The Colonial Pipeline hack was not the first domino to fall in a world-ending spate of sudden attacks on America’s critical infrastructure, according to several cybersecurity experts.
It was more likely the product of sloppy internal security practices and a textbook hack-and-pay gone wrong, they said.
The FBI says that DarkSide, a group relatively new to the ransomware scene, is behind the attack. Signs point to this being a case of a bungled extortion plot, rather than the coordinated work of hackers intent on compromising America’s energy grid.
Whatever the motivation, the impact was real.
The federal government issued an emergency declaration for 17 states and the District of Columbia after the country’s largest fuel pipeline went down. Gasoline price hikes and shortages were reported across the U.S., though the supply crunch is likely more to do with panic buyers heading to the pump than the attack itself. Colonial paid nearly $5 million as a ransom to unlock its systems, a sourced familiar with the situation told CNBC, confirming earlier reports.
While the episode has laid bare how vulnerable America’s critical infrastructure is to cybercriminals, it does not mean we’re suddenly facing a new risk of widespread shutdowns. Ransomware attacks like this are common, but they typically don’t aim to knock infrastructure offline. It appears as if DarkSide, like most attackers, was motivated by financial gain rather than compromising America’s supply of gas.
The attack drew new government attention to the surge in ransomware attacks and spurred President Joe Biden to sign an executive order Wednesday, with an aim to strengthen its cyberdefenses.
“Depending on the U.S. government response to [the Colonial Pipeline attack], it could really make other groups say, ‘Hey, we’re not going to target these sectors at all,'” said Rick Holland, chief information security officer at Digital Shadows, a cyberthreat intelligence company.
A common attack
While the effects of this hack were dire, the type of attack was not new or unique in any way. In fact, ransomware attacks — where criminals install software that freezes or locks computer systems until a company pays them a ransom, usually in bitcoin or another cryptocurrency — happen all the time.
“Everyone is reporting on this ransomware attack because it affects the networks involving an oil pipeline,” said Katie Nickels, director of intelligence at the cybersecurity firm Red Canary.
“The thing that is interesting for myself and a lot of other cybersecurity professionals is that these ransomware attacks have been going on for years. And it seems like this one, just because it involved critical infrastructure in the U.S., has struck a particular nerve.”
In the last year and a half in particular, there has been a rapid uptick in these types of attacks, said former CIA case officer Peter Marta, who now advises companies about cyber risk management as a partner with law firm Hogan Lovells.
We are in the middle of a ransomware epidemic right now.
Peter Marta
Partner, Hogan Lovells
“To your average person, this is big news,” said Marta. “But when I heard about it, it wasn’t even a blip on the radar. … There is a lack of understanding that we are in the middle of a ransomware epidemic right now.”
But even as the number of cyberattacks balloons, the number designed to cripple systems is small, said Sergio Caltagirone, who spent eight years working as an analyst for the National Security Agency, where he was responsible for finding, tracking, and countering the world’s most sophisticated cyberthreats.
“In the industrial space, the number of cyberattacks which have been designed to cripple industrial systems like water, power, oil, and gas … are even much, much, much, much, much smaller,” continued Caltagirone, who also was a director of threat intelligence at Microsoft and is now vice president of threat intelligence at Dragos, an industrial cybersecurity firm.
“The highest likelihood of an actual major disruptive event like this occurring again in the future is through inadvertent attacks like this.”
Sloppy defenses
America’s physical infrastructure generally tends to be vulnerable, and pipelines are especially hard to defend. While this is not good news, it’s been the case for years — and attackers have long known it. Last week’s attack does not change that or reveal any new information.
Leo Simonovich, head of industrial cybersecurity at Siemens Energy, told CNBC that part of the problem is that as oil and gas companies connected physical assets like pipelines with digital software and applications, they essentially just bolted digital solutions on top of aging assets.
“This creates a situation where it’s hard to detect threats in time for them to be stopped and — in some cases – even apply basic hygiene measures to protect yourself,” Simonovich said.
