Colonial Pipeline Follow-up

By: Daniel Simonds – Research analyst at the GTPF

On May 7th, 2021, a ransomware attack targeting Colonial Pipeline caused the company to shut down its mainlines (1, 2, 3, and 4). This ransomware attack has had the largest impact on physical operations in the history of cyber-attacks on U.S. critical infrastructure. In the two weeks since the attack, there have been a few important developments.

Joseph Blount, CEO of Colonial Pipeline, made the decision to pay the ransom of $4.4 million in bitcoin because the company was unsure of the scope of the attack and how long it would take to restore the pipelines. This was a controversial decision because the FBI, which was involved in the investigation, advises private industry not to pay ransoms. Regarding the ransom payment, Blount stated: “I know that’s a highly controversial decision. I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this. But it was the right thing to do for the country.” Once the ransom was paid, the attackers provided a decryption tool that allowed Colonial Pipeline to unlock and access the compromised systems. All pipelines have since been restored, and Colonial Pipeline continues to monitor them for any physical damage.

There has not yet been a definitive attribution of who perpetrated the ransomware attack. However, many sources claim there is evidence that the Eastern European cybercriminal group Darkside is behind it. The cybersecurity firm FireEye, which was hired by Colonial Pipeline to investigate the attack, has gone as far as to publish an article on May 11th, 2021, titled “Shining a Light on DARKSIDE Ransomware Operations,” that details the origin, tactics, and operations of the cybercriminal group.

On May 13th, President Biden also made remarks regarding the ransomware attack on Colonial Pipeline. In his speech, President Biden stated that “we do not believe the Russian government was involved in this attack. But we do have strong reason to believe that criminals who did the attack are living in Russia,” and announced the cybersecurity executive order he had signed, specifically emphasizing the order’s focus on critical infrastructure cybersecurity in light of the attack on Colonial Pipeline.

While the exact details of the ransomware attack on Colonial Pipeline are not yet public, the industrial cybersecurity firm Waterfall Solutions published an article about the attack. The article states that the attack was “consistent with recent trends. In a recent survey of 2020 cyber incidents that impacted physical operations… all such attacks were targeted ransomware – ransomware that was deliberately planted using modern targeted attack techniques.” The article also states that these targeted attacks on the industrial sector generally begin with spear-phishing or phishing to steal remote access credentials or activate malware within the victim’s systems. What is “really bad,” the article notes, is that five to ten years ago these tactics and targeted attacks on the industrial sector were used exclusively by nation-state actors, but they are now being employed by cybercriminal groups.

Sources:

Bing, Christopher, and Stephanie Kelly. “Cyber Attack Shuts down U.S. Fuel Pipeline ‘Jugular,’ Biden Briefed.” Reuters, Thomson Reuters, 8 May 2021, www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/.

Eaton, Collin, and Dustin Volz. “WSJ News Exclusive | Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom.” The Wall Street Journal, Dow Jones & Company, 19 May 2021, www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636.

Nuce, Jordan. “Shining a Light on DARKSIDE Ransomware Operations.” FireEye, 11 May 2021, www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html.

“Remarks by President Biden on the Colonial Pipeline Incident.” The White House, The United States Government, 13 May 2021, www.whitehouse.gov/briefing-room/speeches-remarks/2021/05/13/remarks-by-president-biden-on-the-colonial-pipeline-incident/.

Waterfall Team. “Ransomware Targets Largest Gasoline Pipeline in USA.” Waterfall Security, 13 May 2021.

“Media Statement Update: Colonial Pipeline System Disruption.” Colpipe.com, Colonial Pipeline, 9 May 2021, www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption.