Colonial Pays $5M Ransom, Returns Service
After paying a ransom of nearly $5 million, the largest U.S. refined products pipeline system, Colonial Pipeline (Alpharetta, Georgia), reported that it has officially resumed “normal operations” following a ransomware attack experienced at the beginning of the month.
“All of these markets are now receiving product from our pipeline,” Colonial stated, adding that its employees across the pipeline “worked safely and tirelessly around the clock to get our lines up and running.”
On May 7, Colonial Pipeline reported that it was the victim of a ransomware attack on its corporate computer systems. Unlike a typical intrusion, a ransomware attack is usually carried out by criminal hackers who encrypt the victim's data and paralyze its networks. The hackers typically leave instructions on the infected computers and/or demand a large ransom payment in exchange for the decryption keys.
Following the attack, Colonial hired the private cybersecurity firm FireEye/Mandiant to lead the incident response investigation; the Federal Bureau of Investigation had already confirmed that DarkSide ransomware was responsible for the attack.
At the time, cybersecurity technology company Cybereason also weighed in with information about DarkSide, noting that the group is relatively new but had previously targeted domain controllers and used double-extortion methods: it encrypts the target's data and also exfiltrates it, threatening to make it public.
As a result of the incident, Colonial Pipeline reported that some of its company information and technology systems were affected. In a statement, the company noted that once it realized what was happening, it proactively took systems offline and halted its pipeline operations, which transport more than 100 million gallons of fuel a day.
"US firm pays $5m ransom to Colonial Pipeline hackers" https://t.co/ns27A8Q7z1 (tweet by David, @davewetzelca, May 13, 2021)
On the morning following the attack, the White House reported that President Joe Biden was briefed on the incident and that federal government agencies ranging from the Department of Energy to the Transportation Security Administration would also be working with Colonial Pipeline and the Cybersecurity and Infrastructure Security Agency to assess the implications of the attack, restore operations and avoid disruptions to the supply.
In an additional effort to mitigate any potential supply issues, the Biden administration issued an emergency waiver extending driving hours for truck drivers delivering fuel across 17 states, including several in the southeastern U.S. that depend on the pipeline for fuel. According to additional reports, the government was also planning to run through various scenarios and work in conjunction with state and local authorities.
The following Sunday, Colonial Pipeline was reported to have restored some smaller, lateral lines between terminals and delivery points. On Monday, the company resumed limited shipments, delivering fuel from North Carolina to a terminal in Maryland under manual control for as long as existing inventory was available.
Paying the Ransom, Returning Service
Contrary to reports following the attack that said Colonial had no intention of paying an extortion fee, last Friday the pipeline company agreed to pay DarkSide nearly $5 million (75 Bitcoin) to restore the country's largest fuel pipeline.
According to reports, in an effort to get gasoline and jet fuel flowing again to major cities along the East Coast, Colonial paid the ransom in a difficult-to-trace cryptocurrency. Once accepted, DarkSide provided Colonial with a decrypting tool to restore its disabled computer network.
“They had to pay,” said Ondrej Krehel, Chief Executive Officer and Founder of digital forensics firm LIFARS and a former cyber expert at Loews Corp., which owns Boardwalk Pipeline. “This is a cyber cancer. You want to die or you want to live? It’s not a situation where you can wait.”
Krehel went on to tell Bloomberg that the ransom was actually very low compared with other attacks, which have demanded amounts as high as $25-$35 million. He believes, however, that the reduced demand was a reaction to having triggered a massive government response.
Around 5 p.m. on Wednesday, fuel shipments were officially resumed to normal operations.
Call for Increased Cyber Security
While the attack on Colonial Pipeline is the latest in a series of infrastructure cyberattacks, earlier this year a water treatment plant in Oldsmar, Florida, reported that a hacker had breached its computer network and changed the sodium hydroxide level from 100 parts per million to 11,000 parts per million.
Sodium hydroxide—also known as lye—is commonly used at water treatment plants to control the acidity of drinking water and remove metals. However, too much of the chemical can make the water dangerous to drink.
After it appeared that the hacker had left the system, the operator immediately returned the sodium hydroxide to its previous level, ensuring that no harm came to the public or the drinking water. To put local residents at ease, Gualtieri noted that even if the operator had not been present, the change would have been caught during a secondary chemical check when the water is moved to holding tanks.
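The Oldsmar account describes two independent layers that caught the change: the operator watching the setpoint, and a separate chemical check on the water itself. The following Python is an added example, not code from Colonial Pipeline, the Oldsmar plant or any of the article's sources, showing how a dosing controller can enforce a safe operating envelope on setpoint writes, log every attempt for investigators, and run a secondary check on the measured concentration rather than on the controller's own state. The envelope limits, the event sources (`hmi-operator`, `remote-session`) and the measured values are constructed for the illustration; only the 100 ppm and 11,000 ppm figures come from the article.

```python
"""Setpoint guardrail with an independent secondary check (added example)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Envelope:
    """Safe operating window for the dosing setpoint (constructed limits)."""
    low_ppm: float
    high_ppm: float
    max_step_ppm: float  # largest change a single write may make


@dataclass
class DosingController:
    envelope: Envelope
    setpoint_ppm: float
    audit: List[str] = field(default_factory=list)

    def request_setpoint(self, new_ppm: float, source: str) -> bool:
        """Accept the write only if it stays inside the envelope; log either way."""
        step = abs(new_ppm - self.setpoint_ppm)
        if not (self.envelope.low_ppm <= new_ppm <= self.envelope.high_ppm):
            self.audit.append(f"REJECT {source}: {new_ppm} ppm outside "
                              f"[{self.envelope.low_ppm}, {self.envelope.high_ppm}]")
            return False
        if step > self.envelope.max_step_ppm:
            self.audit.append(f"REJECT {source}: step of {step} ppm exceeds "
                              f"{self.envelope.max_step_ppm}")
            return False
        self.audit.append(f"ACCEPT {source}: {self.setpoint_ppm} -> {new_ppm} ppm")
        self.setpoint_ppm = new_ppm
        return True


def secondary_check(measured_ppm: float, envelope: Envelope) -> bool:
    """Independent check on what was actually dosed, not on the setpoint.

    Software analogue of the chemical check at the holding tanks: it does not
    trust the controller's own state, so it still fires if a bad write got through.
    """
    return envelope.low_ppm <= measured_ppm <= envelope.high_ppm


# Constructed sequence of setpoint write attempts: (source, requested ppm).
# The 11,000 ppm write mirrors the change reported at Oldsmar.
WRITE_EVENTS = [
    ("hmi-operator", 110.0),
    ("remote-session", 11000.0),
    ("remote-session", 190.0),
    ("hmi-operator", 100.0),
]


def replay(events, envelope: Envelope, start_ppm: float) -> Tuple[float, int, List[str]]:
    """Replay write events; return final setpoint, number rejected, and the audit log."""
    ctl = DosingController(envelope, start_ppm)
    rejected = sum(0 if ctl.request_setpoint(ppm, src) else 1 for src, ppm in events)
    return ctl.setpoint_ppm, rejected, ctl.audit


def run_demo() -> Tuple[float, int]:
    """Run the constructed events through a 50-200 ppm envelope with a 25 ppm step limit."""
    envelope = Envelope(low_ppm=50.0, high_ppm=200.0, max_step_ppm=25.0)
    final_ppm, rejected, audit = replay(WRITE_EVENTS, envelope, start_ppm=100.0)
    for line in audit:
        print(line)
    return final_ppm, rejected


if __name__ == "__main__":
    print(run_demo())
    print("secondary check at 11,000 ppm:",
          secondary_check(11000.0, Envelope(50.0, 200.0, 25.0)))
```

The step limit matters as much as the absolute range: the 190 ppm write is inside the envelope but is refused because it jumps 80 ppm in one move, which is the kind of change an operator would want to see raised as an alarm rather than applied silently. The audit log keeps the rejected attempts and their source, which is what an investigation like the one described for Oldsmar needs.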
Since the incident, Oldsmar local authorities, alongside the Federal Bureau of Investigation and the U.S. Secret Service, have been investigating the hack. In February, investigators were unsure whether the hacker was located within the U.S. or somewhere outside the country.
Over the past year, American cybersecurity firm Mandiant told Bloomberg, attacks against industrial systems have increased, with hackers mostly engaging in limited-impact operations. Other experts have pointed out that industrial control systems have become more of a target as they have grown more interconnected within the OT environment and more connected to the IT environment as well.
The increased vulnerability is also attributed to the shift to more remote operations in the wake of the ongoing coronavirus pandemic.
To mitigate these issues, President Biden has already spoken about increasing cybersecurity. Since the start of the year, the Department of Homeland Security has issued 25 advisories listing various industrial control systems that could be vulnerable to hacking.
By April, Neuberger told reporters that the government was undertaking a new effort to help electric utilities, water districts and other critical industries protect against potentially damaging cyberattacks. The goal is to ensure that control systems serving 50,000 or more Americans have the core technology to detect and block malicious cyber activity.
Following that announcement, the White House has since launched a 100-day initiative aimed at protecting the country’s electricity system from cyberattacks by encouraging owners and operators of power plants and electric utilities to improve their capabilities for identifying cyber threats to their networks.
While additional measures are being taken, other industry leaders have said that they are disappointed, though not surprised, by the uptick in attacks.
“The systemically important critical infrastructure entities, and their most vital systems and assets, are pressure points in our grid, and targets for both nation state adversaries and criminal actors, allowing them to scale up the effects of cyber campaigns and the risk they can pose to the United States in peacetime and in crisis,” Cyberspace Solarium Commission (CSC) co-chairs Sen. Angus King (I-Maine) and Rep. Michael Gallagher (R-Wisconsin) said in a joint statement.
On the technical side, Mark Montgomery, senior fellow at the Foundation for Defense of Democracies and senior advisor to the Cyberspace Solarium Commission, said via email, “This is the sort of issue that concerns us in all these infrastructure systems that have undergone significant automation over the past two decades. If the cybersecurity effort does not keep pace, you can have vulnerabilities in your IT, or your OT, or both.”