Sightline Cyberattack Watch: Colonial Pipeline Profile

May 24, 2021

On Friday May 7, Colonial Pipeline, a privately-held company and one of the largest pipeline operators in the United States, reported that it had been the victim of a large-scale ransomware cyberattack. The effects were immediate: gas shortages and higher prices, and a sense that, once again, America’s utility and energy infrastructure was at risk due to long-standing IoT vulnerabilities. These attacks on industrial and utilities companies continue to grow in frequency and impact, leading industry experts to warn that failing to address key cybersecurity concerns may have even more devastating consequences in future attacks, to both the economy and to critical infrastructure. The rise of modern connected systems with Industry 4.0 has increased efficiency and monitoring for the energy & utility sectors, but those systems, when improperly secured, can become a potential access point for attackers to breach the IT & OT infrastructure.

The rising trend of cyberattacks is not without potential solutions. There are expert recommendations for cybersecurity improvement to address the growing concern within the IoT & manufacturing industry. Sightline Systems CEO & President Brandon Witte says such attacks can be avoided or their impact minimized through the implementation of security-linked system data monitoring across networks, and a strict protocol of data security.

Watch On-Demand: “Vulnerabilities You Never Knew Were There” | Livestream Cybersecurity Webinar with Q&A | Brandon Witte (CEO, Sightline Systems) and EG Pearson (Solution Architect, Unisys)

 Wide-Reaching Impact: For Colonial Pipeline and America

The targeted company, Colonial Pipeline, includes a 5,500-mile transport infrastructure that delivers 100 million gallons (2.5 million barrels) of gasoline, diesel, jet fuel, and oil every day. It accounts for  over 45% of the fuel used on the east coast of the US, from the Gulf Coast in Texas to the New York metropolitan area. To prevent the attack from spreading, Colonial shut down its east coast systems, bringing all pipeline operations to a halt for more than six days. To regain control of their IT & OT systems, Colonial chose to pay $4.4 million bitcoin in ransomware, a controversial decision that went against FBI recommendations.

“It was the right thing to do for the country,” said Colonial CEO Joseph Blount, in remarks reported by the AP:

Was it? Is there a way to prevent such attacks from happening in the future?

Beyond the cost to Colonial, repercussions are still being felt all over the country, by consumers as well as businesses. The week-long shutdown of the pipeline and sluggish return to full capacity caused panic buying by the public, leading to critical gas and fuel shortages across the country: according to Reuters, some states reported that 90% of gas stations were out of fuel. By May 19, a week after the pipeline reopened, 9,500 gas stations currently were still out of fuel, especially on the Mid-Atlantic of the East coast. The price of gas nationwide has risen to its highest levels since 2014, at a national  average of $3.04 per gallon. Citing critical concerns for national security, US President Biden signed a new cybersecurity executive order on May 12 in the aftermath of the pipeline attack, creating new guidelines for the response to such attacks, mandating transparency by companies who have been attacked, and increasing governmental involvement in the aftermath of any exploitation.

DarkSide: The Perpetrator

Most experts agree that the attacker was DarkSide, a criminal organization in Russia and eastern Europe, with possible ties to the Russian government. Experienced in Ransomware as a Service (RaaS) schemes, DarkSide may have collected over $90 million Bitcoin in ransom from past cyberattacks.

Some precise details and a specific timeline of the attack and exploitation are not fully known, but it is believed that DarkSide specifically targeted individual employees, extorted or purchased their credentials, and then used their access to infiltrate the network unchecked and spread malicious scripts throughout the IT & OT infrastructure. They are suspected of using various sophisticated methods to avoid detection of their infiltration, including self-encryption of malicious code within the network. 

RaaS & Affiliate Network Attacks: A Growing Problem

The prevalence and impact of these types of RaaS attacks are rising dramatically, especially in the utilities and energy sectors, but are also increasingly lucrative. RaaS criminal organizations like DarkSide, which specialize in the development of malware and ore ransomware code, also deploy a wide network of affiliate” conspirators, specializing in research, identification of potential targets, procuring access to targeted individual user credentials through outright purchase, extortion, blackmail, and/or phishing. For example, DarkSide has received a known $90 million bitcoin DarkSide has collected from victim organizations, it has reportedly paid $74.7 million to its affiliates, many of whom have links to organized crime organizations. These attacks generate massive ransomware payments to an entire network of co-conspirators.

