Colonial Pipeline Ransomware Attack: Bitter Lessons Learned

Colonial Pipeline Ransomware Attack showed that large eneterprises are vulnerable to cyber attacks if they don’t take necessary data protection measures. SpinOne cyybersecurity experts prepared an in-depth analysis of this attack along with suggestions how enterprises can protect their cloud from attacks.

As the world has been facing the COVID-19 pandemic this past year, another pandemic is ramping up to epidemic proportions – ransomware. Ransomware is arguably the most concerning threat to cybersecurity experts and business leaders alike. It can render business-critical data inaccessible and unusable and do this with very few indicators that anything is wrong until the characteristic ransom demand screen pops up on a client computer.

However, with the recent attack on the Colonial Pipeline resulting in critical infrastructure going down, ransomware is steadily moving into the realm of not just a problem for businesses and their data. It is also a significant problem for critical infrastructure industries and, by extension, all they serve, as these are becoming a target of sophisticated ransomware. Let’s look more closely at what we have learned from this late-breaking ransomware attack on Colonial Pipeline and its meaning for future ransomware attacks.

What is Colonial Pipeline?

Colonial Pipeline, founded in 1962, is a privately held company with headquarters located in Alpharetta, Georgia. It is a major pipeline operator in the United States, operating some 5500 miles of fuel pipeline that makes Colonial a major fuel source that services the US East Coast’s gasoline, heating oil, jet fuel, and other fuel needs. They provide roughly 45% of the fuel resources to the eastern United States.

Courtesy of Colonial Pipeline LinkedIn

Colonial Pipeline ransomware attack

On May 7th, 2021, just a few days ago, at the time of this writing, Colonial Pipeline was hit with a ransomware attack from a criminal hacker group known as “Dark Side.” The attack caused the company to shut down critical systems and infrastructure. Ultimately, this resulted in shutting down the 5500-mile long pipeline that feeds half of the fuel to the United States East Coast. The fallout from shutting down the pipeline cause “panic buying” of gasoline and other fuels. The mass shortage of fuel was felt at the pump, with many gas stations running out.

How could hackers infiltrate a large industrial organization and cause this much damage to critical IT systems that affected operations, including the pipeline? Eric Cole, who authored the book Cyber Crisis and has his own cybersecurity company, Secure Anchor, said the situation with the Colonial Pipeline ransomware attack was directly related to the COVID-19 pandemic. The infrastructure changes made to accommodate remote workers for Colonial provided the weakness in the cybersecurity armor that led to the compromise.

Before COVID-19, Colonial carried out critical operations of the pipeline on a secure, closed network with no external access. However, to accommodate remote workers, access to the essential systems controlling the pipeline was made publicly available on the Internet for remote workers. The resulting changes led to the recent ransomware attack.

Many organizations have relaxed security protocols that have been enacted since the COVID-19 pandemic and work-from-home initiatives simply to keep workers productive. This major ransomware attack on Colonial is a wake-up call for all businesses to take a look at their security protocols and configurations to understand any attack vectors that may have crept in.

Ransomware payment when critical infrastructure involved

Most law enforcement agencies worldwide encourage organizations not to pay the ransoms demanded by criminal hacker groups. Regarding ransomware payments, the FBI has detailed in their “how to respond and report ransomware” site:

“The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

However, when dealing with critical infrastructure or business downtime, the pressure to restore access to data and services can be immense. President Joe Biden said in a statement concerning the Pipeline shutdown,

“They should be reaching full operational capacity as we speak, as I speak to you right now. That is good news,” the President said. “But I want to be clear. You will not feel the effects at the pump immediately. This is not like flicking on a light switch.”

As was the case with Colonial Pipeline, shutting down the 5500-mile pipeline meant that millions of Americans faced gasoline shortages at the pump. It is difficult to say it would be the wrong decision to pay the ransom demanded by hacker groups in this situation. Businesses involved with critical infrastructure are in a challenging position and must weigh the consequences of not paying a ransom demand and the potential for the longer resulting downtime as opposed to conceding to the wishes and demands of known criminals.

According to Bloomberg, Colonial Pipeline reportedly paid the hackers the demanded $5 million in Bitcoin. Considering the tremendous impact, this is a “drop in the bucket” compared to the money lost due to the shutdown and the impairment to critical infrastructure. The same Bloomberg report made mention the provided decrypting tool was so slow the company continued restoring from backup in parallel with the decrypting tool. Bloomberg News noted when they asked President Joe Biden if he was briefed on the company’s ransom payment, the President paused, then said:

“I have no comment on that.”

A rallying call for attacks on critical infrastructure

While traditional ransomware attacks corporate environments and locks up computer files, some even extorting money with threats of a data leak, critical infrastructure attacks serve to disrupt. Ransomware attacks are growing more effective and sophisticated each year, and critical infrastructure attacks have been in their sights for some time now.

Recently, hackers have hit solar power firms, federal and local government agencies, water treatment plants, and police departments across the US. While these types of attacks attempt to make money, they often serve a great purpose of attacking core critical infrastructure to disrupt, extort, and inflict damage. Some are part of nation-state attacks, but others may be hacking groups attempting to make a name for themselves.

Unfortunately, the ransomware attack on Colonial Pipeline may encourage and usher in a whole new era of attacks. While ransomware has targeted critical infrastructure before, the Colonial Pipeline attack is by far the most successful of its kind. An entire region of the country was affected for days. It caused significant disruption such that the President of the United States made certain policy interventions and reactions to make it easier to transport fuel. Colonial paid the ransom, and the attack served as a major disruption to critical US infrastructure. It is a win-win for hackers.

