Pipeline Ransomware Shows Dangers of Unsecured Infrastructure

The ransomware attack against the Colonial Pipeline is the latest incident targeting critical infrastructure in the United States, with severe potential consequences for business continuity and energy supply.

The attack began on Friday, May 7. Attackers often time ransomware deployment for the start of a weekend, when organizations are typically slower to detect and respond, and the nearly week-long outage that followed caused massive disruption to markets along the east coast of the United States.

After learning of the attack, Colonial proactively took certain systems offline to contain the threat, an action which temporarily halted all pipeline operations and affected some IT systems.

The company finally brought its entire pipeline system back online late Thursday, May 13, following days of shuttered filling stations and rising gas prices.

“This incident is a topical reminder of the importance of the risks connected with business disruption at the level of critical national infrastructure,” said Stefano De Blasi, threat researcher at Digital Shadows. “The increasing convergence of IT and operational technology (OT) can put critical infrastructure at risk of being targeted by malicious cyber actors.”

Although attribution hasn’t been confirmed yet, it is realistically possible that this ransomware group gained entry to the Colonial Pipeline networks by buying remote access from other dark web vendors, known as initial access brokers (IABs), given previous DarkSide operations.

The popularity of these “middlemen” of cybercrime has grown steadily in recent months, and they now provide a constant pool of potential victims to ransomware groups looking to expand their operations.

Additionally, as remote desktop protocol (RDP) has been the access vector most often advertised by these actors, it is realistically possible that DarkSide used a similar method to gain entry to Colonial Pipeline.
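An RDP foothold bought from an access broker usually starts life as a credential-guessing campaign, which leaves a recognisable trace in the Windows Security log: a burst of EventID 4625 failures from one address followed by a 4624 success with LogonType 10 (RemoteInteractive) from that same address. The following detector is an added example written for this page, not code from the article, from Digital Shadows or from any tool named here. The events are constructed; the field names mirror the Security log's EventData (TimeCreated, IpAddress, TargetUserName, LogonType), and the thresholds (five failures within thirty minutes) are illustrative assumptions, not a standard.

```python
"""Detect the brute-force-then-success pattern on RDP in Windows Security
log events: EventID 4625 logon failures followed by a 4624 success with
LogonType 10 (RemoteInteractive) from the same source address.

The events below are constructed for this example; field names mirror the
Security log's EventData but the values are not from any real system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a password spray from 203.0.113.7 that ends in a
# successful RDP logon, and a user on 198.51.100.9 who mistyped twice.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2021-05-06T01:02:11", "IpAddress": "203.0.113.7", "TargetUserName": "admin", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-05-06T01:02:14", "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-05-06T01:02:19", "IpAddress": "203.0.113.7", "TargetUserName": "backup", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-05-06T01:02:25", "IpAddress": "203.0.113.7", "TargetUserName": "operator", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-05-06T01:02:31", "IpAddress": "203.0.113.7", "TargetUserName": "scada", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-05-06T01:02:40", "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2021-05-06T01:02:47", "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-05-06T08:15:00", "IpAddress": "198.51.100.9", "TargetUserName": "jdoe", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2021-05-06T08:15:09", "IpAddress": "198.51.100.9", "TargetUserName": "jdoe", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2021-05-06T08:15:20", "IpAddress": "198.51.100.9", "TargetUserName": "jdoe", "LogonType": 10},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def find_rdp_bruteforce(events, min_failures=5, window=timedelta(minutes=30)):
    """Return one finding per successful RDP logon (4624, LogonType 10) that
    was preceded, within `window`, by at least `min_failures` 4625 events from
    the same source IP. Thresholds are illustrative assumptions."""
    failures = defaultdict(list)  # source IP -> timestamps of 4625 events
    findings = []
    for ev in sorted(events, key=_ts):
        src = ev["IpAddress"]
        if ev["EventID"] == 4625:
            failures[src].append(_ts(ev))
        elif ev["EventID"] == 4624 and ev["LogonType"] == 10:
            t = _ts(ev)
            recent = [f for f in failures[src] if t - f <= window]
            if len(recent) >= min_failures:
                findings.append({
                    "src": src,
                    "account": ev["TargetUserName"],
                    "failures_before_success": len(recent),
                    "success_at": ev["TimeCreated"],
                })
    return findings


if __name__ == "__main__":
    for f in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT: {f['failures_before_success']} failed logons from {f['src']} "
              f"then RDP success as {f['account']} at {f['success_at']}")
```

The important design choice is keying on the source address rather than the account: a spray rotates usernames, so a per-account lockout counter never trips, while the per-source failure list still does. Running the same logic against 4624 events with any LogonType would also catch the network (type 3) logons that follow once the attacker starts moving laterally with the credential.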

Evaluating Risk to Prevent Attacks

De Blasi said evaluating the benefits, risks and costs associated with connecting OT to the internet should be a key priority for the stakeholders involved.

“Additionally, employing appropriate preventative measures can go a long way in detecting and mitigating these attacks in a timely and accurate manner,” De Blasi said.

Some other key recommendations include keeping OT systems off the internet and intermittently bringing them online only for critical actions, such as patching and updating.

Having a thorough emergency response plan and a trained staff to respond to potential attacks can also significantly impact the way these incidents are handled, and maintaining visibility in OT environments is critical to detect, mitigate and appropriately respond to potential threats.

Traditional cybersecurity hygiene measures apply too – backing up your data, segmenting the network and implementing multi-factor authentication are some of the key activities that security professionals will need to consider.

“Attacks against critical national infrastructure are certainly among the most pressing cyber threats faced by governments and organizations worldwide,” De Blasi said. “Their potential to ripple severe effects on a massive number of individuals, businesses, and institutions means that these attacks should be a key priority for everyone involved.”

Peering Into the DarkSide

Nathan Einwechter, director of security research at Vectra, explained that DarkSide, the group purported to be behind the Colonial Pipeline attack, is well known for its level of sophistication and the intentional, slow progression it makes through a network, sometimes taking days or weeks to capture and control as many resources and as much data as possible before going destructive.

Einwechter noted that despite this, nothing within their tooling or tactics is particularly new or novel – these are the same tools, techniques and methods we’ve seen for years even if they take specific care to avoid more modern security controls, like endpoint detection and response (EDR).

“Given we have the tools and knowledge within industry today to identify these attacks while they’re still developing within our networks, enabling us to mitigate the sort of catastrophic impact we’re observing now, we need to ask ourselves: Why do we keep seeing these attacks play out successfully?” he asked.

Dirk Schrader, global vice president of security research at New Net Technologies (NNT), called the attack, and the broader consequences, a “global call to action” in all critical infrastructure sectors.

“For Colonial itself, it remains to be seen whether they failed at the essential cyber hygiene–which means they were a rather easy target–or they did well in cybersecurity and the attackers had to use sophisticated methods for the attack,” he said. “Based on known facts and insights, it rather seems that Colonial missed on the essentials.”

He pointed out that some of the web servers in their infrastructure showed old vulnerabilities dating back to 2010, according to a Shodan search.

“In addition, there is quite a [large] amount of knowledge about the DarkSide ransomware family, [so organizations should] be prepared for it,” Schrader noted. “The group behind DarkSide is known to spend at least two weeks inside the infrastructure before starting to encrypt devices, something which is confirmed by the fact that the attacker extracted about 100G of data from Colonial. So, at least the detection capabilities need some improvement.”
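The detection gap Schrader describes is not exotic: roughly 100 GB leaving a network over a period of days stands out against any host's normal egress if someone is baselining it. The check below is an added example written for this page, not code from the article or from NNT, of a per-host egress baseline over flow records. The flows are constructed, the record layout (ts, src, dst, bytes) is an assumption rather than any specific NetFlow or IPFIX export, and the thresholds (a day at least ten times the host's median day and at least 5 GiB) are illustrative and would be tuned per environment.

```python
"""Flag internal hosts whose daily egress to external addresses jumps far
above their own baseline, the signal a multi-day staging-and-exfiltration
phase leaves in flow or proxy logs.

Flow records below are constructed for this example; the field names
(ts, src, dst, bytes) are an assumption, not a specific export format."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

MiB, GiB = 2 ** 20, 2 ** 30
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _flow(ts, src, dst, nbytes):
    return {"ts": ts, "src": src, "dst": dst, "bytes": nbytes}


# Constructed sample: 10.0.5.23 sends ~50 MiB/day for four days, then 40 GiB
# to one external host on 2021-05-05 (two flows, to show aggregation);
# 10.0.5.24 is steady at 60 MiB/day; one large internal-to-internal copy is
# included to show that it is ignored.
SAMPLE_FLOWS = [
    _flow("2021-05-01T09:00:00", "10.0.5.23", "203.0.113.50", 50 * MiB),
    _flow("2021-05-02T09:00:00", "10.0.5.23", "203.0.113.50", 48 * MiB),
    _flow("2021-05-03T09:00:00", "10.0.5.23", "203.0.113.50", 52 * MiB),
    _flow("2021-05-04T09:00:00", "10.0.5.23", "203.0.113.50", 51 * MiB),
    _flow("2021-05-05T02:10:00", "10.0.5.23", "203.0.113.50", 25 * GiB),
    _flow("2021-05-05T03:40:00", "10.0.5.23", "203.0.113.50", 15 * GiB),
    _flow("2021-05-05T04:00:00", "10.0.5.23", "10.0.9.9", 100 * GiB),
    _flow("2021-05-01T10:00:00", "10.0.5.24", "198.51.100.20", 60 * MiB),
    _flow("2021-05-02T10:00:00", "10.0.5.24", "198.51.100.20", 60 * MiB),
    _flow("2021-05-03T10:00:00", "10.0.5.24", "198.51.100.20", 60 * MiB),
    _flow("2021-05-04T10:00:00", "10.0.5.24", "198.51.100.20", 60 * MiB),
    _flow("2021-05-05T10:00:00", "10.0.5.24", "198.51.100.20", 60 * MiB),
]


def daily_egress(flows):
    """Sum bytes per internal source host per calendar day, counting only
    flows whose destination lies outside INTERNAL_NETS."""
    egress = defaultdict(lambda: defaultdict(int))
    for fl in flows:
        if is_internal(fl["src"]) and not is_internal(fl["dst"]):
            day = datetime.fromisoformat(fl["ts"]).date().isoformat()
            egress[fl["src"]][day] += fl["bytes"]
    return egress


def find_exfil(flows, factor=10, min_bytes=5 * GiB, min_baseline_days=2):
    """Flag (host, day) pairs whose egress is at least `min_bytes` and at
    least `factor` times the median of that host's other observed days.
    Thresholds are illustrative assumptions, to be tuned per environment."""
    findings = []
    for host, per_day in daily_egress(flows).items():
        for day, total in sorted(per_day.items()):
            others = [b for d, b in per_day.items() if d != day]
            if len(others) < min_baseline_days:
                continue  # not enough history to call anything anomalous
            baseline = median(others)
            ratio = total / baseline if baseline else float("inf")
            if total >= min_bytes and ratio >= factor:
                findings.append({"host": host, "day": day, "bytes": total,
                                 "baseline_bytes": baseline,
                                 "ratio": round(ratio, 1)})
    return findings


if __name__ == "__main__":
    for f in find_exfil(SAMPLE_FLOWS):
        print(f"ALERT: {f['host']} sent {f['bytes'] / GiB:.1f} GiB on {f['day']}, "
              f"{f['ratio']}x its median day")
```

Using each host's own median rather than a fleet-wide threshold keeps a backup server's routine volume from masking a workstation's sudden 40 GiB, and excluding internal destinations avoids alerting on ordinary east-west traffic. An attacker who trickles the data out below the daily ratio will still show up if the same aggregation is run over a rolling week.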

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
