Ransomware attack results in the shutdown of the Colonial Pipeline

2021-06-15

The cyberattack that at the beginning of May targeted and caused the shutdown of the Colonial Pipeline, the largest fuel pipeline in the US, was a powerful example of the threat posed by the rising number of ransomware attacks, and the detrimental effect they can have not only on businesses but on national critical infrastructure.

The attack

The cyberattack was first discovered on May 7th, just before 5:30 am, when a control room employee came across a ransom note explaining that hackers had exfiltrated and encrypted 100 gigabytes of material from Colonial’s shared internal drive, and were now demanding a payment of $4.4 million (75 Bitcoins) to obtain the decryption key. By 6:10 am the entire pipeline had been shut down in order to contain the attack and prevent it from spreading to other parts of the network, especially the pipeline’s operational controls. This was the first time the pipeline had been shut down entirely in its 57-year history. While some smaller lateral lines remained operational, the main lines were kept offline, halting the delivery of supplies for almost a week. Considering that Colonial Pipeline provides almost 45% of the East Coast’s fuel, transporting over 100 million gallons of fuel per day, the halt in operations affected vast areas of the US. Following the attack, concerns over fuel shortages led to panic-buying by citizens, which resulted in significantly higher fuel prices, in addition to long queues and shortages at gas stations from Washington DC to Florida.

It appears that the hackers had already gained access to Colonial Pipeline’s network on April 29th through a virtual private network, using a single compromised password for an account that was no longer in use but could still be used to access the network. The cybersecurity consultants investigating the cyberattack later found this password in a collection of compromised passwords, suggesting that a Colonial employee might have reused the same password on a different account that ended up being hacked. It appears that the Colonial account did not use multifactor authentication, which the company currently uses as a standard in most of its operations. The cybersecurity firm performed an exhaustive search to discover how far into the network the hackers had pushed, and how close they got to compromising the system of computers that controls the flow of gasoline across the pipeline. While it appears that the hackers managed to access the company’s information technology network, there is no evidence that critical systems were breached. With the help of the cybersecurity firm, Colonial added new detection tools to monitor for unauthorised access and alert the company in the event of a new attack. There is no evidence of the presence of hackers in the network prior to April 29th, and no evidence to suggest the hackers tried to regain access following the first successful attack. After the appropriate checks were carried out, both on the computer networks and on the physical structure of the pipeline, the latter was reopened on 10th May, although the full delivery schedule did not resume immediately.
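The access path described above (a dormant VPN account without multifactor authentication, whose password turned up in a collection of leaked credentials) points to two defender-side checks: an inventory audit and a login detection rule built on the same risk test. The Python below is an added example, not code from the article or from Colonial’s investigators; the account names, password hashes, addresses and login events are all constructed for illustration.

```python
from datetime import date
import hashlib

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed VPN account inventory (invented for this example): username,
# last successful login, whether MFA is enforced, hash of the current password.
ACCOUNTS = [
    {"user": "ops-alice", "last_login": date(2021, 4, 25), "mfa": True, "pw_hash": sha256("correct horse battery staple")},
    {"user": "legacy-vpn", "last_login": date(2020, 9, 1), "mfa": False, "pw_hash": sha256("Spring2020!")},
    {"user": "contractor7", "last_login": date(2021, 4, 28), "mfa": False, "pw_hash": sha256("Welcome1")},
]

# Constructed stand-in for a leaked-credential collection, kept as hashes so the audit never needs cleartext.
BREACHED_HASHES = {sha256("Spring2020!"), sha256("Welcome1"), sha256("password123")}

# Constructed VPN login events (RFC 5737 documentation addresses) and the audit date.
EVENTS = [
    {"time": date(2021, 4, 29), "user": "legacy-vpn", "src": "198.51.100.7"},
    {"time": date(2021, 4, 29), "user": "ops-alice", "src": "203.0.113.5"},
]
AUDIT_DATE = date(2021, 4, 29)

def account_risks(acct, as_of, breached, dormant_days=90):
    """Reasons an account is risky as of a given date: dormant, no MFA, leaked password."""
    reasons = []
    if (as_of - acct["last_login"]).days > dormant_days:
        reasons.append("dormant")
    if not acct["mfa"]:
        reasons.append("no-mfa")
    if acct["pw_hash"] in breached:
        reasons.append("breached-password")
    return reasons

def audit_accounts(accounts, breached, today):
    """Inventory hygiene check: every account with at least one risk, with its reasons."""
    findings = {a["user"]: account_risks(a, today, breached) for a in accounts}
    return {user: reasons for user, reasons in findings.items() if reasons}

def flag_logins(events, accounts, breached):
    """Detection rule: a successful VPN login on a risky (or unknown) account is alert-worthy."""
    by_user = {a["user"]: a for a in accounts}
    alerts = {}
    for ev in events:
        acct = by_user.get(ev["user"])
        # Evaluate risk against the account state just before this login, so a
        # login on a long-dormant account is caught rather than refreshed away.
        reasons = ["unknown-account"] if acct is None else account_risks(acct, ev["time"], breached)
        if reasons:
            alerts[ev["user"]] = (ev["src"], reasons)
    return alerts
```

Disabling dormant accounts found by the audit removes the access path entirely; the login rule covers the window before that clean-up happens.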

DarkSide

The investigation carried out by the cybersecurity firms partnered with Colonial led to the discovery of the threat actor responsible, later officially confirmed by the FBI as the cybercriminal group DarkSide. Cybersecurity researchers have been aware of the group for some time, and speculate that the cybercriminals could be Russian, as they have not previously targeted companies in Russian-speaking countries, and as their software does not encrypt computer systems whose language is set to Russian. DarkSide was first spotted in August 2020, when the group announced its new ransomware operation on its domain in the Tor network. In this press release, the cybercriminal group disclosed that this was not its first criminal operation, as it had previously worked with other partners. DarkSide is one of the latest examples of ransomware-as-a-service, a business model in which the developers of the ransomware lease the malware to affiliates, who then carry out attacks with it and pay part of their earnings to the developers. In their press release DarkSide announced their ethical principles, stating that their operations would never target critical bodies such as governments, hospitals, schools, non-profit organisations and funeral services. It added that the targets of their attacks are specifically selected to ensure they have the financial capability to pay the ransom, the price of which is also set depending on what the targeted company can afford. The cybercriminal group also acts like a corporation: in addition to press releases, it offers customer support to affiliates using its malware, and even offers support to ransomware victims should they have questions. In its ransomware operations, the group not only encrypts the target’s information but harvests it as well, as a form of double extortion. If the victimised organisation refuses to pay the ransom, not only will it not obtain the key to decrypt its files, but the stolen information will also be published on the group’s leak website for everyone to see.

The aftermath of the attack

Following the cyberattack, DarkSide released a statement acknowledging its involvement in the attack, and assuring that more caution would be used in the future when its affiliates select their targets, in order to minimise social consequences. The operators also highlighted that their cybercriminal group is apolitical and not tied to any government, and that their sole motivation is financial.

On 8th June Colonial Pipeline’s CEO appeared in front of a Senate committee to recount the first hours of the cyberattack, and to explain how the company responded. Joseph Blount confirmed that the attack was first discovered on May 7th when an employee found the ransom note, and that the decision was made to take the pipeline offline in order to contain and isolate the attack. The CEO confirmed to the Senate Homeland Security committee that the cybercriminals’ access vector was a VPN account no longer in use and not protected by multifactor authentication. It was also confirmed that the $4.4 million ransom was paid to the cybercriminal group the day after the attack, in order to obtain the decryption key and make the pipeline operative as soon as possible. FBI officials have long tried to discourage ransomware victims from paying cybercriminals, as this makes the crime profitable and leads to a higher number of attacks. However, ransomware payments have yet to be banned, as the FBI fears that such a ban would not have a significant effect and would lead to lower rates of reporting of cyberattacks by victims.

The day before Colonial’s CEO appeared in front of the committee, the FBI announced it had identified the virtual currency wallet belonging to DarkSide, which contained Colonial’s ransom payment. The FBI was able to seize the money via a court order, and recover 63 of the 75 Bitcoins originally paid. Considering the significant decrease in the value of Bitcoin since the payment, the amount recovered is currently worth around $2.26 million. The FBI declined to discuss in detail how it was able to access the virtual wallet.

The cyberattack brought new attention to the threat posed by ransomware. President Joe Biden stated there is no evidence that the attack was sponsored by the Russian government, suggesting that DarkSide’s claim of being an apolitical group might be truthful. The Biden administration is currently putting a higher degree of pressure on the private sector to upgrade their cybersecurity protocols, and is debating how to respond to the growing use of cryptocurrency in financial crimes.