This attack targeted the company’s traditional information technology network, not its operational technology network — that is, the systems that move valves, start and stop pumps, measure things, and so on. Colonial Pipeline made the call to shut down its OT network and pipeline after discovering the breach, not DarkSide.
That’s standard practice, but it does not mean that the OT network itself was vulnerable, Simonovich says. “With this attack, and in other attacks, operators end up shutting down their whole OT production, because they can’t be certain about what’s been impacted by the attack or how to respond.”
Cybercriminals likely learned nothing new this past week. Pipelines are very different from each other, because they are purpose built. An attack against one specific type of fuel pipeline won’t necessarily lead to an attack against another.
Moreover, because intruders typically like to learn about their victims’ networks before launching an attack, there are typically multiple opportunities for defenders to find and stop the ransomware attack chain before it gets to the point of data exfiltration and encryption.
“A network just doesn’t wake up one morning and get ‘ransomwared’ out of nowhere,” said Nickels. “It has to go through a whole attack chain. … There are so many opportunities for defenders to stop this ransomware.”
A lot of times ransomware gets in via a phishing email or a network connection that isn’t secured with two-factor authentication. Nickels says simple hygiene techniques can stop that initial access.
A network just doesn’t wake up one morning and get ‘ransomwared’ out of nowhere.
Katie Nickels
Director of intelligence, Red Canary
“I think there’s a lot of fear out there and a lot of people are freaked out … but it is possible to detect these ransomware intrusions early on,” continued Nickels. “It’s very doable to detect these operators. … You can find them and stop them before it gets that bad.”
Having sufficient manpower in place is key, and one place where there’s room for improvement.
“The TSA admitted back in 2017, they had six full-time personnel responsible for overseeing the security of 2.7 million miles of pipelines. That’s something that gives me cause for concern,” said Neil Chatterjee, a commissioner on the Federal Energy Regulatory Commission, the agency that oversees the critical security of the electric grid.
CNBC reached out to Colonial Pipeline to ask about a vacant “Manager, Cyber Security” job that’s been posted on the company’s jobs portal for over thirty days.
Colonial Pipeline wrote in an email to CNBC that “the cybersecurity position was not created as a result of the recent ransomware attack.” Instead, it said, the position was part of its ongoing recruitment efforts. “This is a role that we have been looking to add in an effort to continue building our current cyber security team.”
Unwanted side effects
Many signs indicate that DarkSide didn’t want things to play out this way.
The organization claims to care a lot about its reputation. DarkSide has cultivated a “Robin Hood” image and touts a code of conduct in which the hackers claim they won’t target hospitals, nonprofits, and – notably – governments.
“Our goal is to make money and not creating problems for society,” DarkSide wrote on its website.
The statement, which contained spelling and grammatical errors, went on to claim that the organization is not political and “does not participate in geopolitics.”
“It hurts the overall brand for DarkSide, and DarkSide is very brand aware,” said Holland. “They want to have a very positive brand as far as: ‘If you pay us, we’ll actually decrypt for you. We’ll destroy the data that we’ve stolen from you.'”
“They did not intend for this to be the outcome of the attack, but it occurred because of the complexity of the systems,” Caltagirone said.
While Nickels said it is too early to know for sure, she did say that DarkSide, in its 10-month history, has typically targeted organizations that don’t pose as much of a national security concern.
In a sense, Holland says, the attack backfired — the U.S. government is now a lot more focused on the threat than it used to be, and Biden has promised to “disrupt and prosecute” members of DarkSide.
“There are enough victims to extort without having to go after these types of critical infrastructure,” said Holland. “I think there could be some targeting changes, where they go after other groups that are not going to strike the ire of the U.S. government and every agency possible.”
On Wednesday, the hacker group said it had already attacked three more companies since the attack on Colonial Pipeline. One of the companies is based in the United States, one is in Brazil and the third is in Scotland. None of the three appears to engage in critical infrastructure.