Latest news on Colonial Pipeline cyber attack
Background: On May 6, a cyber attack from the Russia-based threat actor group “DarkSide” caused the shutdown of the Colonial Pipeline, a 5,500-mile oil transfer system that runs from Texas to New Jersey. The pipeline provides some 45% of the oil supplies used on the U.S. east coast, delivering 100 million barrels of oil daily to 13 U.S. states and the District of Columbia.
The cyber attack was not against the pipeline infrastructure itself; rather, it targeted the information systems and services that support the pipeline. As IT staff worked to contain the attack against Colonial’s back office, many parts of the operational technology (OT) network were shut down as a precaution against the spread of the malware, thereby causing the massive service disruption.
According to multiple reports, the May 6 attack involved the theft of some 100 GB of data, as well as the encryption of compromised systems. This “double extortion” attack is a growing trend in the cybercrime industry. DarkSide’s motives behind the attack were clear: “Our goal is to make money, and not creating problems for society,” they wrote in a dark web blog post shortly after the attack.
Current Status: Colonial has been delivering regular status bulletins via Twitter. The pipeline resumed full service on May 15, ending a hectic week of production delays, lineups for gas, and rollercoaster fuel pricing usually only seen during hurricane season. However, while oil deliveries have resumed, business operations for Colonial are still disrupted as system restoration continues; as late as May 17, Colonial’s website remained down.
Ransom Payment: Facing a massive disruption to the economy and the public infrastructure, Colonial reportedly chose to pay a ransom of 75 bitcoins in cryptocurrency – the approximate equivalent of $5 million (US) – to decrypt their affected systems. Colonial then discovered that the unlocking tool provided by DarkSide was slow and inefficient, forcing Colonial to turn to government and third-party resources for data recovery and system restoration. The business decision to succumb to extortion will come under scrutiny: many fear that capitulating to ransom demands only invites further cyber attacks.
Regulatory and Governmental Response: The attack on vital services has renewed the push to improve cybersecurity in core infrastructure operations. CISA and the U.S. Department of Energy are accelerating their efforts to provide industry guidelines on cybersecurity to help prevent future incidents. U.S. President Joe Biden made an official statement from the White House on May 13 outlining the measures taken by the government, and signed an executive order that “calls for federal agencies to work more closely with the private sector to share information, strengthen cybersecurity practices, and deploy technologies that increase resilience against cyberattacks.”
Hackers Disband: The threat actors who allegedly conducted the attack are now reportedly out of business. The DarkSide assault on Colonial prompted law enforcement to direct hosting services to block access to DarkSide’s blog, payment servers, and denial-of-service servers. Subsequently, an unidentified party (presumably law enforcement) withdrew all funds from DarkSide servers – including both DarkSide resources and their clients’ money. According to a report on krebsonsecurity.com, the disruption has forced DarkSide to announce that they are discontinuing their operations and that they intend to release decryption codes to all victims currently under attack who have not paid ransoms.
Ireland healthcare under attack
Ossian Smyth, the Irish minister responsible for public procurement and e-government services, has described the current situation in Ireland as “possibly the most significant cybercrime attack on the Irish State” ever recorded.
On May 13, Ireland’s Health Service Executive (HSE), which is responsible for healthcare and social services across the entire country, suffered a “significant” ransomware attack. In response, the HSE was forced to shut down all of its systems as a precaution in order to prevent the further spread of malware. The Irish Department of Health (DOH) was also attacked with similar ransomware at the same time.
Numerous outpatient appointments are being cancelled or re-scheduled due to the outage, as hospitals scramble to operate manual backup processes and to focus on emergency cases. HSE said that the country’s ambulance services and COVID-19 vaccination program were unaffected by the incident and are operating normally. However, if the crisis drags into Monday or beyond, there are growing fears that more services will be disrupted or cancelled.
The prime minister of the Republic of Ireland, Micheál Martin, has insisted Ireland will not pay any ransom to the hackers, who are suspected to be the same DarkSide group responsible for attacks on Colonial Pipeline and Toshiba over the past week.
Officials have hinted that they have gathered a significant amount of information about the attack, though the specific variety of ransomware involved has not been disclosed, nor has there been a statement regarding how the malware breached the computer networks at HSE and the DOH.
HSE’s Chief Executive Officer Paul Reid confirmed that the attack was “significant” and “human operated,” but indicated that no ransom demand had yet been received. This may be due to the disruptions to DarkSide’s own operations after their servers were locked and financial resources drained late last week in response to the Colonial Pipeline attack.