IOTW: Ransomware Attack Closes Colonial Pipeline

Lisa Morgan
05/14/2021

Signs point to DarkSide, a ransomware group that styles itself as a Robin Hood-like operation, as the actor behind the ransomware attack that shut down the Georgia-based Colonial Pipeline. Reports conflict on how the incident will affect fuel distribution to the Eastern states and gas prices.

Private companies working with U.S. government agencies shut down the cloud servers from which the attacks on Colonial Pipeline and 12 other companies were launched. They also reportedly retrieved the stolen data, which was bound for Russia.

The main line was closed for several days. The smaller lateral lines were also affected, but they were restored first as part of a phased restart plan. The pipeline stretches from Texas to the Northeast and delivers about 45% of the fuel consumed on the East Coast.

The Facts

On Friday, May 7, Colonial Pipeline announced that it had halted operations as a result of a ransomware incident affecting the main line and the smaller lines. Incident response had begun the day before, on Thursday.

By Sunday, the smaller lines were operating again, but the main line stayed down for several more days. Early in the week, President Joe Biden worked with the Department of Transportation to lift hours-of-service limits for fuel truckers to keep product moving. On Wednesday, the White House released the Executive Order on Improving the Nation's Cybersecurity. Colonial Pipeline has since resumed full operations, but not before panic buying drained gas stations and prompted complaints of price gouging.


Colonial Pipeline transports more than 2.5 million barrels a day of refined products, including diesel, gasoline and jet fuel, from the Gulf Coast through a pipeline system spanning more than 5,500 miles.

Reuters reported that the attackers stole more than 100 GB of data and that the FBI and other government agencies worked with private companies to take down the cloud servers used to exfiltrate it. Neither the ransom amount nor Colonial Pipeline's response to the extortion demand has been disclosed.

DarkSide claims it does not target schools, hospitals, nursing homes or government organizations, and that it donates part of its proceeds to charity. The group demands payment for a decryption key and is increasingly demanding a second payment in exchange for not publishing the stolen data, the now-common double-extortion model. DarkSide also stated on its website recently that it is not geopolitically motivated.

The Colonial Pipeline attack has been called "the worst attack on critical infrastructure to date."

Lessons Learned

U.S. critical infrastructure has become a popular cyber attack target. Its weak underbelly is aging technology and industrial control systems (ICS) that may lack adequate physical and cyber security.

The problem isn't a new one, but the number of attacks continues to rise.

Quick Tips

No business is immune from a ransomware attack.

  • Limit administrative privileges.
  • Restrict systems to authorized hardware and software (allowlisting). This may not be practical in every organization, but it is important for critical infrastructure operators.
  • Monitor system, application, network and user behavior for anomalous activity.
  • Do a thorough cybersecurity assessment that involves white hat penetration testing. Critical infrastructure organizations should check for physical and cyber weaknesses.
  • Remediate the weaknesses the assessment uncovers, starting with those that expose operational systems.
  • Have an incident response plan in place that involves operations, finance, legal, compliance, IT, risk management and communications.
  • Patch software as soon as possible.
  • Train and update the workforce on cyber hygiene.
  • If your company is attacked, engage a firm that specializes in forensics. Contact local and federal law enforcement, as appropriate.