By: Ravie Lakshmanan
Colonial Pipeline, which carries 45% of the fuel consumed on the U.S. East Coast, on Saturday said it halted operations due to a ransomware attack, once again demonstrating how vulnerable critical infrastructure is to cyberattacks.
“On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack,” the company said in a statement posted on its website. “We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”
Colonial Pipeline is the largest refined products pipeline in the U.S., a 5,500 mile (8,851 km) system that transports more than 100 million gallons of fuel a day from the Texas city of Houston to New York Harbor.
Cybersecurity firm FireEye’s Mandiant incident response division is said to be assisting with the investigation, according to reports from Bloomberg and The Wall Street Journal, with the attack linked to a ransomware strain called DarkSide.
“We are engaged with Colonial and our interagency partners regarding the situation,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “This underscores the threat that ransomware poses to organizations regardless of size or sector. We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats.”
[Image: DarkSide ransom note]
An analysis of the ransomware published by Cybereason in April 2021 reveals that DarkSide has a pattern of being used against targets in English-speaking countries, while avoiding entities located in former Soviet Bloc nations.
The operators behind the ransomware also switched to an affiliate program in March, wherein recruited threat actors spread the malware by breaching victims' corporate networks, while the core developers maintain the malware and the payment infrastructure.
DarkSide, which commenced operations in August 2020, has published stolen data from more than 40 victims to date. It's not immediately clear how much money the attackers demanded or whether Colonial Pipeline has paid. A separate report from Bloomberg alleged that the cybercriminals behind the attack stole 100GB of data from the company's network.
Rising Threat of Ransomware
The latest cyber attack comes as a coalition of government and tech firms in the private sector, called the Ransomware Task Force, released a list of 48 recommendations to detect and disrupt the rising ransomware threat, in addition to helping organizations prepare and respond to such attacks more effectively.
Potentially damaging intrusions targeting utilities and critical infrastructure have surged in recent years, fueled in part by ransomware operators who have increasingly adopted double extortion: rather than only encrypting the victim's data, they exfiltrate it beforehand and threaten to make it public if the ransom demand is not paid.
Based on data gathered by Check Point and shared with The Hacker News, the average weekly number of cyberattacks targeting American utilities jumped by 50%, from 171 at the start of March to 260 towards the end of April. What's more, over the last nine months, the monthly number of ransomware attacks in the U.S. nearly tripled to 300.
“Furthermore, in recent weeks an average of 1 in every 88 Utilities organization in the U.S. suffered from an attempted Ransomware attack, up by 34% compared to the average from the beginning of 2021,” the American-Israeli cybersecurity firm said.
In February 2020, CISA issued an alert warning of increasing ransomware infections impacting pipeline operations following an attack that hit an unnamed natural gas compression facility in the country, causing the company to shut down its pipeline asset for about two days.
Securing pipeline infrastructure has been an area of focus for the Department of Homeland Security, which in 2018 assigned CISA to oversee what’s called the Pipeline Cybersecurity Initiative (PCI) that aims to identify and address emerging threats and implement security measures to protect more than 2.7 million miles of pipelines responsible for transporting oil and natural gas in the U.S.
The agency's National Risk Management Center (NRMC) also published a Pipeline Cybersecurity Resources Library in February 2021 to "provide pipeline facilities, companies, and stakeholders with a set of free, voluntary resources to strengthen their cybersecurity posture."