It has been almost 2 weeks since Sangfor wrote about the DarkSide ransomware attack on Colonial Pipeline in the US, and a week since operations were restored, but the after-effects continue. Although gas is again flowing through the largest pipeline in the US, gasoline prices hit a six-year high with a national average of $3.04 USD per gallon this week, as over 10,000 pumps on the eastern half of the country were still without supply. At one-point last week, the price of gasoline reached $6.99 USD due to hoarding and price gouging.
It was also confirmed today that Joseph Blount, CEO of Colonial Pipeline Co., paid $4.4M USD ransom in 75 Bitcoins to the DarkSide group on May 7, the day of the attack. Mr. Blount, after much consideration, likened the ransomware attack to pipeline and refinery shutdowns lasting several days, that occurred during many past strong Gulf Coast hurricanes.
Joseph Blount, CEO of Colonial Pipeline. Photo: PHOTO: COLONIAL PIPELINE CO.
“I know that’s a highly controversial decision. I didn’t make it lightly,” Mr. Blount said publicly today. “I will admit that I wasn’t comfortable seeing money go out the door to people like this. But it was the right thing to do for the country.”
It may have been the right thing to do for the country, but it did little to help restore operations at Colonial Pipeline. The decryption tool provided after payment was so slow, Colonial Pipeline still had to restore backups of data to restore operations in a timely manner.
Colonial Pipeline’s pipeline system moves gasoline and other fuels from refineries in the US Gulf Coast and other locations over 5,500 miles to customers in the Eastern and Southern United States. The pipeline normally carries over 100 million gallons of fuel per day (45% of all fuel consumed on the eastern half of the US), making it the biggest refined products pipeline in the US, according to the company.
The Colonial Pipeline story is not just about a company recovering from a cyberattack, but also a lesson on how the federal and several state governments acted to contain a national energy crisis.
7 May 2021, 5:30AM: DarkSide ransomware attack was discovered in Colonial Pipeline’s business operations systems, including the customer billing system, when a ransomware note was discovered on a business system. 100 gigabytes of data were also stolen in a double extortion scheme where data is held hostage with threats to leak the stolen data if the ransom is not paid. The mechanisms used to breach and infect systems have not been publicly disclosed as of this date.
7 May 2021, approximately 6:00AM: CEO Joseph Blount was notified of the attack and told that gas pipeline operation systems were not yet affected.
7 May 2021, approximately 6:30AM: Pipeline operations were shutdown to prevent ransomware from attacking operations and control systems. This affected 260 gasoline delivery points across 13 states and Washington, D.C. Employees were instructed not to log into any systems on the corporate network for fear of further spreading ransomware. Colonial Pipeline contacted the FBI’s offices in Atlanta and San Francisco, as well as a representative from the Cybersecurity and Infrastructure Security Agency (CISA), as per their operations protocol. Cybersecurity vendor FireEye was reportedly hired to consult and investigate.
7 May 20201, evening: CEO Blount, after consultation with cybersecurity experts, US government authorities, and their cyber insurance carrier, paid $4.4M USD using 75 Bitcoins to DarkSide group. Ransomware decryption tool was received by Colonial Pipeline.
Recovery operations start. Colonial Pipeline attempts to use the decryption tool to decrypt infected systems, but tool proves to be inefficient and very slow. Colonial Pipeline forced to restore backups if available. US authorities work with Colonial Pipeline to investigate how breach occurred and trace attack back to DarkSide.
10 May 2021: Colonial Pipeline releases announcements “…Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach…,” and “…Line 4, which runs from Greensboro, N.C., to Woodbine, Md., is operating under manual control for a limited period of time while existing inventory is available.”
US Department of Transportation issued exception on hours of operation for transportation of fuel products across the eastern United States, as well as the US Environmental Protection Agency (EPA) issuing waivers to reduce supply disruptions. Transportation hours for gasoline, diesel and jet fuel are normally limited during the day to prevent hazardous accidents during peak driving hours.
North Carolina, South Carolina and Virginia declared states of emergency due to gasoline supply shortages.
12 May 2021: US President Joseph Biden signs an Executive Order on Improving the Nation’s Cybersecurity with the goal of improving US cybersecurity defenses, after a string of cyberattacks on the federal government and private companies, exacerbated by concerns about fuel shortages caused by the attack on Colonial Pipeline.
The order states, incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life."
12 May 2021, 5:10PM: Colonial Pipeline announces restart of pipeline operations and gasoline starts to flow. But it will take several days for the pipeline to fill and delivery supply chain to return to normal. An army of employees are walking or driving along the 5,500-mile length of pipeline to ensure there are no operational issues.
13 May 2021, 4:40PM: Colonial Pipeline announces pipeline operations fully restarted with delivery to all client markets. But it will take several days for the pipeline to fill and delivery supply chain to return to normal.
15 May 2021: Colonial Pipeline tweets all pipeline operations fully normal.
One of the biggest flaws in Colonial Pipeline’s security architecture was that they could not quicky prevent business systems from infecting operational systems, so they had to shut down everything to be sure. Had Colonial Pipeline implemented strong anti-ransom protection, the effects of the attack could have been minimized and contained.
Cyberattacks including ransomware are only going to increase. They will never stop because there is too much profit in it. Worse, attacks are going to be directed more at critical infrastructure because it may be the most vulnerable and the most impactful for ransoms to be paid. More attention and priority are needed to improving infrastructure security worldwide. Yet, little is being done globally or even regionally to secure aging and obsolete infrastructure cybersecurity.
Sangfor protects critical information infrastructure around the world, providing real-time comprehensive security monitoring and protection of critical information infrastructure.
Sangfor Solution for Ransomware based on Sangfor’s award winning Endpoint Secure endpoint protection, the award winning NGAF next-generation firewall and the next generation Cyber Command threat hunting platform is proven to break every step of the ransomware attack chain, providing comprehensive prevention, protection, detection, and response.
Sangfor VDI provides secure virtual desktop environments that facilitate secure ICS and infrastructure operations while preventing both APT/ransomware from attacking and sensitive data from being exfiltrated. In addition, Sangfor's MSS security operation service suites provide users with preventative, monitoring, and incident response services for ransomware prevention and response.
Sangfor reminds users that the best protection against ransomware is prevention. Most files encrypted by ransomware cannot be decrypted so regular preventive measures should include:
To know more about this topic, please join us in this webinar on BrightTalk
Colonial Pipeline is the largest oil product pipeline operator in the United States, and the recent Ransomware attack forced shutdown of all their operations.
This cyber attack is just the latest in a long series of serious ransomware and malware attacks, and we can’t help but envision a world in the not-too-distant future where ransomware attacks impact all our daily lives. Ransomware is booming and now targeting all kind of industries, including critical infrastructure, healthcare and government.
Participate in this webinar to learn more about this recent attack, how it unfolded, its impact and what your organization can do to prevent such cyber-attacks.