Colonial Pipeline Ransomware Attack: Everything You Need To Know

The real-world consequences of a successful cyberattack have been clearly highlighted this week with the closure of one of the US’ largest pipelines due to ransomware. 

Here’s everything we know so far. 

On Friday, May 7, Colonial Pipeline said that a cyberattack had forced the company to proactively close down operations and freeze IT systems. 

This measure “temporarily halted all pipeline operations” and cybersecurity firm FireEye, which operates the Mandiant cyberforensics team, was reportedly pulled in to assist. 

What is Colonial Pipeline?

Founded in 1962 and headquartered in Alpharetta, Georgia, privately-held Colonial Pipeline is one of the largest pipeline operators in the United States and provides roughly 45% of the East Coast’s fuel, including gasoline, diesel, home heating oil, jet fuel, and military supplies. 

The company says that it transports over 100 million gallons of fuel daily across an area spanning Texas to New York.

How did the Colonial Pipeline ransomware attack happen?

There are few concrete details on how the cyberattack took place, and it is likely that this will not change until Colonial Pipeline and the third-party company brought in to investigate have concluded their analysis of the incident. 

However, what appears to have happened is a ransomware outbreak, linked to the DarkSide group, that struck Colonial Pipeline’s networks. 

The oil giant said it “proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems.”

Colonial Pipeline’s latest update, published on Monday 10, said that remediation is ongoing and each system is being worked on in an “incremental approach.”

“This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week,” the company added. 

In a further update, Colonial Pipeline said that one line is operating under manual control while supplies of gas are “available.”

“While our main lines continue to be offline, some smaller lateral lines between terminals and delivery points are now operational as well. We continue to evaluate product inventory in storage tanks at our facilities and others along our system and are working with our shippers to move this product to terminals for local delivery.”

Why does the Colonial Pipeline ransomware attack matter?

As shown in the company’s operations map, by taking out the systems supporting and managing pipeline operation and fuel distribution, vast swathes of the US have been impacted. 

At the time of the attack, supply shortage concerns prompted gasoline futures to reach their highest level in three years. Demand has risen, but drivers are being urged not to panic buy, as this could impact prices, which have already increased by six cents per gallon in the past week due to the pipeline disruption. 

With normal operations not expected to resume until, at best, the end of the week, we are likely to see fluctuations — and potentially further price increases — in fuel supplies across impacted areas in the US. 

US President Biden has also been briefed on the event. If anything highlights just how serious a cyberattack has become, it is this. 

Will there be gas shortages?

Late Tuesday evening, White House press secretary Jen Psaki said the US government is “monitoring supply shortages in parts of the Southeast,” as reported by The Independent, and “are evaluating every action the Administration can take to mitigate the impact as much as possible.”

In other words, it is possible. Disruption to the supply lines for potentially a full week, or more, could lead to supply problems for consumers, aviation, and the military — especially if the security incident incites the former to panic-buy. Some gas stations have already begun running dry. 

Have any agencies become involved?

FMCSA

To keep supplies flowing, the USDOT Federal Motor Carrier Safety Administration (FMCSA) issued a Regional Emergency Declaration on Sunday 9, easing standard restrictions on the land transport of fuel and the permissible working hours of drivers. 

“FMCSA is issuing a temporary hours of service exemption that applies to those transporting gasoline, diesel, jet fuel and other refined petroleum products to Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia,” the agency said.

The FBI

The US Federal Bureau of Investigation (FBI) is also aware of the incident. On May 10, the law enforcement agency said:

“The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation.”

Who is DarkSide?

DarkSide is a Ransomware-as-a-Service (RaaS) group that offers its own brand of malware to customers on a subscription basis. The ransomware is currently in version 2. 

According to IBM X-Force, the malware, once deployed, steals data, encrypts systems using the Salsa20 and RSA-1024 encryption algorithms, and executes an encoded PowerShell command to delete volume shadow copies.
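For defenders, the encoded PowerShell step described above can be hunted in process-creation logs. The following is an added example, not code from ZDNet, IBM X-Force or any vendor named here: it decodes Base64 `-EncodedCommand` arguments and flags scripts that delete shadow copies. The event layout, host names and sample command lines are constructed for illustration.

```python
import base64
import re

# PowerShell accepts -e, -ec and any prefix of -EncodedCommand starting "-en".
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})")
# Common ways a script refers to shadow copy deletion (detection patterns).
SHADOW_DELETE = re.compile(
    r"(?is)win32_shadowcopy.*delete|vssadmin.*delete\s+shadows|shadowcopy\s+delete"
)


def decode_encoded_command(cmdline):
    """Return the decoded script of a PowerShell -EncodedCommand, else None."""
    lowered = cmdline.lower()
    if "powershell" not in lowered and "pwsh" not in lowered:
        return None
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        # The argument is Base64 over UTF-16LE text.
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad Base64 or bytes that are not UTF-16LE
        return None


def find_shadow_copy_deletion(events):
    """Return (host, decoded script) for events whose script deletes shadow copies."""
    hits = []
    for event in events:
        script = decode_encoded_command(event["cmdline"])
        if script and SHADOW_DELETE.search(script):
            hits.append((event["host"], script))
    return hits


def _enc(script):
    """Build a constructed sample argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (hypothetical hosts, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "cmdline": "powershell.exe -NoProfile -enc " + _enc("Get-Date")},
    {"host": "fs-02", "cmdline": "powershell -ep bypass -e "
     + _enc("Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}")},
    {"host": "ws-03", "cmdline": "cmd.exe /c echo hello"},
]

if __name__ == "__main__":
    for host, script in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"ALERT {host}: {script}")
```

Matching on the decoded script rather than the raw command line is what makes this work: the Base64 text itself contains none of the keywords.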

SecureWorks tracks the group as Gold Waterfall and describes it as a Russian-speaking past affiliate of the REvil RaaS operation. 

A decryptor for DarkSide malware on Windows machines was released by Bitdefender in January 2021. In response, the group said the decryptor was based on a key previously purchased and may no longer work as “this problem has been fixed.” 

Update 13.44BST: Bitdefender told ZDNet that the decryption tool, unfortunately, does not work with the latest version of DarkSide malware. 

“We’re constantly working on new versions of our tools as cybercriminals fix vulnerabilities that make decryption possible,” the firm added.

While believed to be relatively new to the ransomware scene, first spotted in the summer of 2020, DarkSide has already created a leak website used in double-extortion campaigns, in which victim companies are not only locked out of their systems, but also have their information stolen. 

If these organizations refuse to pay up, stolen data may be published on the platform and made available to the public. 

DarkSide isn’t content with just making money from ransomware demands, however, as the group has indicated it will happily work with competitors or investors before leaks are published.

“If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares,” the group says. 

Perhaps unusually, however, DarkSide also appears to be trying to cultivate a Robin Hood and good-guy image — stealing from the rich (the so-called ‘big game’ targets) and giving a portion of the criminal proceeds to charity. 

Charities reportedly offered donations in stolen Bitcoin (BTC) have, so far, refused to accept them. 

The RaaS operators have also tried to distance themselves from the incident by vaguely implying it was a customer at fault and that the cyberattack doesn’t fit the DarkSide ethos.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives,” DarkSide said on May 10. “Our goal is to make money, and not creating problems for society. We [will] introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

What happens next?

Because DarkSide is known to double-extort victims, Colonial Pipeline could be the next company to face the threat of a data leak unless it gives in to blackmail and pays the attackers. It may be, however, that DarkSide could choose not to pursue this usual tactic due to the aforementioned “social” problems caused by the ransomware. 

Bloomberg says that during the attack, over 100GB in corporate data was stolen in just two hours. 

As of May 11, Colonial Pipeline has not been added to the DarkSide leak site.  

This appears to be one of the largest and most successful cyberattacks on a critical component of a country’s infrastructure to date — but it is not the first. 

In February, a cyberattacker attempted to add dangerous levels of a chemical to the drinking water system of a city in Florida, and back in 2016, the city of Kiev, in Ukraine, lost all power for an hour due to Industroyer malware.

If the prospect of fuel shortages, the invoking of emergency powers, and the briefing of a president is anything to go by, we may see a more urgent review of cybersecurity procedures and practices in the US soon, and perhaps the implementation of severe punitive actions against companies that do not maintain a strong security posture. 

However, cyberthreats continue to evolve and, either way, this is unlikely to be the last time we see such severe social disruption caused by cyberattackers just in it for the money. 

“This incident is not the first and will definitely not be the last, as US critical infrastructure spans across an entire continent and relies on engineers in remote places to log in and perform maintenance when needed,” Bitdefender commented. “It is common for ransomware operators to probe networks for such points of entry or even to buy phished credentials to remote desktop instances that they can use to mount an attack. Critical infrastructure is becoming increasingly appealing to ransomware operators — particularly those who are involved in Ransomware-as-a-Service schemes.”

Update 11/5 17.05 BST: The company’s website experienced downtime, but Colonial Pipeline insists it is “unrelated to the ransomware.” The firm said on Twitter:

“We are experiencing a temporary service disruption to our corporate website, and unrelated to the ransomware. We continue to make progress on our system restart plan, and will provide an update when our website is restored.”

In a follow-up, the company apologized for the “temporary service disruption.”
