Colonial Pipeline Ransomware Attack: Why It Can Happen To Anyone, Anytime, And What You Need To Know About It
The Colonial Pipeline ransomware attack made news headlines around the world. After shutting down its pipeline network for about a week and paying $4.4 million in ransom, Colonial Pipeline hoped that fuel supply would normalize within the following few days. Two questions, however, remain unanswered. First, are organizations doing enough to protect their Critical Information Infrastructure (CII)? Second, should an organization pay the ransom if it falls victim to a ransomware attack?
Not many people outside the Southeastern states along the US East Coast knew of Colonial Pipeline, the largest refined-products pipeline system in the country, carrying gasoline and other refined petroleum products, with Joseph Blount as its CEO. That changed on the morning of May 7, 2021, when news emerged that Colonial Pipeline had become the target of a ransomware attack that would cost it millions of dollars. Within about an hour of discovering the attack, the company shut down its entire pipeline infrastructure. The incident once again highlighted the need to protect the country's critical information infrastructure from cyber adversaries.
The Colonial Pipeline Ransomware Attack – A Summary Of What Happened
The May 7 ransomware attack forced Colonial Pipeline to shut down its entire pipeline network, which spans about 5,500 miles and serves some 260 delivery points across 13 US states and Washington DC. The shutdown was partly a precaution to stop the attackers from reaching more of the pipeline network. It sparked a run on gasoline along the East Coast, pushing gas prices to their highest level in six and a half years. The impact was severe, with thousands of gas stations left without fuel for nearly six days.
Despite the FBI's standing advice to ransomware victims not to pay, Colonial Pipeline paid 75 Bitcoin (approximately $4.4 million at May 7 prices) to the attackers to obtain a decryption tool, restore access to the encrypted data, and restart its systems.
The Source Behind The Attack
A common perception is that most ransomware attacks in the USA and worldwide originate from Russia. Sources such as Sophos pointed to the DarkSide group (a cybercriminal group that extorts its victims with ransomware and data-leak threats), which had not directly claimed responsibility at the time. The suspicion is strengthened by evidence that DarkSide operates from Russia: security researchers note that its malware checks the system language and does not encrypt files on machines where the language is set to Russian or to the languages of other former Soviet states.
The FBI has also confirmed that DarkSide was behind the attack. DarkSide, for its part, states that it is apolitical and has no ties to any nation-state, and that its objective is to make money rather than to disrupt society.
What Did The Attack Infect?
The intrusion began before the ransom note appeared on Colonial Pipeline's servers. About 100 GB of data was exfiltrated from the company's network on May 6, 2021. On the morning of May 7, 2021, Colonial Pipeline received the ransom note, demanding payment under threat of the stolen data being released on the internet.
Although Colonial Pipeline stated that the attack did not directly affect its operational technology (OT) systems, it decided to shut down the pipeline anyway, because the full extent of the intrusion was not yet clear and it needed time to investigate. Halting operations was a precaution against the infection spreading from the corporate IT network into the pipeline control systems.
Besides halting operations along the 5,500-mile pipeline, the company told its employees not to log in to the corporate network. Meanwhile, the IT security team made a flurry of calls to top management and federal agencies, beginning with the FBI field offices in Atlanta and San Francisco. It also informed a representative of the Cybersecurity and Infrastructure Security Agency (CISA) of the attack and of the containment measures taken.
Shutting down the pipeline halted deliveries of gasoline, diesel and jet fuel, causing temporary shortages in states along the route from Texas to New Jersey. Consumers resorted to panic buying as the shortage entered its fourth day, and many filling stations ran dry by May 11, 2021. The national average fuel price rose above $3 per gallon, its highest level in more than six years.
Jet fuel shortages forced American Airlines to change some flight schedules, and several international airports had to turn to alternative suppliers to make up the shortfall.
On May 9, 2021, the federal government issued a regional emergency declaration lifting restrictions on transporting fuel by road and other means as an alternative to the pipeline. The Governor of Georgia followed with a state of emergency in Georgia on May 10, 2021.
What Was The Resolution?
A ransomware incident usually ends in one of three ways, and Colonial Pipeline's case touched on all of them.
- Rebuild The System: There was no report of any system failing in this case; Colonial Pipeline shut down pipeline operations as a precaution. It did, however, hire a third-party incident response firm to assess the damage and recommend remedial measures, including rebuilding affected systems.
- Restore Backup: Colonial Pipeline had backups in place. However, it had to establish the extent of the compromise before restoring from them, since restoring onto a network the attacker still controls would simply be undone.
- Pay The Ransom: The FBI advises organizations not to pay, because payment funds and encourages further attacks. Nevertheless, CEO Joseph Blount decided to pay the $4.4 million ransom, citing the national interest.
The Preventive Measures Colonial Pipeline Could Have Taken
Although all suspicion points towards DarkSide, the exact sequence of events is not public. DarkSide may have exploited a vulnerability or misused a legitimate credential to gain access to the network. It is also unclear whether Colonial Pipeline acted in time or whether the malware had already begun spreading from the IT side towards the operational side.
Early speculation held that the attack happened because engineers accessed control systems remotely from home using tools such as Microsoft Remote Desktop or TeamViewer. Subsequent reporting attributed initial access instead to a compromised password for a legacy VPN account that did not require multi-factor authentication. Exposed remote access has been abused before: in February 2021, an intruder used remote-access software at a water treatment plant in Florida to attempt to raise the level of sodium hydroxide in the drinking water to a dangerous concentration; the change was caught and reversed before it took effect.
Colonial Pipeline could have taken the following preventive measures to avoid falling victim to the ransomware.
- Stronger email and credential defenses (anti-phishing controls, multi-factor authentication on every remote-access path, and removal of unused accounts) could have made the May 6, 2021 data exfiltration far harder. The initial access may have come from a software vulnerability or from an employee lapse such as a reused or phished password; training employees to recognize phishing reduces the latter.
- Asset management and network segmentation: inventory every IT and OT asset and every remote-access path, place the control network behind a jump host that requires MFA, and block direct remote control of the pipeline from home networks via third-party tools.
- Most importantly, cybersecurity awareness training around basic cyber hygiene, so that employees can recognize and report suspicious activity.
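As an added illustration of the access-control points above (example code, not from the page, Colonial Pipeline, or any VPN vendor), the following Python script audits a constructed set of VPN authentication log lines against a constructed account inventory and flags the conditions a defender would want to see before an attacker does: successful logins without MFA, use of accounts the inventory has retired, accounts resurfacing after a long dormancy, and logins by identities the inventory does not know at all. The log format, field names and account names are assumptions for the example.

```python
"""Audit remote-access (VPN) authentication logs for the weaknesses that
typically precede a ransomware intrusion.

Added example, not Colonial Pipeline's or any vendor's code. The log
format, field names and account inventory below are constructed for the
example and do not follow any real VPN appliance's format.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed account inventory: what identity management believes is true.
# last_seen is the last login recorded before the audited window.
ACCOUNT_INVENTORY = {
    "jsmith":      {"status": "active",  "last_seen": "2021-04-28T17:30:00Z"},
    "ops_oncall":  {"status": "active",  "last_seen": "2021-04-28T21:40:00Z"},
    "legacy_vpn":  {"status": "retired", "last_seen": "2020-11-02T08:15:00Z"},
    "contractor7": {"status": "active",  "last_seen": "2020-12-20T10:00:00Z"},
}

# Constructed log lines in an assumed "timestamp host key=value ..." syntax.
SAMPLE_LOG = """\
2021-04-29T03:12:51Z vpn01 user=legacy_vpn src=198.51.100.23 auth=password mfa=no result=success
2021-04-29T03:13:07Z vpn01 user=legacy_vpn src=198.51.100.23 auth=password mfa=no result=success
2021-04-29T09:00:12Z vpn01 user=jsmith src=192.0.2.10 auth=password mfa=yes result=success
2021-04-29T09:05:40Z vpn01 user=contractor7 src=203.0.113.8 auth=password mfa=yes result=success
2021-04-29T11:22:03Z vpn01 user=ops_oncall src=192.0.2.77 auth=password mfa=no result=failure
2021-04-29T11:22:19Z vpn01 user=ghost src=203.0.113.99 auth=password mfa=no result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"]}
    for token in m["kv"].split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def audit_vpn_log(log_text, inventory=ACCOUNT_INVENTORY, dormant_days=90):
    """Return a list of findings for successful logins that violate policy.

    Each finding is a dict with ts, user, src, reason and, for dormancy,
    idle_days. Failed logins are ignored here; brute-force detection is a
    separate concern.
    """
    # Copy last_seen so the audit itself advances it as logins are processed.
    last_seen = {u: _ts(a["last_seen"]) for u, a in inventory.items()}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("result") != "success":
            continue
        user, when = rec.get("user"), _ts(rec["ts"])
        base = {"ts": rec["ts"], "user": user, "src": rec.get("src")}

        # Rule 1: every remote-access login must have completed MFA.
        if rec.get("mfa") != "yes":
            findings.append({**base, "reason": "password_only_login"})

        acct = inventory.get(user)
        if acct is None:
            # Rule 2: the VPN accepted an identity the inventory does not know.
            findings.append({**base, "reason": "account_not_in_inventory"})
            continue
        if acct["status"] != "active":
            # Rule 3: a retired/legacy account is still able to log in.
            findings.append({**base, "reason": "retired_account_used"})

        # Rule 4: an account dormant for longer than dormant_days resurfaces.
        idle = when - last_seen[user]
        if idle > timedelta(days=dormant_days):
            findings.append({**base, "reason": "dormant_account",
                             "idle_days": idle.days})
        if when > last_seen[user]:
            last_seen[user] = when
    return findings


def summarize(findings):
    """Count findings by reason, for a quick triage view."""
    return Counter(f["reason"] for f in findings)


if __name__ == "__main__":
    results = audit_vpn_log(SAMPLE_LOG)
    for f in results:
        print(f)
    print(dict(summarize(results)))
```

On the sample data the retired `legacy_vpn` account trips three rules at once (no MFA, retired, dormant for about half a year), which is the pattern a legacy VPN account without MFA would produce. The same checks apply unchanged to the real appliance's logs once `parse_line` is adapted to its format.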
The Interesting Aspects Of The Colonial Pipeline Situation
The Colonial Pipeline incident brought several notable aspects to the fore.
- Prices rose not because fuel had actually run out, but because of panic buying.
- The blockchain analytics firm Elliptic identified the cryptocurrency wallet that received the ransom on behalf of DarkSide.
- The attack prompted President Joe Biden to announce tough action against the actors behind it.
- A day after Biden's warning, DarkSide stated that it had lost access to its servers and that its funds had been withdrawn. It also said it would release decryption tools to victims whose data it held but who had not paid.
Why Did Colonial Pipeline Pay The Ransom?
The FBI consistently cautions ransomware victims not to pay, because payment encourages attackers to commit more crimes. However, Joseph Blount chose to pay the ransom of around $4.4 million for the following reasons.
- Colonial Pipeline did not know the extent of the damage caused by the attack, and therefore could not tell how long restoring fuel supply would take.
- The company supplies roughly 45% of the East Coast's fuel. An indefinite suspension could have plunged the affected states into a critical emergency.
- With people resorting to panic buying, gas prices rose abnormally. Ironically, a driver in North Dakota using fuel refined in Texas paid less than drivers in Texas itself.
Therefore, Joseph Blount took the extreme step of paying the ransom with the interests of the nation and its citizens in mind.
Attacks Similar To Colonial Pipeline Ransomware
The Colonial Pipeline attack proved that no organization, however large or small, can consider itself immune to cyberattacks. What happened to Colonial Pipeline, with about 830 employees, could equally happen to an organization with fewer than 150.
The Colonial Pipeline attack recalls a few similar recent incidents, such as the two below.
- The Florida Water Treatment Plant Case – In February 2021, an intruder remotely accessed the control systems of the water treatment facility in Oldsmar, Florida, through the TeamViewer software and changed the sodium hydroxide dosing setpoint from 100 ppm to 11,100 ppm, a level that would make the water dangerous to touch, let alone drink. Fortunately, the operator watching the console noticed the change and restored the normal level before it could affect the treatment process.
- Nebraska Medicine Ransomware Case – An unauthorized person gained access to the network of Nebraska Medicine and the University of Nebraska Medical Center between August 27 and September 20, 2020, and copied employee and patient information, although the attacker could not access the hospitals' EHR system. The breach exposed Social Security numbers, names, addresses, medical records, lab results and other confidential data of patients and employees.
These two cases, along with the Colonial Pipeline attack itself, drive home the point that no organization is immune to cyberattack. Attackers infiltrate whichever networks they find easiest to enter, or critical information infrastructure that can be brought down to cause havoc. A corporate entity like Colonial Pipeline suffered a data breach despite sophisticated cybersecurity strategies and safeguards; an SMB with 25 employees can be just as vulnerable. Businesses therefore need to be vigilant and act proactively instead of reacting after an attack has already done its damage.
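The Oldsmar case above is at heart a setpoint-integrity problem: a dosing parameter was pushed far outside any sane engineering range through a remote session, and only an alert operator caught it. The following Python script, added here as an example and not the plant's or any vendor's code, runs a constructed HMI audit trail through three checks a control-system monitor could apply automatically: per-tag engineering-range limits, a bound on how large a single step may be, and a policy that remote sessions are view-only. Tag names, limits and audit records are assumptions; only the 100 ppm to 11,100 ppm change mirrors the reported incident.

```python
"""Flag dangerous setpoint changes in a water-treatment HMI audit trail.

Added example, not the Oldsmar plant's or any vendor's code. The tag
names, engineering limits and audit records are constructed for the
example; the 100 -> 11,100 ppm sodium hydroxide change mirrors the
publicly reported Oldsmar incident.
"""
from dataclasses import dataclass, field


@dataclass
class SetpointChange:
    ts: str
    operator: str
    source: str       # "local_console" or "remote_session"
    tag: str
    old: float
    new: float


@dataclass
class Alert:
    ts: str
    tag: str
    severity: str
    reasons: list = field(default_factory=list)


# Constructed engineering limits per tag. Values outside [min, max] can never
# be a legitimate operator action; max_step_factor bounds a single change.
LIMITS = {
    "NAOH_DOSE_PPM": {"min": 50.0, "max": 200.0, "max_step_factor": 2.0},
    "CL2_DOSE_PPM":  {"min": 0.5,  "max": 4.0,   "max_step_factor": 2.0},
}

# Constructed audit trail, loosely following the reported Oldsmar timeline.
SAMPLE_EVENTS = [
    SetpointChange("2021-02-05T08:10:00Z", "shift_op", "local_console", "CL2_DOSE_PPM", 1.8, 2.1),
    SetpointChange("2021-02-05T13:28:00Z", "shift_op", "remote_session", "NAOH_DOSE_PPM", 100.0, 11100.0),
    SetpointChange("2021-02-05T13:31:00Z", "shift_op", "local_console", "NAOH_DOSE_PPM", 11100.0, 100.0),
    SetpointChange("2021-02-05T14:02:00Z", "vendor_tv", "remote_session", "PUMP3_SPEED_PCT", 40.0, 45.0),
]


def step_factor(old, new):
    """Ratio of the larger to the smaller magnitude; inf if exactly one is zero."""
    lo, hi = sorted((abs(old), abs(new)))
    if lo == 0:
        return 1.0 if hi == 0 else float("inf")
    return hi / lo


def evaluate(change, limits=LIMITS):
    """Return the list of policy reasons a single setpoint change violates."""
    reasons = []
    lim = limits.get(change.tag)
    if lim is None:
        # A writable tag with no limits configured is itself a finding.
        reasons.append("no_limits_defined")
    else:
        if not (lim["min"] <= change.new <= lim["max"]):
            reasons.append("out_of_engineering_range")
        if step_factor(change.old, change.new) > lim["max_step_factor"]:
            reasons.append("large_step")
    # Policy: remote sessions are view-only; any remote write is suspect.
    if change.source == "remote_session":
        reasons.append("remote_session_change")
    return reasons


def severity_for(reasons):
    if "out_of_engineering_range" in reasons:
        return "critical"
    if "large_step" in reasons:
        return "high"
    return "medium"


def check_setpoint_changes(events, limits=LIMITS):
    """Run every event through the rules; return one Alert per violating event."""
    alerts = []
    for ev in events:
        reasons = evaluate(ev, limits)
        if reasons:
            alerts.append(Alert(ev.ts, ev.tag, severity_for(reasons), reasons))
    return alerts


if __name__ == "__main__":
    for a in check_setpoint_changes(SAMPLE_EVENTS):
        print(a)
```

The operator's restoration (11,100 back to 100 ppm) is still reported as a large step on purpose: the monitor records every big jump and leaves it to the analyst to pair the correction with the change it undoes. In a real deployment the range check belongs in the PLC or safety instrumented system as well, so that the HMI cannot push a value the process should never accept.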
References
- Gallagher, S., Loman, M., Mackenzie, P., & Polat, Y. (2021, May 11). A defender's view inside a DarkSide ransomware attack. Sophos.
- Associated Press. (2021, May 20). Colonial Pipeline confirms it paid $4.4m ransom to hacker gang after attack. The Guardian.
- Eaton, C., & Volz, D. (2021, May 19). Colonial Pipeline CEO tells why he paid hackers a $4.4 million ransom. The Wall Street Journal.
- Morrison, S. (2021, May 19). How a major oil pipeline got held for ransom. Vox.
- Whitney, L. (2021, May 12). How to prevent another Colonial Pipeline ransomware attack. TechRepublic.
- Radichel, T. (2021, May 16). Colonial Pipeline hack. Medium.
- Greig, J. (2021, February 9). FBI, Secret Service investigating cyberattack on Florida water treatment plant. TechRepublic.
- Drees, J. (2021, February 8). Hackers hit Nebraska Medical Center, U of Nebraska with malware, steal patient and employee records. Becker's Health IT.