What Happened in the Colonial Pipeline Ransomware Attack

Yet another major cyber-attack has derailed public services, making breaking news over the weekend of May 8-9th 2021. This time, it was a major US fuel pipeline. The Colonial Pipeline, which runs from Texas to New York, supports 45% of the East Coast’s fuel supply, carrying 2.5 million barrels a day and went offline following the cyber-attack by the criminal hacker organization DarkSide. The remorseful hackers have officially stated that they had no intention of “creating problems for society” but rather were aiming to make a quick buck.

Regardless of their intentions, Darkside’s hackers effectively took down critical infrastructure for several days. The incident is one of the largest ever disruptions in US energy infrastructure. How could this happen? How could a critical American pipeline be infiltrated and interrupted so easily?

What happened in the Colonial Pipeline Cyber Attack

The hacker organization DarkSide has appeared to claim responsibility for the ransomware attack which caused the Colonial Pipeline to shut down as a precaution. In a statement on the group’s website which refers only to “the latest news”, DarkSide asserts “our goal is to make money, and not creating problems for society” which suggests that the cybercriminals’ planned attack did not go as planned.

Upon discovering the ransomware infiltration, Colonial Pipeline took the proactive measure of shutting down its network – interrupting service – in order to avoid any more serious consequences. A server used by the criminal organization was found to hold important Colonial Pipeline data and other files.

For ransomware hackers, the objective is simple: make money. The average ransom paid by victim organizations in Europe, the US, and Canada has almost tripled from $115,123 in 2019 to $312,493 in 2020. Add to this the value of stolen and leaked data which can be sold across the Dark Web and ransomware attacks become a lucrative endeavor. To date, Colonial Pipeline has paid $4.4 million to recover some of its data.

What are the repercussions of the Colonial Pipeline shutdown?

If nothing else, this major incident has exposed just how vulnerable the energy and utilities industry’s infrastructure is to cyber-attack and disruption. Especially following closely on the heels of the attack on a Florida water treatment facility in which hackers attempted to poison the city’s water supply. With highly sensitive data and critical infrastructure, the energy sector is both extremely sensitive and extremely valuable to hackers.

What’s more, the Colonial Pipeline cyber-attack have clear market impacts. Downtime in a fuel pipeline has greater consequences than other industries, potentially impacting financial markets, fuel-dependent business sectors (including airlines and transport), and millions of individuals. Colonial was forced to shut its 5,500 mile (8,850 km) pipeline, disrupting the distribution of gasoline, diesel, and jet fuel to the entire northeast, and it’s not expected to fully reopen for days. Crude oil prices have already increased since the news broke.

How did the pipeline cyber-attack happen – and could it have been prevented?

The DarkSide group operated through a ransomware attack. This type of malware is used to infiltrate a target IT infrastructure, self-elevate privileges to access the most sensitive and valuable data, and then encrypt it, blocking the owners from their own data and demanding a ransom payment in order to regain access.

The DarkSide group is unofficially understood to operate out of Russia, and given the current state of the world we can assume that they used remote access to gain entry into Colonial Pipeline’s system. With the COVID-19 crisis still ongoing, the vast majority of companies are still working remotely. Some employees are forced to use unsecured networks and remote access tools (such as VNC, TeamViewer, etc.), especially in OT environments. These unsecured remote connections are a major vulnerability – and liability – for organizations. Most likely, they leveraged a vulnerable remote entry point to compromise a critical target, and then used their self-appointed elevated privileges to move laterally across the IT infrastructure to steal and encrypt the most valuable data.

It has been proven time and time again that remote access and insufficiently secured endpoints are the main vectors of cybersecurity risk for any organization. This has only been magnified by the COVID-19 crisis with its rapid shift to remote work and digital transformation for companies who were not prepared or secured.

How can critical infrastructure organizations like Colonial Pipeline prevent cyber-attacks?

Organizations in all sectors, but especially those in the OT and energy industries, should focus on two key imperatives:

  • Secure endpoints by applying the Principle of Least Privilege
  • Secure remote access through strong privilege user management and identity authentication

If Colonial Pipeline had implemented a Least Privilege-backed policy, the hackers would never have been able to leverage stolen credentials to enact privilege escalation and access sensitive data and systems. Even remote access connections would have required multi-factor authentication and validation through a Privileged Access Management system to ensure that only those with the right permissions at the right time could access systems, and even privileged users only have access to the bare minimum.

What’s more, an Endpoint Privilege Management solution would have stopped any ransomware in its tracks. Robust EPM solutions block any process or application attempting operations that are disallowed – such as encryption – regardless of the user’s privilege level, rendering ransomware impotent.

Today, remote access to IT infrastructure is critical to the continuity of production and service. Maintaining business productivity and protecting against catastrophic consequences of a breach or disruption is crucial, particularly in OT environments. However, it can be complicated to secure complex, heterogeneous networks of tools and systems, and VPN technology is no longer sufficient. Introducing control over privileged access and activity is paramount, with complete visibility and traceability to ensure that privileged actions are authenticated, authorized, and blocked for rapid incident response.