The Colonial Pipeline Cyberattack
- May 30, 2021
- Clayton Rice, Q.C.
On May 7, 2021, Colonial Pipeline Co. sustained a ransomware cyberattack disabling the computerized equipment that manages its pipeline. The pipeline carries gasoline, diesel and jet fuel from Texas to New York and services much of the eastern seaboard. It was the largest cyberattack on an oil infrastructure target in the history of the United States. The company paid a ransom of $4.4 million in cryptocurrency within hours of the discovery. The attackers then released a decryption tool that was so slow the company continued to use its own backups to restore the network. On May 12, 2021, Colonial resumed fuel shipments.
In a previous post to On The Wire I discussed the SolarWinds hack as an example of a cyberespionage operation. (here) The main tenet of cyberespionage is secrecy. Cyberspies want to get in and get out – undetected. The object is to view classified information, not steal it. In a follow-up post I discussed the recent indictment returned by a grand jury in the United States District Court for the Western District of Washington in Seattle charging Swiss hacker, Till Kottmann, with conspiracy to access computers without authorization, and identity and data theft. (here) The allegations of theft take the Kottmann indictment outside the domain of cyberespionage and spotlight the distinction between hackers and crackers. Hackers access computer systems to acquire information. Crackers hack systems to do damage or cause disruption. Where, then, does an attack for ransom fit into the paradigm?
2. What is Ransomware?
Ransomware is a type of malware that encrypts a target’s files. It locks them up. The attackers then promise to provide a tool to unlock them for payment. Some ransomware groups have engaged in “double extortion” threatening to also dump the data on the internet unless payment is made. (here) The costs may range from hundreds to millions of dollars payable in cryptocurrency. One of the more common delivery systems is phishing spam sent to a target by email attachment masquerading as a file that should be trusted. When downloaded and opened, it can take over the target’s computer, particularly if it has social engineering tools that trick the target into allowing administrative access. More aggressive forms of ransomware, such as NotPetya, associated with the Sandworm group within the Russian military intelligence organization (GRU), exploit security holes to infect computers without having to trick the user. (here) It is the element of extortion that distinguishes ransom heists from hackers and crackers.
3. Colonial and DarkSide
Colonial carries nearly half of the fuel supplies to the U.S. east coast in a 5,500 mile pipeline. When the story broke, concerns immediately arose about potential shortages, closure of airports and other transportation systems, and a jump in prices at the pump. On May 10, 2021, the F.B.I. said the attack was caused by DarkSide ransomware, a strain of computer virus delivered by an eponymous group. (here) On the same day, in a characteristically cryptic post to his blog, security technologist Bruce Schneier of the Harvard Kennedy School described the event as a major story. “This is bad,” he said, “our supply chains are so tightly coupled that this kind of thing can have disproportionate effects.” (here) The early reports indicated that the heist involved 100 gig of data and a threat to publish it – a classic double extortion.
DarkSide first appeared on Russian language hacking forums in August 2020. It has been described as a ransomware-as-a-service platform that approved customers can use to infect targets with ransomware and carry out negotiations for payment. In an update to the DarkSide Leaks blog, discussed by investigative journalist, Brian Krebs, in a post to his blog, the group said: “[W]e do not participate in geopolitics […] Our goal is to make money, and not creating [sic] problems for society.” DarkSide appears to have a code of conduct. It went on to say it only targets large corporations and forbids affiliates from delivering ransomware to healthcare systems, educational institutions, non-profit organizations and government agencies. Mr. Krebs described DarkSide as similar to other ransomware platforms – it adheres to “the current badguy best practice of double extortion” by demanding one sum for the digital key to unlock the encrypted files and another sum in exchange for a promise to destroy any stolen data. (here)
DarkSide has also been described as a double extortionist by Cybereason, a Boston-based cyber defence platform. The group has been predominately deployed in English speaking countries and seems to avoid targets in former Soviet bloc nations. The ransom demands vary between US$200,000 and US$2,000,000 and, according to the DarkSide website, it has published data stolen from over 40 targets. In addition to the code of conduct, and posturing as a kind of ethical ransomware broker, DarkSide maintains that it will donate a portion of its profits to charitable causes, although some of the charities have refused the contributions. (here and here) In a piece titled Welcome to DarkSide – and the inexorable rise of ransomware published in The Guardian edition of May 15, 2021, Professor John Naughton at the University of Cambridge described DarkSide’s ethics as “an interesting new interpretation of ‘corporate responsibility’.” (here)
On May 19, 2021, Colonial announced that its pipeline system was taken offline when it learned of the attack. The decision was then made quickly to pay the ransom. “I know that’s a highly controversial decision,” said Colonial CEO Joseph Blount. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this. But it was the right thing to do for the country.” (here and here) Although the F.B.I. discourages organizations from paying a ransom, Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, declined to confirm whether the Biden Administration agrees. “We recognize […] that companies are often in a difficult position as their data is encrypted and they do not have backups and cannot recover the data,” she said. Ondrej Krehel, CEO of the incident response and digital forensics firm LIFARS, agreed with Colonial’s decision. “You want to die or you want to live?” he asked. “It’s not a situation where you can wait.”