Will this attack serve as a rallying call for other hacker groups to purposely attack industrial organizations that produce or serve out core infrastructure? Time will tell on that front. However, the Colonial Pipeline attack is certainly not the end of attacks of this kind.

Alarming Ransomware trends

The Colonial Pipeline attack and many others like it highlight an alarming trend among recent ransomware attacks. Are ransomware attacks becoming an even more significant part of malicious attacks? Yes. According to the Verizon 2021 Data Breach Investigations Report,

“The major change this year with regard to action types was Ransomware coming out like a champ and grabbing third place in breaches (appearing in 10% of them, more than doubling its frequency from last year).”

Other ransomware statistics include:

Every 11 seconds, a new organization falls victim to ransomware
In 2020 73% of all ransomware attacks were successful

Aside from the sheer numbers, ransomware attacks are targeting more prominent and critical targets. If you look at the trend in types of targets in recent attacks, we have seen targets such as the following:

Many have thought for years now that a massive cyberattack on critical infrastructure such as the electric grid is an ever-looming threat that comes closer to reality with other infrastructure attacks like the Colonial Pipeline attack. Infiltrating industrial control systems is undoubtedly achievable given the interconnected nature of today’s critical infrastructure.

A recent report from the Government Accountability Office (GAO) found the electric grid’s distribution systems responsible for carrying electricity from providers to consumers are increasingly at risk of cyberattacks. The report states:

“Distribution systems are growing more vulnerable, in part because their industrial control systems increasingly allow remote access and connect to business networks. As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations.”

Examples of techniques for gaining initial access to Industrial Control Systems (courtesy of GAO)

Heightened Threat – What organizations can do

It is imperative for organizations worldwide and in every business sector to take the threat of ransomware seriously. Ransomware can not only lock down files. It can disrupt lives, as shown with recent attacks such as the Colonial Pipeline. Businesses need to give rapt attention to their cybersecurity strategies, tooling, and other cybersecurity processes and procedures. Giving attention to the basics is essential. It includes such things as:

Securing email against phishing attacks
Implementing two-factor authentication
Securing perimeter networks

Aside from securing email, identity, and the network perimeter, the reactive, traditional approach to cybersecurity with manual processes is no longer effective in dealing with modern ransomware variants. New techniques and cybersecurity defenses such as security automation help organizations to give attention to their security posture and limit the scope of damage that ransomware can inflict on business-critical environments.

While security automation is not 100% effective against preventing a ransomware attack, it can much more rapidly contain and stop an attack as it unfolds. Security automation helps to quickly disarm the hackers using ransomware as they cannot encrypt enough data leading to any consequence.

Security automation solutions use next-generation artificial intelligence (AI) and machine learning (ML) to recognize the anomalies in the environment, either in user-level or file-level behavior, indicating a ransomware infection is underway. After a ransomware attack is discovered, the same AI and ML processes can block the attack source and remediate the environment based on predefined “playbooks” of tasks.

SpinOne is a cloud SaaS Security Posture Management (SSPM) Platform that uses security automation in the fight against ransomware in cloud SaaS environments such as Google Workspace and Microsoft 365. SpinOne uses a four-step process to remediate ransomware, including:

SpinOne detects the ransomware attack using AI and ML-driven processes
It automatically blocks the network source of the ransomware attack
It identifies the number of damaged files
SpinOne automatically recovers files infected by ransomware

It is a great example of proactive security automation in action that allows countering the massive threat vectors, including ransomware, on the horizon.

Concluding Thoughts

The massive Colonial Pipeline ransomware attack is arguably the first of its kind in scale and damage caused. It emphasizes that ransomware is not simply a threat to files and data on servers. It can disrupt the everyday livelihood of the populous, whether they care or directly use technology or not. It shows how dependent we have become on technology in all aspects of life, industries, processes, and critical infrastructure.

It highlights the evolving danger to even further critical infrastructure attacks and the need for these industries to bolster their cybersecurity posture to deal with attacks in the future. Using security automation allows AI and ML processes to quickly and automatically deal with threat actors as they attack technology environments. SpinOne is an example of a next-generation SSPM solution that effectively uses security automation to protect against ransomware in the cloud.

Statement from CISA acting director Wales on executive order to improve the Nation’s cybersecurity and protect federal networks

Source: Cybersecurity and Infrastructure Security Agency

Original release date: May 13, 2021

WASHINGTON – Yesterday, President Biden signed an executive order to improve the nation’s cybersecurity and protect federal government networks. Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales released the following statement:

“President Biden’s executive order is an important step forward in bolstering our nation’s cybersecurity. As last week’s ransomware attack against the Colonial Pipeline and recent intrusions impacting federal agencies demonstrate, our nation faces constant cyber threats from nation-states and criminal groups alike.”

“As the nation’s lead agency for protecting the federal civilian government and critical infrastructure against cybersecurity threats, CISA serves a central role in implementing this executive order. This executive order will bolster our efforts to secure the federal government’s networks, including by enabling greater visibility into cybersecurity threats, advancing incident response capabilities, and driving improvements in security practices for key information technology used by federal agencies. And because the federal government must lead by example, the executive order will catalyze progress in adopting leading security practices like zero-trust architectures and secure cloud environments.”

“The cybersecurity landscape is constantly changing, and this executive order reflects the need for a sustained commitment and urgent progress. We are now moving forward with this same commitment and urgency to implement the President’s executive order to defend against the threats of today and secure against the risks of tomorrow.”