This financial reality is perhaps most clearly reflected by DarkSide itself, which has publicly stated their intent and motivation as an organization, writing on their website: “our goal is to make money, not create problems for society”. 

IOT Cybersecurity: Threats to the Global Infrastructure

While this attacks impact may be viewed by many as an unfortunate but isolated incident, it shows a much deeper security threat within the industry that many experts worry could be exploited with even more devastating results. The Ransomware Task Force (RTF), a dedicated group of technology companies, governmental agencies, and cybersecurity insiders, says that these cyberattacks are actively ruining lives and causing vast impact to society and the economy. In the space of a few years, RTF commented, “ransomware has become a serious national security threat and public health and safety concern”.

One critical factor in the rise In an op-ed for Foreign Policy, Jason Bordoff of Columbia University, concludes that the “Colonial attack is a reminder of well-known cybersecurity risks to the energy system” and that with the rise of Industry 4.0, “risks to oil and gas may well rise not only as attackers become increasingly sophisticated but as the industry increasingly turns to tools of artificial intelligence and digitalization to increase production and reduce costs”. While the exact breach source location has not been confirmed, Colonial Pipeline is known to have a sophisticated IoT system filled with monitoring and control mechanisms and network connected devices. We do know that the company is already involved in a US House committee inquiry, and facing at least one lawsuit over potential security vulnerabilities.

How Do We Defend Against These Attacks?

Defending against these types of attacks requires advanced systems and ever-watchful digital defenses, but that doesn’t mean that they are unavoidable by companies in the future. According to Sightline CEO Brandon Witte, such attacks can be avoided and their impact minimized through the use ofzero trust” networks and micro-segmentation. In partnership with Unisys Corporation, Sightline has introduced SIAS, which combines two state-of-the-art solutions into one, providing manufacturers with easy-to-use yet powerful security to better protect their environments.

“SIAS brings zero trust, cloaking, encryption, and micro segmentation to network management in an easy-to-use package.” says Witte.  “Leveraging SIAS helps organizations reduce their attack footprint, which minimizes the scope and impact of attack exploitations such as this one.”

“At the end of the day, they can’t attack and exploit what they can’t see.”


Cybersecurity Webinar

Attack Profile:

Target: Colonial Pipeline

Industry: Oil & Gas, Critical Infrastructure

Date: 05/07/2021

Type of Attack: Ransomware

Demand: Demand of at least $4.4 mil bitcoin, confirmed by Colonial to have been paid

Suspected Perpetrator: DarkSide, a ransomware as a service (RaaS) criminal organization based in Russia Eastern Europe with suspected nation state ties, as well as a network of criminal co-conspirator affiliates

Method of Attack: 

  • Reported targeting of employes and extortion/purchase of user credentials
  • Unchecked access throughout the network and of IT & OT systems
  • Anti-detection mechanisms reportedly used, including script self-encryption

Immediate Impact: 

  • Colonial has confirmed payment of $4.4 million in Bitcoin ransomware
  • Company forced to shut down all of its 5,500 miles of pipeline for multiple days
  • Took over 6 days for operations to fully resume
  • Has impacted already soaring gas & fuel prices around the country

“At the end of the day, they can’t attack what they can’t see”

Brandon Witte

CEO & President, Sightline Systems

Watch Our Livestream Discussion + Q&A Recording: Vulnerabilities You Never Knew Were There

Last week’s terrifying pipeline ransomware attack is just the latest cyber attack to make the news and show the growing cyber threat to the manufacturing, industrial & utility sectors. Many teams think they know exactly where attacks could attempt to infiltrate, but this rising threat and recent attacks show clearly: there are vulnerabilities that are being overlooked in the IOT cybersecurity world.

Not so coincidentally, but certainly timely, Sightline & Unisys hosted a free livestream webinar on May 26th in which we will be provided more important information on this attack and expert guidance on how these attacks occur and can be prevented. Even if you think you know where all of your organization’s vulnerabilities are, you may want to consider watching to learn about those you might just be missing.