A ransomware attack on the Colonial Pipeline, a key portion of the fuel-delivery network in the eastern United States, has not only caused concerns about the potential disruption of the fuel supply, but also about the continued willingness of foreign adversaries to target critical infrastructure.
The attack took place on Friday and the company responded by taking some of its IT and physical systems offline, and as a result its main distribution lines are still offline. The FBI is investigating the incident and the White House has formed an interagency task force to handle the response, which is being led by the Department of Energy.
“On May 7, Colonial Pipeline Company learned it was the victim of a cybersecurity attack and has since determined that the incident involved ransomware. Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring,” Colonial Pipeline Company said in a statement.
While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach. This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week.
Ransomware attacks on enterprises in virtually every sector are an everyday occurrence, and the cybercrime groups behind them have shown a willingness to go after whatever targets they believe will be most profitable. During the pandemic, hospitals and health care providers have been frequent targets, as have organizations involved in vaccine research and distribution. State and local government agencies have fallen victim to ransomware, as have dozens of critical infrastructure organizations over the last few years, but the Colonial Pipeline attack is unique in its targeting and its potential disruptive effects.
“It is the largest cyber attack in terms of the energy infrastructure here in the United States and that is very disruptive,” Robert M. Lee, CEO of Dragos, said in an interview on CNN Monday.
On Monday, the FBI said the DarkSide ransomware was the culprit in the Colonial Pipeline attack.
“The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation,” the FBI said.
“If countries aren’t enforcing the rules and making sure they’re taking care of their criminal sector, there is some culpability."
DarkSide is a relatively new ransomware that emerged in 2020 and the actors who deploy it are typically quite organized and use a custom ransomware executable for each victim, according to an analysis by Digital Shadows researchers. Like all ransomware operators, they go where the money and leverage are and they have been quite successful and active in the last year.
“Targeting pipelines and distribution channels like ths attack on the Colonial Pipeline Co. makes sense - ransomware is about extortion and extortion is about pressure. Impacting fuel distribution gets peoples’ attention right away and means there is increased pressure on the responding teams to remediate the impact,” said James Shank, chief architect, community services, for threat intelligence firm Team Cymru, and a member of the Ransomware Task Force.
“Doing so during a time when the pandemic response has created other distribution and supply chain problems, many of which will require timely and efficient distribution of goods, adds to the pressure. This emphasizes the need for a coordinated effort that bridges public and private sector capabilities to protect our national interests. We can not think of these attacks as impacting private companies only - this is an attack on our country’s infrastructure.”
Ransomware has become a national security concern as foreign adversaries have deployed it against both public and private targets, disrupting business and government operations, and now, the Colonial Pipeline attack shows operators are willing to take the attacks wherever they see a potential profit.
“Cybercriminals have been allowed to run amok while governments have mainly watched from the sidelines, unclear on whether cybercrime is a national security level threat. If there was any remaining doubt on that front, let’s dispense with it now. Too many lives are at stake,” Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, said during a congressional hearing on ransomware last week.
The response from the federal government to the Colonial Pipeline attack will be an interesting test case. In the past, the Department of Justice and Department of the Treasury have issued indictments and financial sanctions against individuals and groups involved in ransomware operations, but those have been in response to cumulative campaigns, not discrete incidents.
“If countries aren’t enforcing the rules and making sure they’re taking care of their criminal sector, there is some culpability,” Lee said.
“There is that symbiotic relationship that the U.S. government would be appropriate to take a look at.”