As if pulled from a tabletop exercise, a ransomware attack has crippled the supply of gas throughout the Eastern United States. Panic and anxiety are spreading as gas prices are rising and stations are shutting down for lack of supply.
The pipeline, which crawls along the east coast from Southeast Texas up to New York, is a primary supplier of gasoline and jet fuel for the region. Colonial confirmed the attack in a news release on Saturday, May 8; it prompted them to take certain systems offline “to contain the threat” – which, in turn, halted the operations of the pipeline, the statement said.
The Alpharetta, Georgia-based Colonial Pipeline hired FireEye Mandiant to launch an investigation on the nature and scope of the attack, and they also engaged federal law enforcement and related authorities. The Department of Energy headed up the government response, their May 9 statement said.
ASIDE: Confidential sources tell us that Colonial has been less -than super cooperative with law enforcement. Perhaps this brings about the suggestions we have seen by the US House of Representatives subcommittee on Cybersecurity, Infrastructure Protection, & Innovation to suggest the need for legislation that requires collaboration among victim organizations and agencies.
The full reach of the Colonial Pipeline. Mississippi, Alabama, Georgia and the Carolinas have been greatly affected by this attack. (Source: Colpipe.com)
INDUSTRY PERSPECTIVES
The attack on the Colonial Pipeline is a page out of the worst-case scenario book that keeps most CISOs awake at night. It is a reminder that their daily work to create cultures of security throughout their organizations is working. After all, a role that is notably missing from Colonial Pipeline’s executive team page: a Chief Information Security Officer.
In their just-posted blog on the topic, Venu Vissametty, VP of Security Research at Attivo Networks, highlighted the perpetrators of the attack as the DarkSide ransomware group as per the FBI confirmation, and pointed out the group’s methods, which lead to “Active Directory enumeration, identify paths to high-privilege targets and deploy ransomware organization-wide.”
Read the full blog post here on Attivo’s site.
Following the post, Vissametty discussed with Data Connectors what organizations could learn from such an attack. He pointed out the importance of implementing tools for protecting these valuable assets.
“The biggest lesson to learn from this attack is that organizations need to protect their Active Directory. It is a treasure trove of information and left inadequately protected can result in loss of Domain control,” he said. “With loss of control over Active Directory, a business dramatically increases their risk of large ransomware, data theft and disruption of service attacks. To prevent this, organizations must invest in understanding exposed attack paths from endpoints, vulnerabilities and misconfigurations within AD, and least privilege cloud entitlements.”
As an industry, cybersecurity experts have been open with their perspectives on this impactful attack. James Saturnio, Senior Lead Technical Advisor at Ivanti, pointed out the fact that ransomware continues to grow in both cost and downtime. And while the details are still pretty unclear, there are some general lessons for all organizations to learn from this incident, he said.
“This hack is a reminder that every organization needs to make defending against ransomware attacks a top priority. Organizations need to take a multi-layered approach to cybersecurity to secure their digital workplaces and reduce the risk of breaches. First and foremost, organizations need to implement good cyber hygiene practices and host frequent employee training on detecting and remediating social engineering attacks like phishing,” Saturnio said.
Read his complete commentary in Ivanti’s guest post on this topic.
Colonial Pipeline Tanks in New Jersey (Ted Shaffrey/AP)
THE DARKSIDE RANSOMWARE GROUP
While it’s becoming increasingly difficult to keep up with all the hacking and ransomware groups, DarkSide has a particularly unique story. In a breakdown from Data Connectors Community Partner SentinelOne, they cover the group’s main mission. The blog states:
DarkSide launched as a RaaS (Ransomware-as-a-Service) with the stated goal of only targeting ‘large corporations.’ They are primarily focused on recruiting Russian (CIS) affiliates, and are very skeptical of partnerships or interactions outside of that region. From the onset, DarkSide was focused on choosing the ‘right’ targets and identifying their most valuable data. This speaks to their efficiency and discernment when choosing where to focus their efforts. From their inception, DarkSide claimed they’d avoid attacking the medical, educational, non-profit, or government sectors.
The post highlights the group’s recruiting process, as well as their continually evolving processes — as well as some key indicators of compromise.
MalwareBytes, another Data Connectors Community Partner, also shared a post describing DarkSide as being used by APT group Carbon Spider. (Check out CrowdStrike’s Adversary Profile on Carbon Spider to learn more about this Russia-based group).
According to MalwareBytes blog, DarkSide will encrypt all files, empty recycle bins, uninstall services, delete shadow copies, terminate processes, encrypt local disks and encrypt network shares once it is deployed. Then, they’ll post it on DarkSide Leaks.
But unlike other groups, DarkSide has a Robin Hood-style approach to their work. They’d (attempted) to donate some of their ransom cash to charity organizations — but the charities were unable to accept it due to the legality around taking fraudulent cash, according to the post.
DON’T JUMP TO THE DARKSIDE RIGHT AWAY…
However, it’s important to keep in mind that just because the attack has been attributed to DarkSide doesn’t tell us exactly who they’re working for, according to Mike DeNapoli, lead solutions architect for Cymulate, a Data Connectors Community Partner.
“While the ransomware in question has been attributed to the Threat Actor Group known as DarkSide, it’s important to realize that this group may not have ordered the attack. DarkSide is an APT group known to both target companies themselves and to resell their ‘Ransomware as a Service’ to third parties who want to perform an attack but lack the skillset and infrastructure to do so — or who need political cover to attack sensitive targets without pointing suspicion to their own operations directly,” DeNapoli said.
So yes, according to DeNapoli, though DarkSide was involved in this attack, we can’t rule out the fact that the potential for the attack to have been carried out and paid for by anyone — from a disgruntled former employee to a state-sponsored group.
Continue monitoring the Data Connectors news page for updates and other insider perspectives on this topic.
Leave a Reply