On 07 May 2021, a ransomware attack impacted the network of the US energy operator Colonial Pipeline disrupting operations and the wider oil supply chain.  Colonial Pipeline distributes almost half of the oil-related fuels on the American East Coast, making this ransomware attack the latest incident targeting critical infrastructure in the United States. The attack additionally highlights the potential for cybercriminal adversaries to disrupt business processes and impact critical functions.

Digital Shadows (now ReliaQuest) is closely monitoring the developments associated with this cyberattack and will update this blog as new details emerge. For the moment, we will explore what we know so far, review associated security recommendations, and discuss the attribution to DarkSide.

Colonial Pipeline Map
The pipeline spans more than 5,500 miles between Texas and New Jersey (Source: Colonial Pipeline)

A ransomware attack impacts Colonial Pipeline

On 07 May 2021, the company learned that it was the victim of a cybersecurity attack that has been confirmed as involving ransomware according to a Colonial Pipeline press release. The attack happened on Friday, a typical day for malicious activity as cybercriminals aim to exploit the weekend when security teams are not at total capacity. Details about the tactics used by the attackers are still unknown. However, as a result of the ransomware campaign, Colonial temporarily halted all its activities and began working with security and forensic professionals to restore its IT infrastructure. 

In the meantime, the US Department of Transportation has released emergency legislation to relax rules on oil transportation by land to mitigate the supply disruptions caused by the ransomware attack. This move comes at a sensitive time to meet fuel demands worldwide and reduce the burden on strained refineries in Texas.

DarkSide ransomware confirmed as responsible

On 10 May 2021, the US Federal Bureau of Investigation issued a statement confirming attribution of the Colonial Pipeline attack to the DarkSide ransomware group. DarkSide emerged back in August 2020 and was created by several ransomware operators willing to make the “perfect product” to meet their needs. The malware initially didn’t differ enormously from its counterparts from a technical standpoint; instead, their corporate-like approach to the ransomware business represented at the time a unicum for the threat landscape.

The known tactics, techniques, and procedures (TTPs) linked with the attack align with what Digital Shadows (now ReliaQuest) previously observed from this ransomware group. Given previous DarkSide operations, it is realistically possible that the attackers gained entry to the Colonial Pipeline networks by buying remote access from Initial Access Brokers (IABs). These “men-in-the-middle” cybercriminals provide ransomware organizations with a rich pool of victims to target. According to our research Initial Access Brokers: An Excess of Access, Remote Desktop Protocol (RDP) was the most common access vector advertised in 2020 by IABs. 

Consequently, it is realistically possible that the ransomware group that attacked Colonial Pipeline might have exploited a similar method to access the targeted environment. Digital Shadows (now ReliaQuest) previously mapped these campaigns to MITRE if you’re interested in how compromised RDPs help cybercriminals gain unauthorized access to systems.

Latest DarkSide press release
Latest DarkSide press release

Interestingly enough, on 10 May 2021, DarkSide published a press release on its data leak website claiming that they are not affiliated with any government and are solely financially motivated. This statement comes after increased allegations that this group operates from Russia, an assessment based on DarkSide’s victims’ pool, and some linguistic peculiarities that suggest that its operators are native Russian speakers.

Security recommendations and mitigation strategies

This incident is a topical reminder of the risks connected with business disruption at the level of critical national infrastructure. The increasing convergence of Information Technology (IT) and Operational Technology (OT) can put critical infrastructure at risk of being targeted by malicious cyber actors, both state-sponsored and criminally organized. Evaluating the benefits, risks, and costs associated with connecting OT to the internet should be a key priority for the stakeholders involved. Additionally, employing appropriate preventative measures can go a long way in detecting and mitigating these attacks quickly and accurately.

Some key recommendations include keeping OT systems off the internet and intermittently bringing them online only for critical actions, such as patching and updating. Having a thorough emergency response plan and a trained staff to respond to potential attacks can also significantly impact how these incidents are handled. 

Traditional cyber hygiene measures apply too— regularly backing up data, segmenting the network, and implementing multi-factor authentication are some of the key activities that security professionals will need to take into account. Additionally, maintaining visibility in the OT environment is critical to detect, mitigate, and respond to potential threats. See the latest National Security Agency (NSA) advisory for more detailed defensive strategies about connected Operational Technology.

Conclusive Remarks on the Colonial Pipeline Attack

Attacks against critical national infrastructure are among the most current cyber threats faced by governments and organizations worldwide. These attacks can potentially have severe effects on a massive number of individuals, businesses, and institutions. Consequently, ensuring early detection and quick remediation of these threats should be a key priority for everyone involved.

The recent attack against the Oldsmar water treatment facility that was observed back in April raised awareness of cyber attacks against critical national infrastructure. In that case, an attacker gained unauthorized access to that water treatment facility and attempted to increase the level of sodium hydroxide, thankfully existing fail safes were inplace and the water treatment facility operators reduced levels to normal before the fail safes had to step in.

The ransomware operation against Colonial Pipeline is another crucial reminder of the potential risks involved with this kind of attack. Luckily, no physical harm was directly caused by this cyber operation; however, the potential for business and energy distribution disruptions is great enough to pose a threat to US national security.

Digital Shadows (now ReliaQuest) will continue to monitor the situation and update this blog as further details are uncovered. In the meantime, you can stay up to date on the latest threat intelligence events by viewing our Cybercrime and Dark Web Research articles.