When the first reports of the ransomware attack on the Colonial Pipeline began to appear, it was natural to assume the worst. A state-backed actor had finally grown bold enough to make a direct attempt on United States utilities, in this case a critical fuel pipeline that runs for 5,500 miles and supplies coastal states from Texas up along the East Coast to New York.
After several days of investigation by the FBI, a new for-profit ransomware gang called DarkSide has been fingered. But DarkSide has issued a statement shifting the blame for the ransomware attack to “an affiliate,” indicating that the actual culprit may have been a hapless ransomware-as-a-service customer that may not have had much idea of what it was doing.
Fuel pipeline shutdown causes gas shortages in several states
The DarkSide group first appeared around August of 2020, both executing its own highly targeted attacks on English-speaking companies and running a ransomware-as-a-service business for less sophisticated cyber criminals.
While not particularly dangerous or advanced as compared to other ransomware gangs, DarkSide made news for its “ethical” posturing. It issued press releases promising to keep ransomware attacks away from vulnerable targets such as hospitals and non-profit agencies, and offered victims “friendly” terms including a professional-sounding live chat. It even offered to send donations to several charities, though these were declined.
It appears that DarkSide was not extending its code of ethics to its clients, according to a public statement made by the group after the FBI named it in the media: “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives … Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Grant Geyer, Chief Product Officer for Claroty, says that it shouldn’t be too surprising that a potentially unsophisticated ransomware-as-a-service client was able to do so much strategic damage to a nation’s utilities: “Unfortunately, the cyber attack against Colonial Pipeline is only a teaser of the future of cyber attacks. As cyber criminals and foreign adversaries seek opportunities for financial gain and power projection, our national critical infrastructure is an easy target. Industrial environments are operating with infrastructure that commonly maintains obsolete technology that can’t be patched, and staff that frequently are not as cyber savvy as they need to be to keep attackers at bay. This leads to a situation where cyber security risk levels are below acceptable tolerances, and in some cases organizations are blind to the risk. One additional risk factor of pipelines is that they are highly distributed environments, and the tools that are used to enable asset operators remote connectivity are optimized for easy access and not for security. This provides attackers opportunities to sneak through cyber defenses as we saw in the water utility attack in Oldsmar, Florida earlier this year … Among critical infrastructure sectors, energy is especially at risk. Our researchers have found that the energy sector is one of the most highly impacted by industrial control system (ICS) vulnerabilities, and it experienced a 74% increase in ICS vulnerabilities disclosed during the second half (2H) of 2020 compared to 2H 2018.”
DarkSide claims that it never intended to cause a disruption of this nature or size with its ransomware attacks. Colonial Pipeline completely shut down its operations on May 7 after discovering the ransomware attack, which included halting its fuel deliveries along the Gulf Coast and Eastern Seaboard. Consumers started feeling the pain at the pump on May 10 as a number of gas stations in multiple states ran completely dry of fuel. Colonial Pipeline has implemented manual operations to get gas out but does not expect regular supply to be restored for about a week, during which time the southeastern states will be hit particularly hard by shortages and an expectation of panic buying.
Ransomware attack appears to be for-profit, no strong ties to nation-state threat actors
DarkSide has some known links to Russia; its operators have been seen speaking the language, have email and IP addresses linked to the country, and it includes a number of Russian for-profit organizations among its list of targets that are off-limits due to its supposed ethical code. However, there is presently no direct evidence that it is affiliated with Russian intelligence and the Biden administration has said that it does not believe there is a link in the fuel pipeline attack.
DarkSide ransomware attacks are known to exfiltrate the data of targets and threaten to post it publicly if the ransom is not paid. That appears to have happened here as investigation sources report that about 100 gigabytes of data was stolen from the fuel pipeline’s IT network during the two-hour period prior to the ransomware lockout, but a threat of a public leak has yet to emerge.
There are dissenting theories, of course. Mike Hamilton, former CISO of Seattle and CISO of government cybersecurity firm CI Security, believes that the Biden administration’s early conclusions may not tell the full story: “Current reporting suggests that this is a group that is new, but composed of experienced members. The ransomware itself is not that novel – there is a good technical explanation here. What seems to set this group apart is the research they conduct before compromising a victim – so they know the reporting structure, who in the organization makes decisions and who handles finances. If that is true, it is unlikely that this event is an artifact of the “spray and pray” type of attack and was highly targeted. That diminishes the theory that this gang is just the “dog that caught the car”, as this was an entirely intentional act … While there may be an actual financial motive, the (likely) Russian government may be testing the waters here, using a criminal foil to ascertain whether the US will “draw the line” between what is criminal and what is an act of aggression.”
The ransomware attack is still under investigation by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Following the incident, CISA executive assistant director Eric Goldstein told reporters that ransomware is an ongoing threat to organizations of all sizes in all industries and encouraged everyone to strengthen security postures. The attack on the fuel pipeline almost immediately followed an announcement of a proposed federal “ransomware task force” that would bring together various federal agencies in partnership with private tech and security firms to address the growing threat.
Ransomware attack disrupting fuel supplies
Though the government is strongly indicating that the attack on the fuel pipeline is not state-backed, the timing is particularly disruptive. It comes just ahead of the usual summer season of peak demand, one that is expected to be particularly high as Americans plan vacations and travel after a year of coronavirus restrictions. The Colonial Pipeline transports some 2.5 million barrels of gasoline each day to mostly eastern and southern coastal states, serving both private and commercial customers. It is also relied upon by airports in these states which includes some of the largest hubs in the country, such as Hartsfield-Jackson International Airport in Atlanta and Nashville International Airport in Tennessee. Some of these airports have resorted to trucking or even flying in fuel from other sources in order to remain fully operational during the supply shortage.
The ransomware attack impacts fuel supplies to nearly every state on the coast of the US from east Texas up to New Jersey; Tennessee also relies on a branch of the fuel pipeline that comes in from neighboring Georgia. Florida is the lone exception among these coastal states as it draws gasoline directly from Gulf Coast refineries via tanker ship rather than from the fuel pipeline. The Houston area of Texas may be impacted, but the rest of the state (including the Dallas-Fort Worth International Airport) is supplied by fuel from different sources. Experts are anticipating that there may be significant gas price spikes if the issue drags out for longer than a week.