In an incident which highlights the potential vulnerability of critical national infrastructure to cyber attacks, US oil pipeline operator Colonial Pipeline shut down its network on 7 May in a defensive response to a ransomware attack against the company’s IT system. The US government has since issued emergency legislation to allow the transportation of fuel by road. The pipeline is a key part of the US’s energy infrastructure and supplies 45% of the east coast's diesel, gasoline and jet fuel. Industry experts have warned that the incident could affect fuel prices if left unresolved for a protracted period.
Join the Darkside
An unnamed US official reported that the attack was carried out by the “Darkside” ransomware group, known for its ransomware-as-a-service (RaaS) affiliate program, under which it rents out its software to other groups. The group had previously stated that it would not attack hospitals, schools or governments, but may have crossed a line with its latest attack given the potential large-scale economic consequences. Its software avoids attacks against systems using Russian language settings, and its representatives are known to communicate in Russian.
As is common among ransomware groups, Darkside publishes a “blog” on which it names and shames victims in a bid to exert further pressure to pay ransoms. The blog recently suggested that the group would offer insider information to corrupt traders so that they could short the stocks of companies it had attacked, anticipating a fall in share price. It is not known whether the group was using this same technique to profit from potential rises in the prices of petroleum products.
The political impact of the attack
Unlike many financially-motivated attacks, this incident will likely have consequences beyond the profitability of the company if there is a long-term impact on supply. Industry analysts suggest that if distribution is halted for more than three days, impacts will be felt. At the time of writing, the likelihood of this was unclear.
Fuel distribution is part of the US’s critical national infrastructure (CNI), and long-term impacts on the operations of the pipeline would have an economic impact on a large number of sectors and businesses that depend on fuel to operate effectively. While incidents against CNI have occurred before, the enactment of emergency legislation suggests that this attack has caused greater disruption than previously seen.
Attacks by ransomware groups against critical national infrastructure have been observed before. In 2019, the Portuguese energy company Energias de Portugal (EDP) was targeted, resulting in operations ceasing. In February last year, the US government issued warnings over ransomware attacks against pipeline operators, citing a spear-phishing attack in which attackers gained access to the operational technology (OT) that controls machinery, eventually leading to operations being shut down for two days. The Colonial Pipeline is an important asset for the east coast. However, the overall impact of the attack remains to be seen and will largely depend on the crisis planning and response that the business has put in place to ensure redundancy.
The attack revealed on Friday will inevitably provoke further concern in Washington, and among other governments around the world tackling this issue. A report from the US-based Ransomware Task Force (RTF) published last month called for an enhanced international response to this growing threat. Its recommendations included an increased role for the intelligence community in tackling the issue, improved cybersecurity standards, and a collaborative role for insurers in creating “war-chests” to pursue civil action and financial recovery against attackers. This incident will provide another impactful data point for US legislators pushing for a more robust, federally led response to the ransomware threat.
For businesses concerned about this incident, we have provided below some general guidance on the techniques typically used by this group and some good-practice advice on securing systems to prevent and minimise ransomware attacks.
Advice for businesses operating in critical national infrastructure (CNI) can be found on the National Cyber Security Centre (NCSC) CNI Hub and in the CNI section of the US Cybersecurity and Infrastructure Security Agency (CISA) website.
MDR Cyber provide ransomware readiness audits for businesses, which include tailored, intelligence-led security testing. These audits allow businesses to understand their exposure specifically to financially-motivated ransomware groups and their tactics, techniques and procedures, and to identify the key defensive measures they should take to prevent attacks and prepare for their consequences.
Compromised valid credentials and technical exploits against public-facing servers
The Darkside group are known to target public-facing external infrastructure, including by using valid, compromised credentials to access remote access tools, which businesses have relied on increasingly to support homeworking since the COVID-19 pandemic. They are also known to use technical exploits against vulnerable servers, to deploy remote desktop protocol (RDP) and use it over the Tor network to achieve persistence, and to carefully avoid computers with endpoint detection and response (EDR) security measures.
Once the attackers are inside the network, they typically use the Cobalt Strike beacon tool to establish secondary command and control. The group use a variety of other well-known tools, such as Mimikatz and PsExec, to scan, run commands and obtain credentials. The attackers have been seen to carefully gather information about their targets, mapping out networks until they have collected sufficiently elevated privileges to ensure their continued control. As with most human-operated ransomware attacks, the group exfiltrates data for increased extortion leverage against their victims. To improve their chances of a payout, the group also identify and encrypt backup systems. The ransomware is also programmed to delete shadow volume copies, decreasing the opportunities for technical recovery without paying the ransom demand and obtaining the key.
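As an added example (not code from the original article or from MDR Cyber), the following Python detection logic runs over a few constructed Windows process-creation events and flags the host-level traces of the behaviours described above: shadow-copy deletion ahead of encryption, the PsExec service binary, and Mimikatz command-line syntax. The hostnames, user names, paths and field names are assumptions.

```python
import re

# Constructed Windows process-creation events (Sysmon Event ID 1 style), reduced
# to the fields a rule needs. Hostnames, users and paths are made up.
SAMPLE_EVENTS = [
    {"host": "fileserver01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fileserver01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws-114", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "ws-114", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\m.exe",
     "cmdline": 'm.exe "sekurlsa::logonpasswords"'},
    {"host": "backup02", "user": "CORP\\svc_backup",  # benign admin use
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

# (rule name, event field, pattern): the well-known command lines for shadow-copy
# deletion, the PsExec service binary dropped on a remote host, and Mimikatz
# module syntax. A listing of shadow copies is deliberately not matched.
RULES = [
    ("shadow_copy_deletion", "cmdline", re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("psexec_remote_exec", "image", re.compile(r"\\psexesvc\.exe$", re.I)),
    ("mimikatz_cli", "cmdline", re.compile(r"\b(sekurlsa|lsadump)::", re.I)),
]

def detect(events):
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        for name, field, pattern in RULES:
            if pattern.search(ev.get(field, "")):
                alerts.append({"rule": name, "host": ev["host"], "user": ev["user"]})
    return alerts

def hosts_with_multiple_rules(alerts):
    """Hosts on which more than one distinct rule fired: a stronger signal of
    hands-on-keyboard activity than any single command seen in isolation."""
    rules_by_host = {}
    for a in alerts:
        rules_by_host.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) > 1)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["host"]:<13} {a["user"]:<18} {a["rule"]}')
    print("hosts with multiple rules:", hosts_with_multiple_rules(found))
```

In a real deployment the same rules would be fed from EDR or SIEM process telemetry rather than an inline list, and a shadow-copy deletion on a file server is worth treating as an incident in its own right.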
Key defensive measures
- To defend against attacks from Darkside and other ransomware groups, businesses are reminded to mandate two-factor authentication on remote access tools and to implement strong password policies, reducing the risk of hostile actors gaining access to systems in the first place.
- Security teams should also review the use of privileged credentials, and the segregation of systems and devices, to make sure that malicious actors cannot access the entirety of your network if they gain access via a single compromised password.
- Access to different systems and data should be segmented where possible, and employees should only have access to the data needed to perform their role – this will, in turn, prevent malicious actors from accessing the breadth of your systems.