Colonial Pipeline Ransomware Attack Sparks Executive Action, but U.S. Cyber Infrastructure Still Vulnerable

On May 7, Colonial Pipeline, which is responsible for 45% of the East Coast’s fuel supply, proactively shut down 5,500 miles of pipeline in order to contain a ransomware attack that hit its corporate IT systems.

One day later, Colonial confirmed that it was indeed the victim of a ransomware attack. Ransomware is a form of malware that criminal groups use to encrypt systems and hold data hostage until the victim pays a ransom. Many criminal groups have adopted a double-extortion model: a copy of the victim’s data is exfiltrated before the victim’s systems are encrypted, and the criminals then threaten both to leave the systems permanently inaccessible and to publicly release some of the stolen (presumably proprietary) information on the internet. Colonial Pipeline paid close to $5 million in cryptocurrency to the attackers for a decryption tool to restore its disabled network. As is often the case, the tool was slow, and Colonial ultimately relied on its own backups to restore service, almost a week later.

Colonial restarted the pipeline in stages starting on May 12 but full restoration of fuel flows took several days. The incident throttled gas supplies across the eastern U.S. for at least a week and caused fuel shortages and a temporary surge in prices. As a result, the Federal Emergency Management Agency (FEMA) and the Department of Transportation (DOT) declared a regional state of emergency for 18 states to keep the fuel lines open. Meanwhile, President Biden invoked emergency powers to ease restrictions around fuel delivery and ensure that gas and oil supplies kept flowing to airports and cities along the East Coast.

Other recent major cyber-attacks were perpetrated by Russian and Chinese state actors or proxies, while the attack on Colonial has been confirmed to be the work of a criminal gang known as DarkSide. According to the FBI, DarkSide surfaced last August, and the bureau has been investigating the group since October 2020. While DarkSide’s extortion demands are estimated to total millions of dollars, its average ransom was $850,000. Curiously, DarkSide exercised a code of conduct in choosing its victims; hospitals, schools, nonprofits, and government agencies were considered off-limits. As a large for-profit company, Colonial fit its target profile.

Shortly after the FBI confirmed DarkSide as the perpetrator, the group reportedly shut down its operations, claiming that its servers had been seized and its cryptocurrency assets transferred to an unknown account. DarkSide also lost access to its public data leak site and payment servers, possibly due to law enforcement action. According to The Wall Street Journal, DarkSide announced its shutdown to its associates on May 14.

The attack on Colonial Pipeline brings to light two larger issues. First, it emphasizes the vulnerability of the U.S.’ aging critical infrastructure, which has been connected to the internet either directly or indirectly. Second, it confirms a broader trend: the frequency and sophistication of ransomware attacks have increased dramatically in the last year. According to cybersecurity experts, this is driven by the rise of automated attack tools and by the payment of ransoms in cryptocurrencies, which makes it harder to trace the perpetrators.

The FBI, the Department of Energy, and the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security actively participated in the investigation and response to the incident. Actual cyber-attacks on energy systems are rare. This is the second time a pipeline operator has been targeted in a cyber-attack; CISA reported a ransomware attack on a natural gas compression facility of an unnamed company last year. Federal agencies are still checking in with other companies in the fuel industry to ensure that they are properly protecting themselves.

“Critical infrastructure owners and operators are going to experience deeper scrutiny by the government to ensure that they have stronger protections and can maintain a continuity of service,” said Melissa Hathaway, a member of the Board of Regents at the Potomac Institute and a cybersecurity expert. “The steps that management took to halt operational technologies (OT) because of ransom on the corporate IT networks suggest that the company’s networks were not properly segmented and that the malicious actors could have created even more disruption.”

In the meantime, on May 12, President Biden signed an executive order to bolster the cybersecurity of the federal government, improve its ability to respond to major cyber incidents, and improve information sharing between the public and private sectors. The order had been in the works for months but was released in the aftermath of the ransomware attack on Colonial Pipeline and after the SolarWinds supply chain compromise (attributed to the Russian SVR) and the Microsoft Exchange Server attack (attributed to Chinese state-sponsored actors). In response to the SolarWinds compromise the Biden Administration announced sanctions against various Russian entities. Both attacks initially appeared to be cyber espionage cases aimed at the theft of emails and other data, but the nature of the intrusion created “back doors” that could have enabled future attacks on digital and physical infrastructure.

The new executive order will create a road map for cyberdefense by establishing a series of digital safety standards for federal agencies and government contractors, setting up a Cyber Safety Review Board to analyze significant cyber incidents and make concrete recommendations for improving cybersecurity, and increasing collaboration between companies and the federal government in sharing intelligence on cyber threats.

However, some federal officials are not sure whether the order goes far enough. The new measures would not do much to stop attacks like the ones perpetrated by Russian and Chinese malicious actors, although they could help create better responses to ransomware attacks. Also, it is unclear whether the new requirements would apply to private sector companies like Colonial, meaning that it is unlikely that the order would have prevented the Colonial issue.

One thing is for certain, according to Hathaway: “Colonial will surely be further evaluated [by regulators] for the quality of its protections and its transparency about how it responded to the attack.”

Hathaway’s latest article, “Hijacked and Paying the Price: Why Ransomware Gangs Should be Designated as Terrorists,” discusses the growing trend of ransomware attacks, their disruptive impact on society, and the need to designate ransomware operators as terrorists. Read it here.