Colonial Pipeline attack has implications for Australia
A disruptive ransomware attack reported on Saturday against Colonial Pipeline, the US East Coast’s largest distributor of refined fuels (gasoline, diesel and jet fuel), continues and is already disrupting fuel delivery, pushing up fuel prices for consumers.
The FBI has confirmed that DarkSide, a Russian cybercrime gang, is responsible for the attack. DarkSide is alleged to have been involved in other attacks against US companies since it surfaced last August, but this is the first known attack to impact a US-based critical infrastructure provider and interrupt its services.
Colonial Pipeline published a statement confirming a ransomware attack against its IT systems, and that it “proactively” took its systems offline in order to contain the threat. As of Sunday, Colonial Pipeline said it was working on a restart plan, and lateral lines between terminals and delivery points were operational; all four of its main lines were still down.
“Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimise disruption to our customers and those who rely on Colonial Pipeline,” the company said in its prepared statement.
Precious few details have been made available by Colonial Pipeline, which at first acknowledged only a cyber attack against its IT systems before updating its statement to confirm a ransomware attack.
Ransomware is a scourge to enterprises worldwide. These attacks are largely opportunistic, but a growing number of them target specific high-value companies across industries. Ransomware recovery costs, meanwhile, have more than doubled in the past year to nearly US$2 million on average per incident, according to security company Sophos.
DarkSide, meanwhile, has been carrying out high-value, targeted ransomware attacks. The group not only encrypts critical systems, but also steals data before locking down servers. It has netted millions through its own attacks and through affiliate partnerships with other ransomware outfits, according to published reports. Those reports paint DarkSide as a gang that seeks out only victims capable of paying exorbitant ransom demands. The group reportedly does not target healthcare organisations, education or government agencies. It extorts victims by threatening to publish data stolen in the attack if the ransom demand is not met.
It should be noted that attribution in cyber attacks is often a challenge. Investigators attempt to match the tactics, techniques and procedures (TTPs) uncovered during forensic investigation to specific threat actors. Because attackers share and resell malware, exploits and other artefacts, however, the same fingerprint can point to more than one group, making attribution a less-than-exact science.
This is the most impactful known attack against US critical infrastructure to date. The longer the shutdown continues, the greater the disruption to fuel delivery on the East Coast, with gasoline and home heating oil prices expected to rise, putting further stress on the sector. CNBC reports that gasoline futures are up 1.28% and heating oil futures up 0.73%; West Texas Intermediate crude futures, the US oil benchmark, are already up 61 cents, CNBC said. A shutdown of 10 days or longer, for example, would force refineries to slow production and would impact prices and profits industry-wide.
Advice for the Australian sector
It’s unknown how Colonial Pipeline’s network was initially breached. Ransomware attacks are increasing in sophistication; some threat actors rely on phishing emails to lure victims to sites hosting a malware download that infects workstations or servers with ransomware. Other intrusions begin with exploitation of vulnerable internet-facing software or with stolen credentials, either of which gives an attacker a foothold from which to reach critical systems.
DarkSide has been known to target domain credentials, an effective and dangerous tactic associated with what Microsoft calls human-operated ransomware attacks. The hallmark of such attacks is an interactive operator moving laterally through the network, harvesting credentials and data along the way, until domain administrator credentials are obtained. An attacker holding Active Directory domain administrator credentials has admin-level privileges across every domain-joined server and workstation, as well as over service accounts.
Such a privileged attacker has the run of any system on the domain, able to access critical databases and to drop further tooling or malware such as ransomware. Many ransomware attacks have turned into full-blown extortion, with threat actors stealing data and threatening to leak sensitive company documents online if ransom demands are not met. This is also a DarkSide TTP.
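The lateral-movement phase described above leaves a detectable trace: one account authenticating to many distinct hosts within a short window. The following is an added example, not code from the article or from Claroty, that runs that check over a constructed, simplified rendering of Windows Security event 4624 (successful logon). The account names, hostnames, addresses, the 30-minute window and the five-host threshold are all assumptions for the demonstration; the allowlist exists because vulnerability scanners and backup accounts legitimately fan out the same way.

```python
"""Added example (not from the article or Claroty): flag the lateral-movement
fan-out that marks human-operated ransomware, i.e. one account authenticating
to many distinct hosts within a short window.

Only logon types 3 (network) and 10 (RemoteInteractive/RDP) are considered,
because those are what remote lateral movement produces; an interactive
console logon (type 2) is ignored.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4624 Account=(?P<account>\S+) Source=(?P<src>\S+) "
    r"Target=(?P<target>\S+) LogonType=(?P<ltype>\d+)$"
)
LATERAL_LOGON_TYPES = {"3", "10"}

# Constructed sample, not real telemetry; accounts, hosts and addresses are invented.
SAMPLE_LOGS = r"""
2021-05-07T02:10:05 EventID=4624 Account=CORP\svc_backup Source=10.20.1.15 Target=FS01 LogonType=3
2021-05-07T03:10:07 EventID=4624 Account=CORP\svc_backup Source=10.20.1.15 Target=FS02 LogonType=3
2021-05-07T03:30:00 EventID=4624 Account=CORP\jsmith Source=10.20.5.77 Target=WS-ACCT02 LogonType=2
2021-05-07T03:41:12 EventID=4624 Account=CORP\jsmith Source=10.20.5.77 Target=WS-ACCT02 LogonType=10
2021-05-07T03:42:30 EventID=4624 Account=CORP\jsmith Source=10.20.5.77 Target=FS01 LogonType=3
2021-05-07T03:43:01 EventID=4624 Account=CORP\jsmith Source=10.20.5.77 Target=SQL01 LogonType=3
2021-05-07T03:44:48 EventID=4624 Account=CORP\jsmith Source=10.20.5.77 Target=DC01 LogonType=3
2021-05-07T03:46:19 EventID=4624 Account=CORP\jsmith Source=10.20.5.77 Target=HISTORIAN01 LogonType=3
2021-05-07T03:47:02 EventID=4624 Account=CORP\jsmith Source=10.20.5.77 Target=WS-ENG04 LogonType=3
2021-05-07T04:00:00 EventID=4624 Account=CORP\svc_vscan Source=10.20.9.9 Target=FS01 LogonType=3
2021-05-07T04:00:01 EventID=4624 Account=CORP\svc_vscan Source=10.20.9.9 Target=FS02 LogonType=3
2021-05-07T04:00:02 EventID=4624 Account=CORP\svc_vscan Source=10.20.9.9 Target=SQL01 LogonType=3
2021-05-07T04:00:03 EventID=4624 Account=CORP\svc_vscan Source=10.20.9.9 Target=DC01 LogonType=3
2021-05-07T04:00:04 EventID=4624 Account=CORP\svc_vscan Source=10.20.9.9 Target=WS-ENG04 LogonType=3
"""


def parse_events(text):
    """Return (timestamp, account, source, target) for each lateral-type logon line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["ltype"] not in LATERAL_LOGON_TYPES:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["account"], m["src"], m["target"]))
    return events


def find_fan_out(events, window=timedelta(minutes=30), threshold=5, allowlist=frozenset()):
    """Per account, slide a time window over its logons and alert when the number of
    distinct target hosts inside one window reaches the threshold. Returns a dict keyed
    by account with the widest window found for that account."""
    by_account = defaultdict(list)
    for ts, acct, src, tgt in events:
        if acct not in allowlist:
            by_account[acct].append((ts, src, tgt))
    alerts = {}
    for acct, rows in by_account.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            hosts = {tgt for _, _, tgt in span}
            if len(hosts) >= threshold:
                prev = alerts.get(acct)
                if prev is None or len(hosts) > len(prev["hosts"]):
                    alerts[acct] = {
                        "first": rows[start][0],
                        "last": rows[end][0],
                        "sources": sorted({s for _, s, _ in span}),
                        "hosts": sorted(hosts),
                    }
    return alerts


if __name__ == "__main__":
    found = find_fan_out(parse_events(SAMPLE_LOGS), allowlist={r"CORP\svc_vscan"})
    for acct, a in found.items():
        print(f"{acct}: {len(a['hosts'])} hosts from {a['sources']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}: {a['hosts']}")
```

In the sample, the backup account touches two file servers an hour apart and is not flagged; the jsmith account reaches six hosts, including a domain controller and an OT historian, inside six minutes and is. Run without the allowlist, the scanner account also trips the rule, which is the tuning decision a SOC has to make explicitly rather than by raising the threshold until the alert goes quiet.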
Within operational technology (OT) environments, such as those in oil and gas and other critical infrastructure, legacy equipment is frequently front and centre. While these systems are old, they are reliable, and they deliver the availability and safety prized in industrial operations. As more OT networks and industrial control systems (ICS) are converged with IT systems and managed centrally, critical systems that were once air-gapped now have some exposure to the internet. A vulnerable legacy Windows system overseeing industrial processes may now be reachable from the business network, and through it from the internet, unless it is properly configured and segmented.
Further complicating matters is the fact that some of this obsolete technology cannot be patched, and all too often it is maintained by engineering staff who are not as security-savvy as they need to be to keep attackers at bay. The result is that cybersecurity risk exceeds acceptable tolerances, and in some cases organisations are blind to the risk altogether.
One additional risk factor for pipelines is that they are highly distributed environments, and the tools used to give asset operators remote connectivity are optimised for easy access rather than security, giving attackers opportunities to slip past cyber defences.
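The segmentation and remote-access exposure described in the three paragraphs above is something a firewall rule export can be checked for mechanically. Below is an added example, not code from the article or from Claroty, that audits a constructed IT-to-OT rule set for allow rules that let business or internet sources reach OT hosts directly on remote-access or ICS protocol ports. The address ranges, the jump host, the rule format and the port list are assumptions for the demonstration; the weak rule set is shown beside a hardened one that funnels remote access through the jump host.

```python
"""Added example (not from the article or Claroty): audit IT-to-OT firewall rules
for business or internet sources allowed straight through to OT hosts on
remote-access or ICS ports. Ranges, jump host and rule format are assumptions."""
import ipaddress

OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]   # assumed OT/ICS range
JUMP_HOSTS = [ipaddress.ip_network("10.10.8.5/32")]    # assumed hardened, MFA-protected jump host
RISKY_PORTS = {                                        # remote access and common ICS protocols
    3389: "RDP", 5900: "VNC", 445: "SMB", 22: "SSH",
    502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP",
}

# Constructed rule sets, not taken from any real firewall.
WEAK_RULES = [
    {"name": "biz-to-ot-any", "src": "10.10.0.0/16", "dst": "10.50.0.0/16", "port": "any", "action": "allow"},
    {"name": "vendor-vnc", "src": "0.0.0.0/0", "dst": "10.50.3.20/32", "port": 5900, "action": "allow"},
    {"name": "historian-modbus", "src": "10.50.1.10/32", "dst": "10.50.2.0/24", "port": 502, "action": "allow"},
    {"name": "biz-to-historian-https", "src": "10.10.0.0/16", "dst": "10.50.1.10/32", "port": 443, "action": "allow"},
    {"name": "deny-all", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any", "action": "deny"},
]
HARDENED_RULES = [
    {"name": "jump-to-ot-rdp", "src": "10.10.8.5/32", "dst": "10.50.0.0/16", "port": 3389, "action": "allow"},
    {"name": "historian-modbus", "src": "10.50.1.10/32", "dst": "10.50.2.0/24", "port": 502, "action": "allow"},
    {"name": "biz-to-historian-https", "src": "10.10.0.0/16", "dst": "10.50.1.10/32", "port": 443, "action": "allow"},
    {"name": "deny-all", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any", "action": "deny"},
]


def _within(net, nets):
    """True if net lies entirely inside one of nets."""
    return any(net.subnet_of(n) for n in nets)


def audit(rules, ot_nets=OT_NETWORKS, jump_hosts=JUMP_HOSTS, risky=RISKY_PORTS):
    """Return findings for allow rules whose source is outside OT and outside the jump
    hosts, whose destination overlaps OT, and whose port is 'any' or a risky port."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src = ipaddress.ip_network(r["src"])
        dst = ipaddress.ip_network(r["dst"])
        if not any(dst.overlaps(n) for n in ot_nets):
            continue                                    # does not reach OT at all
        if _within(src, ot_nets) or _within(src, jump_hosts):
            continue                                    # OT-internal, or via the jump host
        port = r["port"]
        if port == "any":
            findings.append({"rule": r["name"], "reason": f"{src} reaches OT {dst} on any port"})
        elif port in risky:
            findings.append({"rule": r["name"],
                             "reason": f"{src} reaches OT {dst} on {risky[port]} ({port})"})
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        found = audit(rules)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f['rule']}: {f['reason']}")
```

The business-to-historian HTTPS rule is deliberately left unflagged in both sets: read-only access to a historian is the usual reason IT needs to touch OT at all, and the point of the check is the blanket "any port" rule and the vendor VNC rule open to the whole internet, both of which the hardened set replaces with RDP from a single jump host.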
Among critical-infrastructure sectors, energy is especially at risk. Claroty’s researchers have found that the energy sector is one of the most highly impacted by ICS vulnerabilities, and it experienced a 74% increase in ICS vulnerabilities disclosed during the second half (2H) of 2020 compared to 2H 2018.
The Biden administration, meanwhile, has begun pressing government and critical-infrastructure operators to improve cybersecurity within electricity utilities, recently announcing a 100-day push to begin this process. The incentive-heavy plan has a large focus on locking down the supply chain and shoring up vulnerabilities in critical infrastructure. Given that much of the critical infrastructure in the US is privately owned, these types of public–private partnerships are going to be crucial to closing any security gaps.
Cybercriminal group takes large toll on major US infrastructure using ransomware.