Colonial Pipeline hack no cause for panic about infrastructure attack

A woman fills gas cans at a Speedway gas station on May 12, 2021 in Benson, North Carolina. Most stations in the area along I-95 are without fuel following the Colonial Pipeline hack.

Sean Rayford | Getty Images

The Colonial Pipeline hack was not the first domino to fall in a world-ending spate of sudden attacks on America’s critical infrastructure, according to several cybersecurity experts.

It was more likely the product of sloppy internal security practices and a textbook hack-and-pay gone wrong, they said. 

The FBI says that DarkSide, a group relatively new to the ransomware scene, is behind the attack. Signs point to this being a case of a bungled extortion plot, rather than the coordinated work of hackers intent on compromising America’s energy grid. 

Whatever the motivation, the impact was real.

The federal government issued an emergency declaration for 17 states and the District of Columbia after the country’s largest fuel pipeline went down. Gasoline price hikes and shortages were reported across the U.S., though the supply crunch likely has more to do with panic buyers heading to the pump than with the attack itself. Colonial paid nearly $5 million as a ransom to unlock its systems, a source familiar with the situation told CNBC, confirming earlier reports.

While the episode has laid bare how vulnerable America’s critical infrastructure is to cybercriminals, it does not mean we’re suddenly facing a new risk of widespread shutdowns. Ransomware attacks like this are common, but they typically don’t aim to knock infrastructure offline. It appears as if DarkSide, like most attackers, was motivated by financial gain rather than compromising America’s supply of gas.

The attack drew new government attention to the surge in ransomware attacks and spurred President Joe Biden to sign an executive order on Wednesday aimed at strengthening the government’s cyberdefenses.

“Depending on the U.S. government response to [the Colonial Pipeline attack], it could really make other groups say, ‘Hey, we’re not going to target these sectors at all,’” said Rick Holland, chief information security officer at Digital Shadows, a cyberthreat intelligence company.

A common attack

Sloppy defenses

America’s physical infrastructure generally tends to be vulnerable, and pipelines are especially hard to defend. While this is not good news, it’s been the case for years — and attackers have long known it. Last week’s attack does not change that or reveal any new information.

Leo Simonovich, head of industrial cybersecurity at Siemens Energy, told CNBC that part of the problem is that as oil and gas companies connected physical assets like pipelines with digital software and applications, they essentially just bolted digital solutions on top of aging assets.

“This creates a situation where it’s hard to detect threats in time for them to be stopped and — in some cases — even apply basic hygiene measures to protect yourself,” Simonovich said.

This attack targeted the company’s traditional information technology network, not its operational technology network — that is, the systems that move valves, start and stop pumps, measure things, and so on. Colonial Pipeline made the call to shut down its OT network and pipeline after discovering the breach, not DarkSide.

That’s standard practice, but it does not mean that the OT network itself was vulnerable, Simonovich says. “With this attack, and in other attacks, operators end up shutting down their whole OT production, because they can’t be certain about what’s been impacted by the attack or how to respond.”

Cybercriminals likely learned nothing new this past week. Pipelines are very different from each other, because each is purpose-built. An attack against one specific type of fuel pipeline won’t necessarily translate into an attack against another.

Moreover, because intruders typically like to learn about their victims’ networks before launching an attack, there are typically multiple opportunities for defenders to find and stop the ransomware attack chain before it gets to the point of data exfiltration and encryption.

“A network just doesn’t wake up one morning and get ‘ransomwared’ out of nowhere,” said Nickels. “It has to go through a whole attack chain. … There are so many opportunities for defenders to stop this ransomware.”

A lot of times ransomware gets in via a phishing email or a network connection that isn’t secured with two-factor authentication. Nickels says simple hygiene techniques can stop that initial access.
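The two points above (that a ransomware intrusion passes through several stages before exfiltration and encryption, and that a remote connection without a second factor is a typical entry point) can be made concrete with a small defender-side check. The following is an added example, not code from CNBC, from any of the people quoted, or from Colonial Pipeline; the log lines, the key=value log format, and the stage-to-event mapping are all constructed for illustration and do not describe any real product or the actual incident.

```python
"""
Added example (not from the article): two small detection checks that make
concrete the defender's opportunities described above. The log lines and the
stage keyword mapping are constructed for illustration only; they are not
from any real product and not from the Colonial Pipeline incident.
"""
import re
from collections import OrderedDict

# Constructed remote-access log lines in a simple key=value format
# (assumption: a VPN or remote-desktop gateway can emit something similar).
SAMPLE_ACCESS_LOG = """\
2021-05-06T02:13:44Z vpn login user=jdoe src=203.0.113.7 mfa=totp result=success
2021-05-06T02:15:10Z vpn login user=legacy-svc src=198.51.100.9 mfa=none result=success
2021-05-06T02:16:02Z vpn login user=mlee src=203.0.113.22 mfa=none result=failure
2021-05-06T02:20:31Z vpn login user=legacy-svc src=198.51.100.9 mfa=none result=success
"""

ACCESS_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>\S+) result=(?P<result>\S+)$"
)


def unprotected_logins(log_text):
    """Return (timestamp, user, src) for every successful remote login that
    completed without a second factor. Failed attempts are ignored: the risk
    the article describes is an attacker who already holds a valid password."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue  # skip lines in another format rather than guessing
        if m["result"] == "success" and m["mfa"] == "none":
            hits.append((m["ts"], m["user"], m["src"]))
    return hits


# Ordered stages of the ransomware attack chain the article refers to
# (initial access, internal reconnaissance, exfiltration, encryption).
# The event names are constructed stand-ins, not a real product's schema.
STAGE_KEYWORDS = OrderedDict([
    ("initial_access", {"phish_attachment_opened", "vpn_login_no_mfa"}),
    ("reconnaissance", {"network_scan", "ad_enumeration", "share_enumeration"}),
    ("exfiltration", {"large_outbound_transfer"}),
    ("encryption", {"mass_file_rename", "shadow_copy_deleted"}),
])

# Constructed endpoint events, oldest first: (timestamp, host, event_name)
SAMPLE_ENDPOINT_EVENTS = [
    ("2021-05-06T02:20:31Z", "ws-101", "vpn_login_no_mfa"),
    ("2021-05-06T03:02:11Z", "ws-101", "ad_enumeration"),
    ("2021-05-06T03:40:57Z", "ws-101", "share_enumeration"),
    ("2021-05-07T01:12:03Z", "fs-02", "large_outbound_transfer"),
    ("2021-05-07T04:30:00Z", "fs-02", "mass_file_rename"),
]


def stages_before_encryption(events):
    """Map each event to its attack-chain stage and return the ordered list of
    distinct stages observed before the first encryption-stage event. Every
    entry is a point where a detection could have fired ahead of the damage."""
    seen = []
    for _ts, _host, name in events:
        for stage, names in STAGE_KEYWORDS.items():
            if name in names:
                if stage == "encryption":
                    return seen
                if stage not in seen:
                    seen.append(stage)
                break
    return seen


if __name__ == "__main__":
    for ts, user, src in unprotected_logins(SAMPLE_ACCESS_LOG):
        print(f"{ts} remote login without MFA: user={user} src={src}")
    print("stages observed before encryption:",
          stages_before_encryption(SAMPLE_ENDPOINT_EVENTS))
```

Run against the constructed input, the first check flags only the two successful `legacy-svc` logins that completed with `mfa=none`, and the second reports that initial access, reconnaissance and exfiltration were all visible before the first encryption-stage event. The point is not the specific keywords but the structure: each earlier stage is a separate alerting opportunity, and a login that succeeded without a second factor is the earliest of them.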

Unwanted side effects

“It hurts the overall brand for DarkSide, and DarkSide is very brand aware,” said Holland. “They want to have a very positive brand as far as: ‘If you pay us, we’ll actually decrypt for you. We’ll destroy the data that we’ve stolen from you.’”

“They did not intend for this to be the outcome of the attack, but it occurred because of the complexity of the systems,” Caltagirone said.

While Nickels said it is too early to know for sure, she did say that DarkSide, in its 10-month history, has typically targeted organizations that don’t pose as much of a national security concern.

In a sense, Holland says, the attack backfired — the U.S. government is now a lot more focused on the threat than it used to be, and Biden has promised to “disrupt and prosecute” members of DarkSide.

“There are enough victims to extort without having to go after these types of critical infrastructure,” said Holland. “I think there could be some targeting changes, where they go after other groups that are not going to strike the ire of the U.S. government and every agency possible.”

On Wednesday, the hacker group said it had already attacked three more companies since the attack on Colonial Pipeline. One of the companies is based in the United States, one is in Brazil and the third is in Scotland. None of the three appears to engage in critical infrastructure.
