According to a statement from the US Department of Transportation, the US government declared a state of emergency after the largest fuel pipeline in the country was hit by a ransomware attack. Colonial Pipeline delivers about 45% of the fuel used along the Eastern seaboard. The FBI has confirmed that the hacking group DarkSide is behind the attack.
According to a Wall Street Journal report, Colonial Pipeline’s CEO Joseph Blount confirmed that the company paid $4.4 million in ransom to the attackers. After the payment, the company received a decryption tool from the attackers to restore its network.
Dave Russell, VP of Enterprise Strategy at Veeam
This specific incident is somewhat like an actual disaster recovery situation. Imagine the heightened stress and the large volume of data that is required, not to mention that the response is most likely all hands on deck with every possible person being on active call to assist.
So far, all of these things, a large amount of data, organisational stress, heavy usage of infrastructure, and of course unexpectedly putting the DR plan into actual use, sound like challenges, but ones you would expect with a DR activity. Cyberthreats, unlike traditional DR, are different because the backup data needs to be inspected to verify that it is clean from infection.
It could be that the ransomware or malware has compromised, or is believed to have compromised, systems that are still up and running. So now there is a delay in understanding whether a standing system should be rebuilt and all data restored, etc.
If a datacentre has poorly defined response plans, backup success issues and poorly performing recovery infrastructure, then these things are going to exacerbate an already challenging situation.
Some possible ways to address these challenges:
- Follow the 3-2-1-1-0 rule and best practice to ensure recoverability from cyberthreats. This concept calls for 3 or more copies of data on 2 or more different types of media, 1 of which is offsite, 1 copy of which is offline, air-gapped or immutable to ensure backup data is free from infection, and the 0 is to ensure that your backups are valid so that when you go to restore data your recovery will be successful.
- Test your recovery ahead of an incident. This is where automation can be very helpful: a DR solution that helps automatically test and verify recovery plans is valuable both in validating those plans and in performing the actual recovery.
- Leverage a backup solution that is optimised for instant recovery of vital data; mounting data from the backup repository rather than restoring it can get critical systems up and running sooner.
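The 3-2-1-1-0 rule described above can be turned into an inventory check that a backup team runs before an incident rather than during one. The following is an added example written for this page, not Veeam's code; the `BackupCopy` fields, the inventories and the decision to count the production copy as one of the three are assumptions made for the illustration. The one non-obvious choice is the "0": a copy that has never been test-restored is treated as an error, because its recoverability is unknown until proven.

```python
"""Evaluate a backup inventory against the 3-2-1-1-0 rule.

Added example, not Veeam's code. The BackupCopy fields are assumptions
made for this illustration of the rule quoted above.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                  # e.g. "disk", "tape", "object-storage"
    offsite: bool               # held in a different site or region
    isolated: bool              # offline, air-gapped, or immutable (object lock / WORM)
    restore_test_passed: Optional[bool] = None   # None means never test-restored


def evaluate_3_2_1_1_0(copies: List[BackupCopy]) -> Dict[str, bool]:
    """Return one pass/fail flag per digit of the rule.

    Assumption: the production copy is counted as one of the three copies.
    """
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_isolated": any(c.isolated for c in copies),
        # "0" errors: every copy has a passing restore test. An untested copy
        # counts as an error, since nobody knows yet whether it restores.
        "0_errors": bool(copies) and all(c.restore_test_passed is True for c in copies),
    }


def failures(copies: List[BackupCopy]) -> List[str]:
    """List the digits of the rule that the inventory does not satisfy."""
    return [rule for rule, ok in evaluate_3_2_1_1_0(copies).items() if not ok]


# Constructed inventories for the example (not real data).
GOOD = [
    BackupCopy("production-san-snapshot", "disk", offsite=False, isolated=False, restore_test_passed=True),
    BackupCopy("backup-repo-dc2", "disk", offsite=True, isolated=False, restore_test_passed=True),
    BackupCopy("object-lock-bucket", "object-storage", offsite=True, isolated=True, restore_test_passed=True),
]

# The shape many ransomware victims actually have: same media, same site,
# reachable from the production network, and never test-restored.
WEAK = [
    BackupCopy("production", "disk", offsite=False, isolated=False, restore_test_passed=True),
    BackupCopy("nas-backup", "disk", offsite=False, isolated=False, restore_test_passed=None),
]

if __name__ == "__main__":
    for label, inventory in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, "fails:", failures(inventory) or "none")
```

Run as a script it prints no failures for `GOOD` and all five digits for `WEAK`; the same functions can be fed an inventory exported from whatever backup tool is in use.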
Stefan Schachinger, Product Manager, Network Security – IoT, OT, ICS at Barracuda
The series of severe cybersecurity attacks in 2021 is not stopping. Just a few months after a critical attack on US water supplies, critical infrastructure has been hit again, this time the Colonial Pipeline has been attacked and is currently out of service.
Details of the attack are not known yet, and typically will not be published until the situation is resolved. According to international news agencies, the gang behind the attack has been identified as Darkside. The way Darkside operates clearly shows that it is a professional criminal organisation, although they are trying to sell themselves as the cybersecurity Robin Hoods on their website.
We assume Colonial Pipeline, the biggest US pipeline system connecting oil supplies in Texas with New York, has been attacked through insecure remote access. The pandemic and our limited mobility in the last year have been a driver for remote access from home.
Unfortunately, as we have seen from other security incidents on operational technology, OT, many of the systems have not been secured properly. When critical infrastructure is hit, and millions of barrels of oil have to be carried on trucks, that really hurts. Contrary to the smaller sized security incidents we have seen recently, taking the biggest pipeline of the US down has a significant and long-lasting impact on the economy.
13,000 average sized fuel tankers a day would be necessary to compensate for the blocked pipeline; the result will be fuel prices increasing and economic growth slowing down. That demonstrates the escalating priority of cybersecurity in OT environments. Not many attacks on traditional IT systems would have such an impact on the economy.
While Colonial Pipeline have engaged security experts and law enforcement to assist with the remediation, Darkside has threatened to publish the stolen data, so they might have to pay anyway. Cleaning up internal systems after a ransomware attack is very important to avoid remaining backdoors which could be used again.
A working backup is the last line of defence in that case, and that is why we recommend separating the backup system from the production systems. But recently more and more organisations behind ransomware attacks have threatened their victims with publishing data on the Internet, so they are not just encrypting anymore. Now it depends how delicate that data is.
Remote access is not insecure by definition but requires proper security measures such as encryption and multifactor authentication. Employees and external maintainers should have access to the required systems only, not to the entire network. Zero Trust Network Access, ZTNA, solutions can help to implement controlled but easy to use remote access to systems only. VPN clients address more sophisticated requirements, but remote access must be authenticated and encrypted properly. Organisations should also implement a layered defence strategy, with multiple technical hurdles that keep attackers and malicious software out.
Segmentation between IT and OT systems and micro-segmentation within the OT network is a key principle to contain an attack once a piece of malicious software has found a way in. And there are many ways for attacks; remote access is just one of them, email is still the most popular attack vector, and there are many other possibilities. Bear in mind that social engineering targeted at humans can become a problem as well. Security is always a combination of multiple technical and organisational measures. For organisations in critical infrastructure and industry, where even short outages can cause significant damage, cybersecurity is an insurance that comes at a much lower cost.
Peter Grimmond, International CTO, VP Technical Sales at Veritas Technologies
They say that data is the new oil, but it may now also be correct to say that, without data, there would be no oil. The truth of digital transformation is that we are all much more vulnerable than we used to be.
The more that hospitals, traffic management systems, policing or, in this case, fuel supplies, rely on data, the greater the impact that hackers can have by interfering with it. And this has driven the explosion in ransomware that we have seen over recent months: the more impact that a hacker can have, the more likely their victims are to pay to get their systems back online.
Veritas has shown how bad the situation has become over the last year, finding that 64% of global businesses have failed to evolve their security policies fast enough to keep pace with their digital transformation projects. As a result, 61% of utilities companies who have experienced an attack have paid at least part of the ransom – that compares with just 44% for the publishing industry but goes up to 79% for the healthcare sector.
Earlier this month, a ransomware taskforce called on the President of the US to, amongst other things, designate ransomware as a national security concern and a threat to critical infrastructure. The same document called for regulators of critical infrastructure to incentivise ransomware risk management.
Veritas welcomes this and believes that the only way to break the cycle of ransomware is for businesses managing critical infrastructure to focus on protecting their data, rather than mitigating the cost of paying ransoms.
If organisations can bring their protection and availability solutions up to speed with their transformation projects, then they will be better able to simply spin up alternative IT environments, with clean versions of their data, that enable them to quickly return to providing their critical services without the need to engage with the hackers.
Chester Wisniewski, Principal Research Scientist, Sophos
To make sure your business is protected from attacks like this moving forward, Sophos recommends working your way from the outside in, thinking like an attacker:
- Analyse all public facing assets, ensure they are patched and require multi-factor authentication for any remote access.
- Ensure your demilitarised zone, DMZ, is isolated from the LAN and servers are locked down to not run PowerShell or unauthorised binaries (RClone, etc), and are fully patched in the shortest time possible, ideally less than five days.
- Run advanced endpoint protection on all assets, especially servers. Many of the most advanced attackers will never interact with a desktop or laptop computer. Instead, they focus on servers as they are least likely to be patched on time and running proper security tools.
- Monitor all of your logs and sensors for anomalous activity and follow up on alerts and suspicious activity with an investigation into how that could have occurred. With no user interaction, every server alert is an indication of compromise.
- Have backup and disaster recovery plans at the ready so you know what to do if part of your infrastructure needs to go offline during an investigation
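Two of the points above, locking servers down so they do not run PowerShell or tools such as RClone, and treating every server alert as an indication of compromise, can be expressed as a detection over process-creation events. The block below is an added example written for this page, not Sophos's code. The log lines are constructed, in a simplified key=value rendering of Sysmon Event ID 1; the `Image`, `OriginalFileName` and `CommandLine` field names match Sysmon, while the `host` and `role` tags and the blocked-binary list are assumptions a server owner would tune. It also goes one step beyond the text: because attackers routinely rename rclone to something innocuous, the check compares the on-disk name with the PE `OriginalFileName` rather than trusting the path alone.

```python
"""Flag PowerShell and unauthorised transfer tools running on servers.

Added example, not Sophos's code. Log lines are constructed in a simplified
Sysmon Event ID 1 (process creation) style. The host/role tags and the
blocked-binary list are assumptions for the illustration.
"""
import re
from typing import Dict, List, Tuple

# Binaries that should never execute on a DMZ or server host (assumption:
# a starting list; rclone and megasync are common ransomware exfil tools).
BLOCKED_NAMES = {"powershell.exe", "pwsh.exe", "rclone.exe", "megasync.exe"}

# key=value pairs; values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# PowerShell accepts abbreviated switches, so -e, -ec, -enc all mean -EncodedCommand.
ENCODED_RE = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons this event is suspicious on a server, or [] if none."""
    reasons: List[str] = []
    if event.get("role") != "server":
        return reasons  # workstation PowerShell use is out of scope for this rule

    image_name = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()

    if image_name in BLOCKED_NAMES:
        reasons.append(f"blocked binary executed: {image_name}")
    # A renamed tool keeps its PE OriginalFileName; catch rclone copied to svchost.exe.
    if original in BLOCKED_NAMES and original != image_name:
        reasons.append(f"renamed binary: {image_name} has OriginalFileName {original}")
    if ENCODED_RE.search(event.get("CommandLine", "").lower()):
        reasons.append("encoded PowerShell command line")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Run classify() over raw lines; each alert is (host, image, reasons)."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            alerts.append((event.get("host", "?"), event.get("Image", "?"), reasons))
    return alerts


# Constructed sample events (raw strings so the Windows paths survive).
SAMPLE_LOG = [
    r'host=WEB01 role=server Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" OriginalFileName=PowerShell.EXE CommandLine="powershell.exe -enc SQBFAFgA"',
    r'host=WEB01 role=server Image="C:\Windows\Temp\svchost.exe" OriginalFileName=rclone.exe CommandLine="svchost.exe copy D:\data remote:bucket"',
    r'host=WEB01 role=server Image="C:\Windows\System32\inetsrv\w3wp.exe" OriginalFileName=w3wp.exe CommandLine="w3wp.exe -ap DefaultAppPool"',
    r'host=LAPTOP07 role=workstation Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" OriginalFileName=PowerShell.EXE CommandLine="powershell.exe Get-Process"',
]

if __name__ == "__main__":
    for host, image, reasons in scan(SAMPLE_LOG):
        print(f"{host}: {image}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the constructed log this raises two alerts, both on `WEB01`: the encoded PowerShell launch and the `svchost.exe` whose `OriginalFileName` says it is rclone. The IIS worker process and the workstation PowerShell session are left alone, which is the point of scoping the rule to servers: there, as the text says, no user should be typing anything.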
Ram Narayanan, Country Manager at Check Point Software Technologies Middle East
It has been suggested that Ryuk ransomware is behind the attack on Colonial Pipeline. Ryuk, with more than 2000 victims in 2021, is by far one of the most successful ransomware families of recent years. While the US is one of Ryuk’s favourite markets, it is also targeting the UAE, and there have been six attacks by Ryuk on UAE organisations so far this year.
Lior Div, CEO and Co-Founder, Cybereason
Cyberattacks are not indefensible, it simply means the adversary is capable. But a capable adversary is not an excuse for failing to protect customers at such a massive scale, or to downplay that failure by glorifying the assumed prowess of the attackers.
The SolarWinds and Microsoft Exchange Server attacks were unparalleled in their scope, successfully infiltrating and compromising virtually every US government agency and a wide array of medium and large private sector companies. The Colonial Pipeline attack reinforces the need to update legacy systems running today’s critical infrastructure networks. How the Biden administration responds to the broader and more wide-scale attacks will be a part of the administration’s legacy.
If the public and private sectors can work together to solve complex cybersecurity issues, and at the same time accurately identify the threat actors and bring them to account for their actions, it will go a long way in reversing the adversary advantage and enable defenders to retake the high ground. There is also another significant opportunity here as well to cooperate on a global scale to develop extradition laws that enable cybercrimes and cyber espionage to be prosecuted more effectively.
Marty Edwards, VP of OT Security at Tenable
Cyberattacks are a real and present danger to critical infrastructure around the world and, by extension, every single consumer. If reports are accurate, the Colonial Pipeline incident has all of the markings of a possible ransomware attack that began in the IT environment and, out of precaution, forced the operator to shut down operations.
Ransomware has been a favoured attack vector of cybercriminals because of its effectiveness and return on investment. That is precisely why bad actors have recently set their sights on critical infrastructure. Shutting down operational technology environments can cost hundreds of millions of dollars, which forces providers to weigh the costs.
We should not underestimate these groups. Many of them now have help desks, technical support, payroll processing and subcontractors. They are essentially full-fledged criminal corporations operating in the digital world. While it is unknown how this attack played out, it is yet another reminder of the increasing threats to critical infrastructure we all rely on.
Ammar Enaya, Regional Director – METNA, Vectra AI
Increasingly, the risk of strategic disruption or destruction of a nation’s critical infrastructure is not measured by its proximity to an adversary’s airfield or carrier group but is measured by the degree to which its connectivity to the outside world is insufficiently safeguarded. Alarm bells from credible voices in the security industry have been ringing for critical infrastructure for much of the last decade.
Unfortunately, this is an area overrun by sprawling and difficult to manage technical debt, with variable levels of awareness and sophistication on behalf of parties directly responsible for its safeguard. As this is an area of national, strategic importance addressing it requires national, strategic vision, execution, and the relentless pursuit of consequence and accountability until the risks are mitigated – if there are leaders still asleep at the wheel on this one, they need to wake up or step aside.
DarkSide, the group purported to be behind the Colonial Pipeline Attack, are well known for their level of sophistication and the intentional, slow progression they make through a network to capture and control as many resources and data as possible prior to going destructive, sometimes taking days or weeks.
Despite this, nothing within their tooling or tactics is particularly new or novel – these are the same tools, techniques, and methods we have seen for years even if they take specific care to avoid more modern security controls, like Endpoint Detection and Response, EDR.
This is a developing story. Bookmark this link for all the latest updates.