A recap on the Colonial Pipeline ransomware attack

We interrupt this week’s scheduled Q&A on data collection and identification of suspicious activity to talk about the May 7th breach of Colonial Pipeline.

While it’s easy to slip into a mode of fear, uncertainty, and doubt (just take a look at the gas stations on the East Coast), my intent is to provide some knowledge and education around the global threat that is ransomware.

So what exactly happened with Colonial Pipeline?

On May 7th, Colonial Pipeline Co., which delivers roughly 45% of the East Coast’s refined fuel products through its 5,500-mile pipeline, reported that it had been successfully attacked by a Ransomware-as-a-Service (RaaS) group called DarkSide.

RaaS functions much like Software-as-a-Service: the RaaS group develops and maintains the ransomware, and affiliates use it to extort organizations. DarkSide provides the ransomware and the supporting infrastructure, and the affiliates carry out the attacks. Affiliates are usually recruited for their skillsets, or approach the RaaS organization on the strength of their reputation in the market - really, no different from your own hiring practices. Once an attack is successful and the ransom is paid, the RaaS organization pays the affiliates a percentage.

Like most ransomware groups, DarkSide uses a double-extortion method with two prongs (remember those attack vectors we talked about last week?). First, they breach the network and install ransomware on as many systems as possible before being noticed, then encrypt those systems and hold them hostage while demanding the first ransom for a decryption key. In parallel, and in practice usually before the encryption is triggered, the second prong is under way: data is exfiltrated from those systems and assessed for how damaging its release would be. A second ransom is then demanded on the “promise” that the copied data and files will be destroyed. If that ransom is not paid, the data is made public.

Over 100GB of data was successfully exfiltrated during the attack. Although we don’t know how many or what types of systems were affected, we do know that Colonial preemptively shut down its normal Information Technology (IT) systems as well as the Operational Technology (OT) and Industrial Control Systems (ICS) that control the pipeline.

Why did Colonial take their infrastructure offline?

When our COO, Eric Cowperthwaite, analyzed the situation, he brought up a few great points: “I believe they took everything offline because they 1) Didn’t know exactly what was infected and what was clean and 2) Didn’t want any risk of damage, fires, leaks, etc. in the pipelines. This is the very conservative approach and certainly seems to be the correct one and while it did cause a lot of issues on the East Coast, if those systems were compromised, it could have been disastrous on a completely different level.”

It isn’t apparent right now whether Colonial uses a security operations service provider (an MSSP or MDR). A good MDR provider, collecting event data from across the client’s network and analyzing it quickly, can recommend improvements to network security before an attack happens, supply Indicators of Compromise (IoCs) so the client can block known attacks at firewalls and IDS/IPS, see an attack as it happens in near real time, respond in near real time to stop or slow it, and finally support the client through containment and eradication.
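To make the “see the attack as it happens” idea concrete, here is an added illustration (not Milton’s product code, and not DarkSide’s real indicators) of the kind of logic an MDR runs over ingested event data. It looks for the two prongs of the double-extortion pattern described above: bulk outbound transfer from one host to one external destination (exfiltration), and a burst of file renames to a ransom extension on one host (encryption), plus a straight match against an IoC list. The log format, the IoC addresses (RFC 5737 documentation ranges), the `.locked` extension and the thresholds are all constructed assumptions for the demo.

```python
"""Added illustration (not Milton's product code): a toy detector for the
double-extortion pattern over ingested event records, plus IoC matching.
Log format, indicators and thresholds are constructed for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical indicators (RFC 5737 documentation addresses).
IOC_IPS = {"198.51.100.23"}
RANSOM_EXTENSIONS = (".locked",)         # placeholder extension for the demo

EXFIL_THRESHOLD_BYTES = 10 * 1024 ** 3   # 10 GiB from one host to one destination
MASS_RENAME_THRESHOLD = 50               # ransom-extension renames per host ...
WINDOW = timedelta(minutes=5)            # ... inside this sliding window


def parse_event(line):
    """Parse a constructed record: '<ISO timestamp> <host> <type> k=v k=v ...'."""
    ts, host, kind, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "host": host, "type": kind}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect(lines):
    """Return alerts as (kind, host, detail) tuples, at most one per kind and host."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts, seen = [], set()
    outbound = defaultdict(int)      # (host, dst) -> cumulative bytes sent
    renames = defaultdict(list)      # host -> timestamps of ransom-extension renames

    def alert(kind, host, detail):
        if (kind, host) not in seen:  # fire once per kind and host
            seen.add((kind, host))
            alerts.append((kind, host, detail))

    for ev in events:
        if ev["type"] == "netflow":
            dst = ev["dst"]
            if dst in IOC_IPS:
                alert("ioc_match", ev["host"], dst)
            outbound[(ev["host"], dst)] += int(ev["bytes"])
            if outbound[(ev["host"], dst)] >= EXFIL_THRESHOLD_BYTES:
                alert("possible_exfiltration", ev["host"], dst)
        elif (ev["type"] == "file" and ev.get("action") == "rename"
              and ev["path"].endswith(RANSOM_EXTENSIONS)):
            window = renames[ev["host"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > WINDOW:  # drop renames older than WINDOW
                window.pop(0)
            if len(window) >= MASS_RENAME_THRESHOLD:
                alert("mass_encryption", ev["host"], len(window))
    return alerts


def sample_lines():
    """Constructed event stream: a file server streaming 12 GiB to one external
    address, a workstation beaconing to the listed IoC and then renaming 60
    files to the ransom extension in three minutes, and one benign flow."""
    t0 = datetime(2021, 5, 7, 3, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=2)).isoformat()} ws-007 netflow dst=192.0.2.10 bytes=20000"]
    for i in range(12):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} fileserver01 netflow "
                     f"dst=203.0.113.77 bytes={1024 ** 3}")
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()} ws-042 netflow dst=198.51.100.23 bytes=512")
    for i in range(60):
        lines.append(f"{(t0 + timedelta(minutes=30, seconds=3 * i)).isoformat()} ws-042 file "
                     f"action=rename path=C:\\share\\doc{i}.docx.locked")
    return lines


if __name__ == "__main__":
    for kind, host, detail in detect(sample_lines()):
        print(f"{kind:22} {host:14} {detail}")
```

Note the ordering the sample produces: the IoC beacon fires first, the exfiltration alert trips on the tenth 1 GiB flow, and the mass-encryption alert only arrives once the fiftieth rename lands. That is the point of the earlier paragraph: an analyst watching the first two alerts has a window to act before the encryption phase is visible.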

How does ransomware work and could this have been avoided?

Ransomware attacks take advantage of weaknesses in a security program, both human and technical. There are, generally, two attack vectors (there’s that magic word) for ransomware: email phishing, and exploitation of vulnerabilities in the target’s externally reachable technology. Keeping that technology patched makes the second vector much more difficult to pull off. Patching helps less against the first, because a phished password does not need an unpatched system to be useful; that vector calls for awareness training, email filtering and multi-factor authentication alongside the patching.

One of the interesting things about DarkSide is that once the ransom is paid, the victim is promised the decryption keys for the servers, a guarantee that the data will not be released, and a detailed report of the attack: how they gained entry, and tips for improving network security and protecting against other attackers. While Milton doesn’t actively try to prevent ransomware attacks the way an endpoint product such as CrowdStrike does, we do ingest data from all sources within our clients’ networks, so we can “see” the attack happening and help our clients respond in real time. And with our newly announced Expert Services, we can find openings for breaches before they are exploited and suggest improvements - a much cheaper option than a $30M ransomware attack.

If you’re interested in learning more about our work with organizations in the utility industry, feel free to reach out and let us prove our effectiveness with a 15-day complimentary Proof of Value.

Until next week - stay safe!