4. The Energy Sector Risk
Energy companies have historically kept operational systems that run pipelines or power plants disconnected from the broader internet. This meant that hackers could not easily access the most critical infrastructure. But, increasingly, companies are now installing more sophisticated monitoring and diagnostics software to operate these systems more efficiently. This potentially creates new risks. “Now these systems are all interconnected in ways that the companies don’t always fully understand,” said Marty Edwards, vice president of operational technology at Tenable, a cyber exposure company. “That provides an opportunity for attacks in one area to propagate elsewhere.” (here)
With the increasing cybersecurity risk in the public sector, the U.S. Department of Homeland Security announced that it is moving to regulate cybersecurity in the pipeline industry for the first time in order to prevent a repeat of the Colonial breach. The Transportation Security Administration, a DHS agency, is expected to issue a directive requiring pipeline companies to report cyber breaches to federal authorities. A set of mandatory rules for safeguarding systems is anticipated. In the past, the TSA only offered voluntary guidelines. Although mandatory cybersecurity standards might mollify some critics, the proposed rulemaking may also draw criticism from lawmakers who say the agency lacks the resources and expertise to take on a larger policing role. (here) The directive is also expected to prompt criticism from private operators concerned about increased government regulation. The American Petroleum Institute said that any new regulations should include “reciprocal information sharing and liability protections.” (here)
5. What has Changed?
Nothing. The news over the past week simply brought back to the headlines another ransomware incident, albeit a failed attempt, while Microsoft announced a phishing campaign that targeted the U.S. Agency for International Development (AID). Both involved Russian cyberactors.
On May 24, 2021, Egor Igorevich Kriuchkov, a Russian citizen, was sentenced to time in custody by U.S. District Judge Miranda Du, in Reno, Nevada, for attempting to pay a Tesla employee $500,000 to install computer malware at the company’s electric battery plant in an attempt to steal corporate secrets for ransom. (here) Mr. Kriuchkov will now be deported. The intrusion was designed as a distributed denial-of-service attack, using junk data to flood the Tesla computer system, while a second intrusion would let co-conspirators extract data from the company’s network and demand ransom with the threat of making information public. Sound familiar?
On May 27, 2021, Microsoft vice president Tom Burt announced that Russian cyberspies had launched a targeted phishing assault on U.S. and foreign government agencies and think tanks. (here) The intrusion used an email marketing account of U.S. AID and targeted about 3,000 email accounts at more than 150 different organizations. It was estimated that a quarter of them are involved in international development, humanitarian aid and human rights work. Microsoft said Nobelium was behind the attack, the same Russian cyberactor behind the SolarWinds breach. The ongoing intrusion evolved out of several waves of spear-phishing campaigns that were detected in January and escalated to the mass mailings during the past week. Sound familiar?
The internet is a dark and dangerous place. The growing number of cybersecurity incidents has led some insurers to raise premiums and others to limit coverage in high risk areas. “[T]he continually increasing frequency and severity of cyberattacks, especially ransomware attacks, have led insurers to reduce cyber coverage limits for certain riskier industry sectors, such as health care and education, and for public entities and to add specific limits on ransomware coverage,” the U.S. Government Accountability Office said in a report released earlier this month. (here and here) According to the White House Council of Economic Advisors, the cost of malicious cyber activity to the U.S. economy in 2016 was between $57 billion and $109 billion. For almost twenty-five years, since 1997, the GAO has designated cybersecurity as a “government-wide high-risk area, and U.S. businesses and other entities continue to face significant cybersecurity risks with the potential for large losses.”