The cyber attack on the Colonial Pipeline indicative of a ransomware attack and has since been described as the most significant and successful attack on US Energy Infrastructure to date.
Its immediate target was Colonial’s business computer systems and is expected to delay the supply of product to the Eastern Coast of the United States for a week at this early stage.
- Register your interest for our senior executive lunch: Translating cyber risk into business impact for boards (No IT Vendors or consultants, please)
Colonial Pipeline operates approximately 8,000 kilometres of pipeline, and transports approximately 100 million gallons of fuel per day. The pipeline extends across 14 states and services seven airports. It is considered as the main fuel supply line to the East Coast.
Currently reports indicate that U.S. gasoline future jumped more than 3 percent to US$2.217 per gallon, the highest in 2 years, as trading opened earlier this week. Brent Crude was up by US76 cents, 1.1%, at US$69.04 per barrel by midnight last Monday. U.S. West Texas Intermediate futures rose by US70 cents, 1.1%, at US65.60 per barrel.
The delays for Colonial are expected to last at least a week, according to the company.
The attack was alleged to have been an act performed by the DarkSide Cyber Criminal Group, known and subject to current FBI investigations. The FBI is now investigating this latest incident.
The anatomy of attack indicates it was sophisticated, highly targeted, and the techniques deployed were able to defeat the existing security controls.
Cyber Security firm FireEye has been engaged to conduct post incident response and investigation with the intent to assist Colonial in restoring critical systems and resume activities. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) and the Transportation Security Administration are involved in the investigation.
The immediate effects experienced by Colonial were a forced shut-down of their Administrative Network, causing disruption and isolation of affected systems hit with the ransomware.
It is anticipated that there will be a 5-day shutdown resulting in limitation to supply of jet fuel required by the major airports. The Department of Energy is monitoring the potential impacts to the nation’s energy supply. Additional delays in delivery could see outages at fuel terminals and flow on effects to suppliers and consumers.
In a statement Colonial said they shut down the the pipelines as a precaution. This action would enable the necessary incident response mechanisms and procedures to be activated and specialist teams deployed to identify key areas affected, contain the spread and impact of the attack, and to rollout additional safeguards and counter measures.
The incident has been identified as a criminal attack and primary focus is on the group known as Darkside.
The DarkSide ransomware attack campaigns are recognisable for their use of stealthy techniques, especially in the early stages. The group conducts careful reconnaissance and takes steps to ensure that their attack tools and techniques can evade detection on monitored devices and endpoints.
While their initial entry vectors vary, their techniques are more standardised once inside, and their endgame is sophisticated and efficient according to Varonis, a Data Security & Insider Threat Detection company
DarkSide’s aim is to deliver a range of negative business impacts including; Financial loss, Unintended Access, Brand or Image Degradation, Data Breach Compromise, Unauthorised Access, Theft, User Data Loss, Brand Damage, and ultimately to extort a ransom.
Its operators customise the ransomware executable for a specific company they are attacking, indicating that they customise each attack for maximum effectiveness. The ransomware executes a PowerShell command that deletes Shadow Volume Copies on the system. DarkSide then proceeds to terminate various databases, applications, and mail clients to prepare for encryption.
The significance of this attack weighs on two key factors. The first being an attack directly targeting Energy Critical Infrastructure, a target of high value and strategic importance to the nation, and the second, the nature and style of the attack indicates a persistent rise in the threat of ransomware being used to target US Infrastructure and Government facilities and services.
Opinions expressed by senior government officials suggest inadequate preparation and attention towards hardening of critical infrastructure against these types of attacks. Insiders believe another problem was a significant resourcing of personnel in the Transport Security Administration to attend to the problem and to scale upwards to the growing threat and its sophisticated activities.
The immediate pressure to the Biden Government is to escalate debate and settle on achievable funding towards cyber security. The growing trends of cyber-attack targeting indicate that the nation’s critical energy networks and systems are subject to an increasing range of threats from cyber-attacks.
The US Government has declared a state of emergency over the weekend in response to the attack and it’s effects upon crucial supply of fuel throughout its networks.
The declaration is destined to support emergency conditions creating a need for immediate transportation of gasoline, diesel, jet fuel, and other refined products and to provide relief.
The FBI have confirmed that the compromise of the Colonial Pipeline was made responsible by the Darkside ransomware gang which they know to be based in Russia. The FBI at this stage is not reporting indications that the gang acted on behalf of the Russian government.
US Intelligence will continue to explore any ties to nation-state actors as stated by the US Deputy National Security Advisor, Anne Neuberger, on Monday at the White House to reporters.
Image credit: Photo by Rodion Kutsaev on Unsplash