Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Colonial Pipeline Shut Down by Ransomware Attack

May 11, 2021

The Washington Post reported (subscription required) on May 8 that Colonial Pipeline, which transports 45% of the fuel used on the East Coast, was shut down on May 7 by a ransomware attack.

The attack appears to have been carried out by DarkSide, an Eastern European-based criminal gang, according to a U.S. official and another person familiar with the matter. Update: The FBI has now confirmed DarkSide’s involvement. See further info below.

Federal officials and the private security firm Mandiant are still investigating the matter, they said.

On May 8, Colonial Pipeline released the following statement:

“On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems. Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies.

Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.”

Attackers are increasingly targeting industrial sectors because these firms are more willing to pay up to regain control of their systems, experts say.

“The downtime for industrial companies can cost millions,” said Robert M. Lee, the chief executive officer of Dragos, a major cybersecurity firm that handles incidents in the industrial control sector.

U.S. officials and experts in industrial control security said such attacks are more common than publicly known and that most just do not get reported.

The DarkSide group has hit utility firms before, said Allan Liska, intelligence analyst at the cyber threat research firm Recorded Future. In February, ransomware attacks disrupted operations at two Brazilian state-owned electric utility companies, he said.

“To put it simply, we are on the cusp of a global digital pandemic driven by greed,” former top Department of Homeland Security cyber official Christopher Krebs told Congress last week. He called the ransomware emergency a “digital dumpster fire.”

There is currently no known foreign government nexus to the Colonial Pipeline incident, but the U.S. government has in the past asserted links between Russian spy services and ransomware rings.

A task force of more than 60 experts from industry, government, nonprofits and academia recently urged a series of coordinated actions by industry, government, and civil society. Their recommendations include mandating that organizations report ransom payments and requiring them to consider alternatives before making payments. Governments, they said, could provide support to help firms hold out longer. The recommendations also call for global diplomatic and law enforcement efforts to discourage countries from providing safe havens to ransomware criminals.

The implementation of any such framework would certainly be a challenge.

Updated May 10:

According to a May 10 report from Reuters, a former U.S. official and two industry sources have said that the group DarkSide is among the suspects.

Cybersecurity experts who have tracked DarkSide said it appears to be composed of veteran cybercriminals who are focused on extracting as much money as they can from their targets.

“They’re very new but they’re very organized,” said Lior Div, the chief executive of Boston-based security firm Cybereason.

DarkSide is one of several increasingly professionalized groups of digital extortionists, with a mailing list, a press center, a victim hotline and even a supposed code of conduct intended to spin the group as reliable, if ruthless, business partners.

Experts like Div said DarkSide was likely composed of ransomware veterans and that it came out of nowhere in the middle of last year and immediately unleashed a digital crimewave.

“It’s as if someone turned on the switch,” said Div, who noted that more than 10 of his company’s customers have fought off break-in attempts from the group in the past few months.

DarkSide’s site on the dark web hints at their hackers’ past crimes, claims they previously made millions from extortion and that just because their software was new “that does not mean that we have no experience and we came from nowhere.”

The site also features a Hall of Shame gallery of leaked data from victims who haven’t paid up, advertising stolen documents from more than 80 companies across the United States and Europe.

DarkSide is hard to distinguish from the increasingly crowded field of internet extortionists. Like many others it seems to spare Russian, Kazakh and Ukrainian-speaking companies, suggesting a link to the former Soviet republics.

Div said that what does set them apart is the intelligence work they carry out against their targets beforehand. Typically, “they know who is the manager, they know who they’re speaking with, they know where the money is, they know who is the decision maker,” said Div.

Div said that the targeting of Colonial Pipeline, with its potentially massive consequences for Americans up and down the Eastern seaboard, may have been a miscalculation.

“It’s not good for business for them when the U.S. government becomes involved, when the FBI becomes involved,” he said. “It’s the last thing they need.”

BleepingComputer reported on May 10 that DarkSide had issued the following statement:

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our other motives.

Our goal is to make money, and not to create problems for society.

From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” – DarkSide gang.

Hat tip to Dave Ries for the update.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson