure both a high level of security and a strong continuity of operations (COOP) process in the event of a system-wide (or IT-only) disruption.
This may require a complete rethink of risk mitigation and of what it means to be secure, the isolation of critical systems that are too big to fail, and the mandatory adoption of a much stronger security posture for critical infrastructure organizations, one that prioritizes security over profit and includes minimum standards with incentives or penalties where warranted.
Is this (about to be) the new normal?
Actively hunting down DarkSide (as the FBI and private firms such as FireEye have acknowledged doing) or placing a bounty on the group (as some have suggested) doesn’t itself get to the root of the Ransomware-as-a-Service risk or the expected growth of this industry (yes, it is an industry).
Further, we’re witnessing the rapid expansion of ransomware offerings beyond data encryption and locking into data theft and data manipulation. Imagine the impact on an organization if its recovered data has been altered and can no longer be trusted. Restoring from backups only helps if the organization can verify that what it restored matches what it backed up.
Should organizations pay the ransom? No business leader or government official wants to take a “pro-pay” stance, but it gets paid often enough that the incentive remains. There’s also the issue of paying not for safer technologies or better business behavior but for cyber insurance, which is another behavior we need to address, since insurance is NOT a long-term solution to the risk and cost of a cyberattack.
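One concrete check that addresses the data-manipulation scenario above is to authenticate the backup set at backup time and verify the restored files against that record before putting them back into production. The following is an added example, not code from the article or from Colonial Pipeline: it builds a manifest of SHA-256 digests, protects the manifest with an HMAC under a key that is assumed to be stored off the backup host, and then reports tampered, missing and planted files in a simulated restore. The file paths, contents and key are all constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed demo key (hypothetical). In practice the key lives offline, e.g. in an
# HSM or a sealed envelope, never on the backup server an intruder can reach.
MANIFEST_KEY = b"demo-key-kept-off-the-backup-host"

# Constructed sample backup set (path -> bytes); not data from the incident.
SAMPLE_BACKUP: Dict[str, bytes] = {
    "scada/export/flow_rates.csv": b"ts,segment,bbl_per_hour\n2021-05-06T23:00Z,S1,104000\n",
    "erp/invoices/2021-05.json": b'{"invoices":[{"id":1,"amount":120000.0}]}',
    "docs/restart_runbook.md": b"# Restart procedure\n1. Verify pressure sensors.\n",
}


def file_digest(data: bytes) -> str:
    """SHA-256 of one file's contents, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    # Canonical JSON so the MAC is stable regardless of dict ordering.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes], key: bytes) -> dict:
    """Hash every file at backup time and authenticate the whole list with an HMAC."""
    entries = {path: file_digest(data) for path, data in files.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_restore(manifest: dict, restored: Dict[str, bytes], key: bytes) -> dict:
    """Check a restored file set against the manifest.

    manifest_ok: the manifest itself is authentic (HMAC verified).
    tampered:    present in both, but the content differs.
    missing:     listed in the manifest but not restored.
    unexpected:  restored but never in the manifest (e.g. planted files).
    """
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected, manifest["hmac"])
    report = {"manifest_ok": manifest_ok, "tampered": [], "missing": [], "unexpected": []}
    if not manifest_ok:
        # An unauthenticated manifest proves nothing; stop before trusting its hashes.
        return report
    for path, digest in sorted(manifest["entries"].items()):
        if path not in restored:
            report["missing"].append(path)
        elif not hmac.compare_digest(file_digest(restored[path]), digest):
            report["tampered"].append(path)
    report["unexpected"] = sorted(p for p in restored if p not in manifest["entries"])
    return report


def restore_is_trustworthy(report: dict) -> bool:
    """Only an authentic manifest with zero deviations should go back into production."""
    return report["manifest_ok"] and not (
        report["tampered"] or report["missing"] or report["unexpected"]
    )


def demo_tampered_restore() -> dict:
    """Simulate an attacker who edits an invoice, deletes the runbook and plants a file."""
    manifest = build_manifest(SAMPLE_BACKUP, MANIFEST_KEY)
    restored = dict(SAMPLE_BACKUP)
    restored["erp/invoices/2021-05.json"] = b'{"invoices":[{"id":1,"amount":12000.0}]}'
    restored["erp/invoices/2021-05-extra.json"] = b'{"invoices":[]}'
    del restored["docs/restart_runbook.md"]
    return verify_restore(manifest, restored, MANIFEST_KEY)


def demo_forged_manifest() -> dict:
    """An attacker who rewrites the manifest hashes but lacks the key is caught by the HMAC."""
    manifest = build_manifest(SAMPLE_BACKUP, MANIFEST_KEY)
    altered = b'{"invoices":[{"id":1,"amount":12000.0}]}'
    forged = {"entries": dict(manifest["entries"]), "hmac": manifest["hmac"]}
    forged["entries"]["erp/invoices/2021-05.json"] = file_digest(altered)
    restored = dict(SAMPLE_BACKUP)
    restored["erp/invoices/2021-05.json"] = altered
    return verify_restore(forged, restored, MANIFEST_KEY)


if __name__ == "__main__":
    print(json.dumps(demo_tampered_restore(), indent=2))
    print(json.dumps(demo_forged_manifest(), indent=2))
```

The design point is that plain hashes stored next to the backups are not enough: an attacker who can rewrite the data can rewrite the hash list too. The HMAC ties the list to a key the attacker should not have, so a forged manifest fails the first check and the restore stops before any per-file comparison is trusted.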
My colleague Shelly Kramer and I dug even deeper into this topic during our Cybersecurity Shorts series on the Futurum Tech Webcast this past week. If you’d like to watch or listen, you’ll find it here:
And if you’d like to watch or listen to the entire Cybersecurity Shorts episode, you’ll find it here:
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Shelly Kramer: And, with that, we’re going to pivot a little bit, we’re going to move on from Colonial Pipeline, and we’re going to talk about DarkSide, and ransomware as a service offering by DarkSide.
It’s interesting, because DarkSide is a threat actor group, and they’re kind of a small group in the big scheme of threat actors out there. And, they are in the money business, they’re only after profit, they have a ransomware as a service offering that’s available on their website. It’s available probably through the dark web, I would imagine. So, a hacker that’s part of the DarkSide group can go in and say, “I want to target such and such an organization, and I want to buy this ransomware as a service offering from DarkSide.” And, DarkSide, as you said, they’re a business, they have employees, they have operating expenses. They are a for-profit business, and this is part of what they sell, ransomware as a service.
And, when this attack happened, DarkSide came out and said, “Our bad, we’re just in this for the money, we never had any intention of handicapping a nation’s infrastructure. We’ll do a better job of vetting our customers in the future.” And, following the attack, DarkSide actually said, and this is a quote from something they published, “From today, we introduce moderation and check each company that our partners want to encrypt, to avoid social consequences in the future.” So, it was indeed a very big, “Oops”. I think that you mentioned that Colonial supplies about 45% of the liquid fuel used in the South, in the Eastern US, so this was a very critical piece of infrastructure, and a pretty big hack.
But, the thing that was interesting to me here… And as I said, DarkSide is kind of a small player in the ransom industry as a whole, there are much bigger organizations out there. What DarkSide does, and as I’ve mentioned they’re not the only ones to offer ransomware as a service, is rent out their malware to other hackers who then launch the attacks. And… I cannot remember, I had some information on another group that’s actually bigger, but I can’t remember the name of it.
Fred McClimans: REvil.
Shelly Kramer: That’s it, REvil, absolutely.
Fred McClimans: Yeah, precursor to DarkSide. They share some commonalities in their code.
Shelly Kramer: They do. So, I don’t think that people realize that just like all of us, our companies utilize various service offerings all the time, you can also buy ransomware as a service offering. And, that is kind of a big deal.
Fred McClimans: It is. It’s a huge deal.
Shelly Kramer: It is a huge deal.