Sightline Cyberattack Watch: Colonial Pipeline Profile

May 24, 2021

On Friday May 7, Colonial Pipeline, a privately-held company and one of the largest pipeline operators in the United States, reported that it had been the victim of a large-scale ransomware cyberattack. The effects were immediate: gas shortages and higher prices, and a sense that, once again, America’s utility and energy infrastructure was at risk due to long-standing IoT vulnerabilities. These attacks on industrial and utilities companies continue to grow in frequency and impact, leading industry experts to warn that failing to address key cybersecurity concerns may have even more devastating consequences in future attacks, to both the economy and to critical infrastructure. The rise of modern connected systems with Industry 4.0 has increased efficiency and monitoring for the energy & utility sectors, but those systems, when improperly secured, can become a potential access point for attackers to breach the IT & OT infrastructure.

The rising trend of cyberattacks is not without potential solutions. There are expert recommendations for cybersecurity improvement to address the growing concern within the IoT & manufacturing industry. Sightline Systems CEO & President Brandon Witte says such attacks can be avoided or their impact minimized through the implementation of security-linked system data monitoring across networks, and a strict protocol of data security.

Watch On-Demand: “Vulnerabilities You Never Knew Were There” | Livestream Cybersecurity Webinar with Q&A | Brandon Witte (CEO, Sightline Systems) and EG Pearson (Solution Architect, Unisys)

The targeted company, Colonial Pipeline, includes a 5,500-mile transport infrastructure that delivers 100 million gallons (2.5 million barrels) of gasoline, diesel, jet fuel, and oil every day. It accounts for  over 45% of the fuel used on the east coast of the US, from the Gulf Coast in Texas to the New York metropolitan area. To prevent the attack from spreading, Colonial shut down its east coast systems, bringing all pipeline operations to a halt for more than six days. To regain control of their IT & OT systems, Colonial chose to pay $4.4 million bitcoin in ransomware, a controversial decision that went against FBI recommendations.

“It was the right thing to do for the country,” said Colonial CEO Joseph Blount, in remarks reported by the AP:

Was it? Is there a way to prevent such attacks from happening in the future?

Beyond the cost to Colonial, repercussions are still being felt all over the country, by consumers as well as businesses. The week-long shutdown of the pipeline and sluggish return to full capacity caused panic buying by the public, leading to critical gas and fuel shortages across the country: according to Reuters, some states reported that 90% of gas stations were out of fuel. By May 19, a week after the pipeline reopened, 9,500 gas stations currently were still out of fuel, especially on the Mid-Atlantic of the East coast. The price of gas nationwide has risen to its highest levels since 2014, at a national  average of $3.04 per gallon. Citing critical concerns for national security, US President Biden signed a new cybersecurity executive order on May 12 in the aftermath of the pipeline attack, creating new guidelines for the response to such attacks, mandating transparency by companies who have been attacked, and increasing governmental involvement in the aftermath of any exploitation.

DarkSide: The Perpetrator

Most experts agree that the attacker was DarkSide, a criminal organization in Russia and eastern Europe, with possible ties to the Russian government. Experienced in Ransomware as a Service (RaaS) schemes, DarkSide may have collected over $90 million Bitcoin in ransom from past cyberattacks.

Some precise details and a specific timeline of the attack and exploitation are not fully known, but it is believed that DarkSide specifically targeted individual employees, extorted or purchased their credentials, and then used their access to infiltrate the network unchecked and spread malicious scripts throughout the IT & OT infrastructure. They are suspected of using various sophisticated methods to avoid detection of their infiltration, including self-encryption of malicious code within the network. 

RaaS & Affiliate Network Attacks: A Growing Problem

The prevalence and impact of these types of RaaS attacks are rising dramatically, especially in the utilities and energy sectors, but are also increasingly lucrative. RaaS criminal organizations like DarkSide, which specialize in the development of malware and ore ransomware code, also deploy a wide network of “affiliate” conspirators, specializing in research, identification of potential targets, procuring access to targeted individual user credentials through outright purchase, extortion, blackmail, and/or phishing. For example, DarkSide has received a known $90 million bitcoin DarkSide has collected from victim organizations, it has reportedly paid $74.7 million to its affiliates, many of whom have links to organized crime organizations. These attacks generate massive ransomware payments to an entire network of co-conspirators.

This financial reality is perhaps most clearly reflected by DarkSide itself, which has publicly stated their intent and motivation as an organization, writing on their website: “our goal is to make money, not create problems for society”. 

IOT Cybersecurity: Threats to the Global Infrastructure

While this attack’s impact may be viewed by many as an unfortunate but isolated incident, it shows a much deeper security threat within the industry that many experts worry could be exploited with even more devastating results. The Ransomware Task Force (RTF), a dedicated group of technology companies, governmental agencies, and cybersecurity insiders, says that these cyberattacks are actively ruining lives and causing vast impact to society and the economy. In the space of a few years, RTF commented, “ransomware has become a serious national security threat and public health and safety concern”.

One critical factor in the rise In an op-ed for Foreign Policy, Jason Bordoff of Columbia University, concludes that the “Colonial attack is a reminder of well-known cybersecurity risks to the energy system” and that with the rise of Industry 4.0, “risks to oil and gas may well rise not only as attackers become increasingly sophisticated but as the industry increasingly turns to tools of artificial intelligence and digitalization to increase production and reduce costs”. While the exact breach source location has not been confirmed, Colonial Pipeline is known to have a sophisticated IoT system filled with monitoring and control mechanisms and network connected devices. We do know that the company is already involved in a US House committee inquiry, and facing at least one lawsuit over potential security vulnerabilities.

How Do We Defend Against These Attacks?

Defending against these types of attacks requires advanced systems and ever-watchful digital defenses, but that doesn’t mean that they are unavoidable by companies in the future. According to Sightline CEO Brandon Witte, such attacks can be avoided and their impact minimized through the use of “zero trust” networks and micro-segmentation. In partnership with Unisys Corporation, Sightline has introduced SIAS, which combines two state-of-the-art solutions into one, providing manufacturers with easy-to-use yet powerful security to better protect their environments.

“SIAS™ brings zero trust, cloaking, encryption, and micro segmentation to network management in an easy-to-use package.” says Witte.  “Leveraging SIAS™ helps organizations reduce their attack footprint, which minimizes the scope and impact of attack exploitations such as this one.”

“At the end of the day, they can’t attack and exploit what they can’t see.”