The cyberattack on the Colonial Pipeline system was impossible to “keep on the down-low” as industrial attacks of limited scale often are. The shutdown of a 2.5 million B/D (barrels per day) system of 5,500 miles of pipeline spanning from the US Gulf Coast to the East Coast does not go unnoticed. And early unconfirmed reports of a ransom payment made to decrypt the seized data intensified the spotlight on the incident. (Continental CEO Joseph Blount confirmed a $4.4-million payment on 19 May.)
During what surely was a crisis management nightmare involving not only Colonial but also the US Department of Energy, Department of Transportation, Federal Bureau of Investigation (FBI), Federal Energy Regulatory Commission, Department of Homeland Security (DHS), and the Pipeline and Hazardous Materials Safety Administration (all agencies thanked by Colonial in a 15 May tweet), the information made public has heightened concerns about the security of data and critical infrastructure globally.
Foremost is the escalation in the multiple layers of bad actors involved in a single attack.
The FBI identified the ransomware-as-a-service (RaaS) DarkSide, which it has been investigating since October 2020. Criminal partners conduct attacks and then share the proceeds with the ransomware developers. The agency released a flash alert about DarkSide on 10 May with indicators of compromise and mitigation measures once infected.
“Mitigation measures once infected.” The alert may have come too late for Colonial, whose business network was hit rather than its operational technology (OT) networks that control the pipeline. To contain the damage, it took down its own OT network. An example supporting this action of last resort occurred last year when a ransomware attack on an unidentified natural gas company’s business networks moved into its control systems at a compression facility, halting operations for 2 days, according to a DHS alert. DHS said the company did not have a plan to respond to a cyberattack.
A report by FireEye, a cybersecurity firm that confirmed it had been hired by Colonial, said that since first surfacing in August 2020, the creators of DarkSide and their partners have infiltrated organizations in more than 15 countries. Affiliates retain a portion of each ransom fee, ranging from 25% for fees less than $500,000 to 10% for fees greater than $5 million.
Ransomware operators are masters in extortion and are using new tactics to widen their net of exploitation. In April, the DarkSide operators said in a press release that they were targeting organizations listed on the NASDAQ and other stock markets and were willing to give stock traders advance notice of upcoming attacks to allow them to reap profits when stock prices dropped as a result of the breach, according to FireEye. In another example, an attacker obtained the victim’s cyber insurance policy’s coverage limits and used that knowledge during ransom negotiation, refusing to lower the ransom fee.
What this means for organizations is that their boards should assess the full spectrum of risk from prevention to detection as a business risk and have a plan in place to execute when an attack occurs. The investment required may be far less than the increasingly exorbitant ransom fees and the costs associated with the theft or destruction of data and disruption to the business.