What We Can Learn From the Colonial Pipeline Ransomware Attack
The DarkSide hacking group infiltrated the systems of the Colonial Pipeline, locked IT out, and demanded ransom. What can we learn from this?
The DarkSide hacking group successfully infiltrated the systems of the Colonial Pipeline, locked IT out, and demanded ransom. This shut down a major oil and gas pipeline that served the entire eastern U.S. corridor from Maine to Florida and even as far as Texas. Gas prices soared and long lines formed as supplies ran out. The federal government came under criticism for its hands-off approach.
The word on the street is that the company paid around $5 million to restore access. This goes directly against FBI and Department of Homeland Security advice: These agencies constantly preach that paying off bad actors only encourages them to do it again (it’s a similar policy to “We don’t negotiate with terrorists”).
But investigators are still coming to terms with how hackers could bring to a standstill the systems that supply over 100 million gallons of fuel per day (almost half the East Coast’s needs). They are still working out whether the attack vector was an unpatched vulnerability, a phishing email, compromised access credentials, or some other method.
This attack may not be an isolated occurrence. It prompted the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to issue an alert that DarkSide has “recently been targeting organizations across various sectors including manufacturing, legal, insurance, healthcare, and energy.”
Who would have thought that an innocuous-sounding concept such as Software-as-a-Service (SaaS) would eventually morph into Ransomware-as-a-Service (RaaS)? Yet DarkSide (believed to be Russian-based or Russian-linked) is effectively a RaaS community offering its malware to criminals on a subscription basis.
Once the RaaS software gets inside, it hijacks data, encrypts it, and deletes volume shadow copies to thwart recovery from backups. If you don’t pay up, confidential data is sometimes published on the web. The group’s business model even involves negotiating with competitors of the hacked firm, as well as with investors looking to make a quick buck from inside information about when potentially damaging information will be published. The group gives to charity as a ploy to improve its image – straight out of the playbook of Pablo Escobar, who became a folk hero in his nation thanks to his cocaine-funded largesse.
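The shadow-copy deletion described above is one of the few noisy, host-observable steps ransomware takes before encryption, which makes it a good detection point. The following is an added example (not code from the original post) of detection logic run over process-creation logs: it flags the common shadow-copy deletion commands and, going slightly beyond the post, other backup-tampering commands such as wbadmin catalog deletion, then raises severity when several distinct techniques fire on one host within a short window. The key=value log format and every sample line are constructed for this example; a real deployment would feed it Sysmon Event ID 1 or Windows Security 4688 events from a SIEM.

```python
"""Detect shadow-copy and backup-tampering commands in process-creation logs.

Added example, not code from the original post. The log format and the
SAMPLE_EVENTS below are constructed, not real telemetry.
"""
import re
from datetime import datetime
from typing import Dict, List

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample events (key=value, quoted cmdline). Three destructive
# commands on one file server, then two benign commands elsewhere.
SAMPLE_EVENTS = [
    'ts=2021-05-07T03:12:44Z host=FILESRV01 user=CORP\\svc_backup parent=powershell.exe '
    'cmdline="vssadmin.exe delete shadows /all /quiet"',
    'ts=2021-05-07T03:12:45Z host=FILESRV01 user=CORP\\svc_backup parent=cmd.exe '
    'cmdline="wmic.exe shadowcopy delete /nointeractive"',
    'ts=2021-05-07T03:12:46Z host=FILESRV01 user=CORP\\svc_backup parent=cmd.exe '
    'cmdline="wbadmin.exe delete catalog -quiet"',
    'ts=2021-05-07T09:01:02Z host=ADMIN-PC user=CORP\\itops parent=explorer.exe '
    'cmdline="vssadmin.exe list shadows"',
    'ts=2021-05-07T09:05:10Z host=WS-204 user=CORP\\jdoe parent=explorer.exe '
    'cmdline="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE /n"',
]

# Each rule: (regex over the command line, technique label). The binaries are
# legitimate admin tools, so the rules key on the destructive verbs, not the
# tool name alone (e.g. "vssadmin list shadows" must not fire).
RULES = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I), "vssadmin shrink shadow storage"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"win32_shadowcopy\b.*\b(delete|remove-wmiobject|remove-ciminstance)\b", re.I),
     "PowerShell/WMI shadow copy removal"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
     "wbadmin backup catalog deletion"),
]

# key=value pairs; a value is either a double-quoted string or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value log line into a dict."""
    event: Dict[str, str] = {}
    for match in _KV.finditer(line):
        key, quoted, bare = match.groups()
        event[key] = quoted if quoted is not None else bare
    return event


def classify(event: Dict[str, str]) -> List[str]:
    """Return the technique labels whose rule matches the event's command line."""
    cmd = event.get("cmdline", "")
    return [label for rx, label in RULES if rx.search(cmd)]


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every line; one alert per matching event."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        hits = classify(event)
        if hits:
            alerts.append({
                "ts": event.get("ts", ""),
                "host": event.get("host", ""),
                "user": event.get("user", ""),
                "techniques": hits,
                "cmdline": event.get("cmdline", ""),
            })
    return alerts


def score_hosts(alerts: List[Dict[str, object]], window_seconds: int = 300) -> Dict[str, Dict[str, object]]:
    """Per host: 'high' when two or more distinct techniques fire inside the window
    (the rapid-fire pattern seen before encryption), otherwise 'medium'."""
    by_host: Dict[str, List[Dict[str, object]]] = {}
    for alert in alerts:
        by_host.setdefault(str(alert["host"]), []).append(alert)

    summary: Dict[str, Dict[str, object]] = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: str(a["ts"]))
        times = [datetime.strptime(str(a["ts"]), TS_FMT) for a in items]
        techniques = set()
        for a in items:
            techniques.update(a["techniques"])  # type: ignore[arg-type]
        span = (times[-1] - times[0]).total_seconds()
        severity = "high" if len(techniques) >= 2 and span <= window_seconds else "medium"
        summary[host] = {
            "severity": severity,
            "techniques": sorted(techniques),
            "count": len(items),
            "first_seen": items[0]["ts"],
        }
    return summary


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts']} {a['host']} {a['user']}: {', '.join(a['techniques'])} <- {a['cmdline']}")
    for host, info in score_hosts(found).items():
        print(f"{host}: severity={info['severity']} techniques={info['count']} first_seen={info['first_seen']}")
```

The per-host scoring is the part worth keeping: a single `vssadmin delete shadows` from a backup operator is sometimes legitimate and deserves a medium-priority ticket, whereas three different backup-tampering commands from one account in two seconds is the pre-encryption staging pattern and should page someone immediately.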
This breach serves notice of the unforeseen consequences of the ongoing effort to fully digitize systems and bring together the worlds of IT and operational technology (OT). The world of OT has been largely immune to cyberhacking as its systems were never networked. Now that they are, those industries that are digitally transforming are realizing they are wide open to attack.
When it comes to security, OT is the wild west. The country’s infrastructure is a labyrinth of remote sites, logins, and points of entry. But that is about to change. The federal government is beginning to enforce multi-factor authentication, and data encryption at rest and in transit, as well as the implementation of zero trust security, better endpoint protection and faster incident response.
CISA recently urged industry to immediately update antivirus signatures, deploy the latest OS and application patches, disable file and printer sharing services, institute least privilege access, and deploy multi-factor authentication on networks. Further recommendations are to use spam filters and network traffic filters, establish employee training programs, and conduct security audits and risk assessments.
Patch, Patch, and Patch Again
Unpatched systems are a primary attack vector into organizations. Failure to patch systems can be taken as an invitation to hackers to come on in. In light of the Colonial Pipeline incident, stronger security legislation could be on the horizon. Executives failing to ensure timely patching of corporate networks could possibly be up for criminal charges.
The moral is clear: Centrally patch all systems and automate the process. Syxsense Secure provides automated patch management, vulnerability scanning, and IT management. It detects outdated patches and threats in real time and can be used to implement updates before bad actors can take advantage of exploits.