The Snowball Effect of the Colonial Pipeline Attack

Author: Rhea Jethvani

A single compromised password led to the largest fuel pipeline in the United States being shut down and gasoline shortages across the East Coast.

People rushing to gas stations to fill up plastic bags' worth of gasoline? The federal government declaring a state of emergency over one compromised password? Operational technology halted at Colonial Pipeline? The week of May 10th, 2021, was definitely one for the books, after a seemingly small ransomware attack targeting the Colonial Pipeline of America snowballed into a gasoline shortage and a cybersecurity lapse that cost a major company $4.4 million.

Petroleum Industry Operational Technology (Photo by Patrick Hendry on Unsplash)

On April 29th, 2021, malicious actors targeted Colonial Pipeline, a midstream Oil and Natural Gas pipeline and storage company, based in Alpharetta, Georgia. Colonial Pipeline transfers refined petroleum products between upstream production sites, downstream refining facilities, and storage sites, for a large majority of the United States.

The cybercriminals behind the attack used DarkSide, a Ransomware-as-a-Service (RaaS) offering that facilitates stealing data, locking computers, and demanding a ransom. RaaS is a relatively new term used to describe the business model used by ransomware developers. RaaS developers lease ransomware variants in much the same way that software developers lease Software-as-a-Service and other cloud-based products. This allows people with little technical knowledge to launch ransomware attacks simply by purchasing or renting the service. According to the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) release, the RaaS developers receive a share of the proceeds when a threat actor deploys the ransomware.

DarkSide actors typically deploy the ransomware through phishing attacks or the exploitation of remotely accessible accounts, systems, and Virtual Desktop Infrastructures. They initially gain access to a device as a legitimate user (e.g., through a brute force password attack, phishing attack with a malicious link, or a SQL-injection vulnerability against an organization’s Virtual Private Network infrastructure) so that they can install malicious code on the compromised endpoint. Afterwards, the threat actor escalates privileges to gain access to sensitive information through different tactics, techniques, and procedures (TTPs) such as using a Command and Control infrastructure, downloading and using TeamViewer, or using a backdoor that supports keylogging, taking screenshots, or executing .NET commands. Finally, the threat actor will encrypt important business processes, request a ransom, and show "proof of life" to leverage the payment. The threat actor will only decrypt the files after the target pays the ransom.

In the case of the Colonial Pipeline attack, hackers gained entry through a Virtual Private Network account that was no longer in use but could still access the system. The account's password had either been leaked on the dark web or brute-forced, allowing a threat actor to obtain the credential and access the server, especially since basic cybersecurity practices (e.g., multi-factor authentication) were not being used on the network.
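The root cause described above (an unused VPN account that was still enabled and had no multi-factor authentication) is something a routine account audit can surface. The following is an added example, not code from the original article or from Colonial Pipeline; the CSV column names, the account names, and the 90-day inactivity threshold are assumptions, and the sample export is constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export of VPN accounts; the column names are assumptions,
# not the schema of any particular VPN or identity product.
SAMPLE_EXPORT = """username,enabled,mfa_enrolled,last_login
alice,true,true,2021-04-27
svc-legacy,true,false,2020-11-02
bob,true,false,2021-04-20
carol,false,false,2019-06-15
dave,true,true,2020-01-10
newhire,true,false,
"""

STALE_AFTER = timedelta(days=90)  # assumed inactivity threshold


def audit_vpn_accounts(export_text, as_of, stale_after=STALE_AFTER):
    """Return (username, [reasons]) for every enabled account with a finding."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot authenticate
        reasons = []
        last = row["last_login"].strip()
        if not last:
            reasons.append("never-used")
        elif as_of - datetime.strptime(last, "%Y-%m-%d") > stale_after:
            reasons.append("dormant")
        if row["mfa_enrolled"].strip().lower() != "true":
            reasons.append("no-mfa")
        if reasons:
            findings.append((row["username"], reasons))
    # Accounts with the most findings (unused and no MFA) are listed first.
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings


if __name__ == "__main__":
    for user, reasons in audit_vpn_accounts(SAMPLE_EXPORT, datetime(2021, 4, 29)):
        print(f"{user:12} {', '.join(reasons)}")
```

Accounts flagged as both unused and lacking MFA are the ones to disable or remediate first, since a single leaked or guessed password is enough to use them.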

A week later, on May 7th, 2021, at 5 a.m., an employee in the company control room found a ransom note that demanded cryptocurrency payment. By 6:10 a.m., the entire gasoline pipeline system was shut down by the operations supervisor, and it didn’t take much time for the news to spread. The company shutdown led to shortages in fuel across the East Coast and an increase in gasoline prices. The company was forced to pay the $4.4 million ransom and publicly announce the attack in order to have the threat actors release the files.

After public announcements from the company discussing system restart plans and the restoration process, the FBI confirmed DarkSide ransomware was behind the attack. On May 12th, 2021, Colonial Pipeline restored operations and announced fuel delivery timelines to discourage people from "panic buying" gasoline.

On that same day, President Biden signed an Executive Order that requires all federal agencies to use basic cybersecurity practices, sets new security standards for software providers, and demands mandatory breach reporting. After major attacks such as the SolarWinds hack and the University of California system breach, this change was welcomed by the cybersecurity industry. Later in the month, the Department of Homeland Security issued a directive that outlined new cybersecurity requirements specifically for pipeline owners and operators. In addition, the Department of Justice announced that it will address ransomware attacks with the same level of priority as terrorism.

Despite the impacts on the Oil and Natural Gas industry, this attack caused social, political, and economic change that further emphasized the need for cyber hygiene and counter-ransomware Incident Response plans.
