Colonial Pipeline FAIL: Ransomware Gang Threatens Gas Supplies

Carrying almost half of the east coast’s road and jet fuel, the Colonial Pipeline is critical infrastructure—of that there’s no doubt. But ransomware scrotes have stolen and encrypted 100 GB of data, crippling the pipeline’s operation.

One must presume that Colonial’s owner did a piss-poor job of securing the pipeline’s industrial controls. Why is this stuff even accessible via the internet?

Prepare for inflated gas prices, long lines at the pumps and canceled flights. In today’s SB Blogwatch, we angrily buy a used Nissan Leaf.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 3FA.

Something-Something DarkSide

What’s the craic? Raphael Satter reports—“Ransom group linked to Colonial Pipeline hack is new but experienced”:

“Russian”
Who precisely is behind the disruptive intrusion into Colonial Pipeline hasn’t been made officially known and digital attribution can be tricky. … A former U.S. official and two industry sources [say] the group DarkSide is among the suspects.

DarkSide is one of a number of increasingly professionalized groups of digital extortionists, with a mailing list, a press center, a victim hotline and even a supposed code of conduct intended to spin the group as reliable, if ruthless, business partners. … It also has a public relations program … inviting journalists to check out its haul of leaked data and claiming to make anonymous donations to charity

In some ways DarkSide is hard to distinguish from the increasingly crowded field of internet extortionists. Like many others it seems to spare Russian, Kazakh and Ukrainian-speaking companies, suggesting a link to the former Soviet republics.

How big is the problem? Mary-Ann Russon adds—“fuel pipeline cyber-attack”:

“100 GB of data”
The Colonial Pipeline carries 2.5 million barrels a day – 45% of the East Coast’s supply of diesel, gasoline and jet fuel.

Oil market analyst Gaurav Sharma [said] a lot of fuel was now stranded at refineries in Texas: “Unless they sort it out by Tuesday, they’re in big trouble. … The first areas to be impacted would be Atlanta and Tennessee, then the domino effect goes up to New York.” He said oil futures traders were now “scrambling” to meet demand, at a time when US inventories are declining, and demand – especially for [gasoline] for cars – is on the rise as consumers return to the roads and the economy recovers.

Multiple sources have confirmed that the ransomware attack was caused by a cyber-criminal gang called DarkSide, who infiltrated Colonial’s network on Thursday and took almost 100 GB of data hostage. … After seizing the data, the hackers locked the data on some computers and servers, demanding a ransom on Friday. … They are threatening to leak it onto the internet.

And Richard Stiennon boggles thuswise—“Of Pipelines And Cybersecurity”:

“Confidence”
Shutting down a pipeline that feeds 45% of the Northeast’s fuel requirements is a big step. On one hand, it shows that Colonial understands the risks. On the other hand, it shows that Colonial Pipeline does not have 100% confidence in their operational systems’ cybersecurity defenses.

Yikes. Gravis Zero redirects the blame:

“Inevitable”
Corporations that get ransomware’d are not the victims here, they are in fact the perpetrators. What they did was neglect security to such an extent that they have no backup plan.

Their systems could not be restored quickly from backups and they didn’t put money into ensuring the software they use was bulletproof. This kind of attack is inevitable and they did nothing to prepare for it.

Although jtchang sees the silver lining:

“Might actually make us all safer”
In a twisted sort of way I am happy to see these types of ransomware attacks making headlines. Before it was much harder to quantify how much a breach might cost but with ransomware you get a fuzzy lower bound. Also the prevalence of these attacks might actually make us all safer in the long run.

So management might now pay attention? Nope, presumes jake:

“The truth”
Presumably the ****wits in charge had the pipeline’s SCADA connected to the TehIntraWebTubes at large, so management could impress their friends when fondling their iFad down at the club. It’s going to get worse, until said ****wits in charge realize that when an actual IT professional tells them “that is not today, has never been, and cannot ever be made safe, UNLESS we re-design The Internet from the ground up, from scratch,” it’s actually the truth, not an excuse to get out of working.

It’s like a disaster movie. So says Powercntrl:

“Hollywood”
How about … don’t connect critical systems to the internet? Why is that so hard to understand?

Back in ’95, Hollywood released [Hackers—an] absurd movie where both the protagonists and antagonist accomplish ridiculous feats of “hacking” on infrastructure that, at the time, was typically not connected to the internet. Based on how poorly real-world technological implementations have been at avoiding fictional 90s Hollywood movie pitfalls, I fully expect if there’s ever a dinosaur park, the dinosaurs will escape and start eating people.

[And] just wait until Tesla gets hacked and the hackers push out an update which bricks ’em all. It seems like an absurd trope from a dumb Hollywood movie, until it happens.

What to do? David Walsh—@WalshonMergers—wants to make your tax dollars work:

“Fund CISA”
Part of the current infrastructure plan should be to further fund CISA to shore up the least secure, easiest to hack … targets:
* Hospitals
* Power
* Local government/schools.

But to do what? sky_rw offers this handy analogy:

“Armored door”
We have major vulnerabilities to key infrastructure components. Publicly exposing these helps harden them.

9/11 added a ton of security theater and fear, but it also resulted in armored doors on airplane cockpits. I’d like to see the armored door of the energy infrastructure implemented.

Meanwhile, who can we blame? Ranger thinks it doesn’t matter:

“Gas stations”
Iran, Russia, China, North Korea, cybercriminals? Or some … guy who lives in his mom’s basement? But don’t worry. Your local gas stations will jack up the price of fuel even if they aren’t affected.

And Finally:

MFA FTW

Hat tip: David Pescovitz

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Dzmitry Dudov (via Unsplash)


Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
