On May 7, 2021, Colonial Pipeline announced that it had shut down its 5,500-mile pipeline, which carries 45% of the East Coast’s fuel supplies. The shutdown was a proactive move by the company to protect its systems during an ongoing ransomware attack.
What Happened?
Colonial Pipeline was the victim of a ransomware attack by the DarkSide group, a relatively new cybercrime group that first began attacks in August 2020. The group is reportedly made up of experienced ransomware operators and runs a Ransomware as a Service (RaaS) business model, in which it sells access to its malware to other criminal groups.
The initial infection vector for the attack on Colonial Pipeline is unknown pending further investigation. The attack targeted the business (IT) side of the organization but spread to the operational side, resulting in a shutdown of the pipeline. A week after the attack, the pipeline is still largely offline, with a single line operating under manual control.
Implications of the Attack
The Colonial Pipeline attack took down a pipeline that supplies 45% of the fuel to the East Coast. As a result, the US government has declared the incident a national emergency for the duration of the shutdown, since it poses a potential threat to national security. The resulting fuel shortages in some areas, and their impact on logistics and shipping, may have wide-reaching business effects.
The Colonial Pipeline attack also demonstrates the DarkSide group’s ability to compromise even large organizations. The group is known for highly targeted attacks backed by in-depth research. This research lets the group not only identify potential infection vectors for its malware but also tailor ransom demands to a company’s resources and target key decision-makers within the organization.
In the week since the Colonial Pipeline attack, the DarkSide group claims to have compromised three more companies, demonstrating that this is not an isolated incident. The group is known for employing “double extortion” tactics: before encrypting a compromised computer, its malware exfiltrates sensitive data from it, and the group then threatens to publish that data online if the ransom is not paid.
Like the recent SolarWinds breach, the Colonial Pipeline attack has demonstrated that many organizations are vulnerable to sophisticated cyber threat actors. These attacks have prompted a recent executive order on improving the nation’s cybersecurity posture.
How MorganFranklin Can Help
While the exact cause of the Colonial Pipeline attack is not currently known, it is likely that the attackers used common attack vectors such as phishing emails, unpatched vulnerabilities, or insecure remote access solutions. These weaknesses are widespread and provide the initial access that ransomware groups need to deploy their malware.
Managing the threat of DarkSide and other ransomware groups requires action to identify and close these security gaps. MorganFranklin advisors can assist in identifying them and in developing and implementing a strategy to remediate them.