On Saturday, Colonial Pipeline, which delivers 45% of the East Coast's fuel, had to be shut down due to a ransomware attack.
Colonial Pipeline posted a press release on its website on Saturday, May 7, notifying the public that it had been the victim of a cybersecurity attack and that it involved ransomware. The public notice read that the attack
"halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring."According to The Hacker News, "Colonial Pipeline is the largest refined products pipeline in the U.S., a 5,500 mile (8,851 km) system involved in transporting over 100 million gallons from the Texas city of Houston to New York Harbor."
Threat experts have identified the ransomware as DarkSide, which has been used by various English-speaking targets. Recently the owners of DarkSide have moved to an affiliate model where hackers use the ransomware to breach networks and spread malware, and the owners handle payments.
How Did Colonial Pipeline Respond?
The company immediately engaged the help of leading cybersecurity experts to fix the problem and investigate those behind it. They also contacted law enforcement and "other federal agencies such as the Department of Energy who is leading the Federal Government response."
According to The Hacker News, "FireEye's Mandiant incident response division is said to be assisting with the investigation, according to reports from Bloomberg and The Wall Street Journal, with the attack linked to a ransomware strain called DarkSide."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said this "We are engaged with Colonial and our interagency partners regarding the situation. This underscores the threat that ransomware poses to organizations regardless of size or sector. We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats."
Bloomberg theorizes that the attackers stole roughly 100GB of data from Colonial Pipeline. There is no word yet on the ransom figure.
They have since repaired some of the systems, but other areas (Lines 1,2,3, and 4) are still offline to maintain safety until the issue is fully resolved. Colonial said in their public notice, "We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulation."
Additionally, they have had to "take additional precautionary measures to help further monitor and protect the safety and security of its pipeline," according to their press release.
Who is DarkSide?
All evidence points to Russian involvement, but it is unclear yet specifically who is behind this attack. Normally, after the ransomware is installed, the cybercriminals will demand a ransom (payable only by Bitcoin) and then release the decoder key. If the ransom is not paid on time, sometimes the demand will double. DarkSide has a reputation of demanding between $200,000 and $2 million in ransom.
According to Data Breach Today, DarkSide appears to be a cyber gang with a conscience (somewhat) by not targeting hospitals, hospices, schools, universities, non-profit organizations, and government agencies. The group has also publicly claimed that they have donated to charities for children.
The group avoids any Soviet Bloc nations, which indicates that is where they are operating from. Spokespeople for the group have spoken out on Twitter and other social media platforms marketing its wares.
Data Breach Today explains how the group operates "Once it has gained access to an organization's systems, the group moves laterally and targets domain controllers, which are the backbone of an organization's IT infrastructure. Cybereason says the group then collects files, credentials, and sensitive information."
"When those operations are done, DarkSide uses the Microsoft scripting utility PowerShell to download the ransomware binary and puts it on a shared folder within the organization's domain controller itself."