An Insider’s Look at the Colonial Pip …

It had the makings of a typical ransomware attack — likely set off through a phishing scam, resulting in the wrong people getting their hands where it didn’t belong. But the outcome of the Colonial Pipeline ransomware attack was beyond typical.

In a LinkedIn Live session with former CISA Assistant Director John Felker, the Data Connectors Community gained the unique insight on what was likely happening behind the scenes, both in the Colonial boardroom and in the government offices.

The session, titled “Reflections on the Colonial Pipeline Ransomware Attack,” took a comprehensive look at the timeline of events surrounding the attack, as well as a deep-dive in the actions of the perpetrators, the DarkSide hacking group.

“Despite the impact, this was a pretty run-of-the-mill ransomware incident. (DarkSide) acted like many ransomware actors act,” Felker said.

Watch the full interview.

And while it’s still unclear which aspect of the business the breach affected, Felker said it made sense to take steps to shut down. “There were elements along the way that caused some concern in part of the pipeline company to shut down the pipeline,” he said.

The evidence shows that the attack took place in the back-office — not to the control system of the pipeline. Shutting down the pipeline operations allowed the organization to insulate the attack and prevent the hackers from getting even further into the control system, Felker said.

“They were shutting down the pipeline operations itself out of abundance of caution so that there wasn’t any lateral movement into the control system, that then could have conceivably caused more stress than it did on the system.”

The attack, from Russian-speaking hacking group DarkSide, raises more questions about the origin of the attack. The group, which offers “ransomware-as-a-service” — with a fairly extensive portfolio of recent attacks.

DarkSide, which has recently decided to cease operations, has forced a public reputation as a sort of Robin Hood among hackers — from offering donations of ransomed cash to non-profits, and ensuring they’re not infiltrating medical, educational, nonprofit, funeral services, and governmental targets.

“They want to make it sound like they’re good guys, when actually, they’re criminals,” Felker said. Ultimately, Colonial reported the incident to the FBI who in-turn reported to CISA.

“There was noise in the media that made it sound like Colonial wasn’t as forthcoming as they could have or should have been. I think it goes back to the dramatic impact that the breach cost,” he said. “Because of the political impact and the impact overall of this particular breach, I suspect we’ll see a change in regulation that requires more timely reporting.”

Looking for a better sense of what happened in the boardroom and what conversations took place among law enforcement? Watch the full interview with John Felker.