On 07 May 2021, a ransomware attack impacted the network of the US energy operator Colonial Pipeline, disrupting operations and the wider oil supply chain. Colonial Pipeline distributes almost half of the oil-related fuels on the American East Coast, making this ransomware attack the latest incident targeting critical infrastructure in the United States. The attack also highlights the potential for cybercriminal adversaries to disrupt business processes and impact critical functions.
Digital Shadows (now ReliaQuest) is closely monitoring the developments associated with this cyberattack and will update this blog as new details emerge. For the moment, we will explore what we know so far, review associated security recommendations, and discuss the attribution to DarkSide.
On 07 May 2021, the company learned that it was the victim of a cybersecurity attack, which a Colonial Pipeline press release has since confirmed involved ransomware. The attack happened on a Friday, a typical day for malicious activity, as cybercriminals aim to exploit the weekend, when security teams are not at full capacity. Details about the tactics used by the attackers are still unknown. However, as a result of the ransomware campaign, Colonial temporarily halted all its activities and began working with security and forensic professionals to restore its IT infrastructure.
In the meantime, the US Department of Transportation has released emergency legislation to relax rules on oil transportation by land to mitigate the supply disruptions caused by the ransomware attack. This move comes at a sensitive time to meet fuel demands worldwide and reduce the burden on strained refineries in Texas.
On 10 May 2021, the US Federal Bureau of Investigation issued a statement confirming attribution of the Colonial Pipeline attack to the DarkSide ransomware group. DarkSide emerged back in August 2020 and was created by several ransomware operators who wanted to build the “perfect product” to meet their needs. From a technical standpoint, the malware initially didn’t differ enormously from its counterparts; instead, the group’s corporate-like approach to the ransomware business was, at the time, something unique in the threat landscape.
The known tactics, techniques, and procedures (TTPs) linked with the attack align with what Digital Shadows (now ReliaQuest) previously observed from this ransomware group. Given previous DarkSide operations, it is realistically possible that the attackers gained entry to the Colonial Pipeline networks by buying remote access from Initial Access Brokers (IABs). These middlemen provide ransomware organizations with a rich pool of victims to target. According to our research report Initial Access Brokers: An Excess of Access, Remote Desktop Protocol (RDP) was the most common access vector advertised by IABs in 2020.
Consequently, it is realistically possible that the ransomware group that attacked Colonial Pipeline exploited a similar method to access the targeted environment. Digital Shadows (now ReliaQuest) has previously mapped these campaigns to MITRE; that mapping shows how compromised RDP access helps cybercriminals gain unauthorized entry to systems.
Interestingly enough, on 10 May 2021, DarkSide published a press release on its data leak website claiming that they are not affiliated with any government and are solely financially motivated. This statement comes after increased allegations that this group operates from Russia, an assessment based on DarkSide’s victims’ pool, and some linguistic peculiarities that suggest that its operators are native Russian speakers.
This incident is a topical reminder of the risks connected with business disruption at the level of critical national infrastructure. The increasing convergence of Information Technology (IT) and Operational Technology (OT) can put critical infrastructure at risk of being targeted by malicious cyber actors, both state-sponsored and criminally organized. Evaluating the benefits, risks, and costs associated with connecting OT to the internet should be a key priority for the stakeholders involved. Additionally, employing appropriate preventative measures can go a long way in detecting and mitigating these attacks quickly and accurately.
Some key recommendations include keeping OT systems off the internet and intermittently bringing them online only for critical actions, such as patching and updating. Having a thorough emergency response plan and a trained staff to respond to potential attacks can also significantly impact how these incidents are handled.
Traditional cyber hygiene measures apply too: regularly backing up data, segmenting the network, and implementing multi-factor authentication are some of the key activities security professionals will need to take into account. Additionally, maintaining visibility into the OT environment is critical to detecting, mitigating, and responding to potential threats. See the latest National Security Agency (NSA) advisory for more detailed defensive strategies for connected Operational Technology.
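The segmentation and visibility recommendations above can be turned into a concrete check over RDP logon telemetry, since compromised RDP access is the IAB vector the post singles out. The following is an added example, not code from the original post or from ReliaQuest; it assumes SIEM-exported Windows Security event 4624 records as dicts (LogonType 10 is a RemoteInteractive, i.e. RDP, logon), an assumed OT subnet of 10.20.0.0/16, an assumed `TargetIp` field for the receiving host, and constructed sample records rather than real telemetry.

```python
import ipaddress

# Assumptions for this example (not from the post): corporate space is RFC 1918,
# OT hosts sit in 10.20.0.0/16, and events are dicts shaped like a SIEM export of
# Windows Security event 4624 (LogonType 10 = RemoteInteractive, i.e. RDP).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
RDP_LOGON_TYPE = 10


def _in(ip, nets):
    return any(ip in net for net in nets)


def classify(event):
    """Return an alert reason for one 4624 record, or None if it needs no action."""
    if event.get("EventID") != 4624 or event.get("LogonType") != RDP_LOGON_TYPE:
        return None  # not an RDP logon; other detections cover other logon types
    try:
        src = ipaddress.ip_address(event["IpAddress"])
        dst = ipaddress.ip_address(event["TargetIp"])  # assumed field, see lead-in
    except (KeyError, ValueError):
        return "rdp_event_missing_fields"  # a visibility gap is itself a finding
    if not _in(src, INTERNAL_NETS):
        return "rdp_from_external"  # an RDP endpoint reachable from outside the network
    if _in(dst, OT_NETS) and not _in(src, OT_NETS):
        return "rdp_it_to_ot"  # IT/OT segmentation boundary crossed
    return None


def triage(events):
    """Keep only the records that classify() flagged, paired with their reason."""
    flagged = []
    for e in events:
        reason = classify(e)
        if reason:
            flagged.append((reason, e))
    return flagged


# Constructed sample records (not real telemetry) covering each rule.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.10.5.23", "TargetIp": "10.10.5.40"},   # IT -> IT
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.10.5.23", "TargetIp": "10.20.1.15"},   # IT -> OT
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.5", "TargetIp": "10.20.1.15"},  # external -> OT
    {"EventID": 4624, "LogonType": 3, "IpAddress": "203.0.113.5", "TargetIp": "10.10.5.40"},   # not RDP
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.20.1.9", "TargetIp": "10.20.1.15"},    # OT -> OT
]

if __name__ == "__main__":
    for reason, e in triage(SAMPLE_EVENTS):
        print(f"{reason}: {e['IpAddress']} -> {e['TargetIp']}")
```

In a real deployment the IT-to-OT rule would be scoped to the approved maintenance windows and jump hosts that the post's "bring OT online only for critical actions" guidance implies, so that routine patching sessions do not page the on-call analyst.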
Attacks against critical national infrastructure are among the most pressing cyber threats faced by governments and organizations worldwide. These attacks can potentially have severe effects on a massive number of individuals, businesses, and institutions. Consequently, ensuring early detection and quick remediation of these threats should be a key priority for everyone involved.
The recent attack against the Oldsmar water treatment facility, observed back in April, raised awareness of cyberattacks against critical national infrastructure. In that case, an attacker gained unauthorized access to the facility's systems and attempted to increase the level of sodium hydroxide. Thankfully, existing fail-safes were in place, and the facility's operators reduced levels to normal before the fail-safes had to step in.
The ransomware operation against Colonial Pipeline is another crucial reminder of the potential risks involved with this kind of attack. Luckily, no physical harm was directly caused by this cyber operation; however, the potential for business and energy distribution disruptions is great enough to pose a threat to US national security.
Digital Shadows (now ReliaQuest) will continue to monitor the situation and update this blog as further details are uncovered. In the meantime, you can stay up to date on the latest threat intelligence events by viewing our Cybercrime and Dark Web Research articles.