Colonial Pipeline Attack Recap

On Friday, May 7th, the largest pipeline system for refined oil products in the U.S. fell victim to a large-scale cybersecurity attack.

The attack involved ransomware and led to a complete pipeline shutdown lasting a full six days. This extensive outage had a considerable impact on East Coast markets, which suffered gasoline, diesel, and jet fuel shortages, including long lines in front of gas stations and panic buying of gasoline and diesel.

Update

On Monday, June 7th, U.S. law enforcement officials stated that 67.3 bitcoins of the ransom paid by Colonial Pipeline had been recovered.

On Tuesday, June 8th, Colonial Pipeline CEO Joseph Blount confirmed that a ransom of 75 bitcoins was paid to DarkSide (around 4.4 million at that time). He also revealed that the hacking group got access to the IT network through a legacy VPN account that was not intended to be in use. The account did not have MFA (multi-factor authentication), and it is still not clear how DarkSide was able to get the credentials. The company's top executive also stated that the shutdown of the pipeline was a preventive measure, and that no indications were found that the ransomware was targeting the OT infrastructure.

Incident Summary

Located on the East Coast, Colonial Pipeline supplies more than ten states with different oil products (Texas, Louisiana, Mississippi, Alabama, Georgia, South Carolina, North Carolina, Virginia, Maryland, Delaware, Pennsylvania). The pipeline runs from Texas to New York, covering almost 9,000 km, making it the most extensive pipeline distribution system for fuel within the U.S.

Figure 1 Colonial Pipeline company system map (source: https://cpcyberresponse.com/system-map/)

At midday on Saturday, May 8th, the company stated the following:

“On May 7th, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations and affected some of our IT systems.” (source)

Upon discovering the incident, Colonial Pipeline contacted law enforcement and federal agencies to start the investigation. To bring in additional cybersecurity know-how, Colonial Pipeline contacted FireEye to take part in the analysis and support the remediation activities.

During the following days, Colonial Pipeline worked intensively on the recovery process, including a broad communication campaign. This campaign covered a diverse set of channels, including the company’s website, social media such as Twitter, and a dedicated web page launched on May 11th, providing continual updates on the incident and the ongoing recovery activities.

The recovery process took ten days, from the incident and shutdown to the “back to normal” state of all pipeline systems. However, it is expected that the markets could take several more days until the supply chain catches up and a pre-incident status is restored.

The Ransomware Journey

For decades, different evolving types of malware (malicious software), and associated criminal business models, have been a constant struggle for IT departments worldwide. Currently, so-called ransomware is most likely the most famous and most feared type of malware.

Ransomware is designed to encrypt all data and, in some instances, system files accessible from an infected system. The most advanced kind of ransomware also brings capabilities to further distribute and infect other systems autonomously. The applied encryption mechanisms lock users and IT administrators out of files and devices, rendering the affected IT systems unusable. In the early years of ransomware, often only single systems were infected, allowing for a quick recovery through enterprise-grade backup systems.

While these low-level attacks still exist, some criminal groups have also advanced their attack methodologies. In this advanced approach, after an initial break-in occurs, criminals infect as many of an organization's systems as possible using different spreading mechanisms (such as exploiting outdated software or weak passwords). All those systems eventually start to encrypt data and system files at a coordinated point in time, aiming for the highest possible impact.

Following the encryption of all relevant and vulnerable systems, attackers hold the affected data and environments hostage until a ransom is paid. It is common for attackers to pressure the company by threatening to expose stolen data if it refuses to pay. Only if this payment is made do users receive a decryption tool or key, allowing them to recover their data. These ransom payments are commonly made in cryptocurrencies, such as Bitcoin, to allow a nearly anonymous payment methodology. Alternatively, an organization can attempt to restore its IT infrastructure and data from unaffected backups or rebuild its IT infrastructure from scratch.

Handling these types of attacks leaves companies in a dilemma. With IT systems being unavailable for large parts of the organization, payment of the ransom seems to be the obvious and quickest way to retrieve data and recover operational functionality. However, leading researchers and agencies with specialized departments such as the FBI and the German Federal Police (Bundeskriminalamt) warn organizations against giving in and paying the ransom. Not only is paying ransom legally problematic in several countries such as the U.S., where government organizations strictly prohibit this type of ransom payment, it is also not guaranteed that encrypted data can be recovered after the payment is made.

Restoring data and systems from unaffected backups, on the other hand, is, if possible at all, very likely to take several days and to require extensive support from external IT specialists.

Overall, organizations suffer a significant service impact, as IT services and dependent business capabilities often require up to weeks to be restored, leading to a drastic effect on revenue, profit, share prices, and customer trust. Moreover, depending on which data was encrypted or perhaps even stolen, additional liabilities and fines may occur.

DarkSide

On Monday, May 10th, the FBI revealed that a cyber-criminal organization called DarkSide was responsible for the attack on Colonial Pipeline.

DarkSide is a fairly new hacking group based in Eastern Europe, also suspected to be involved in the recent attack on Toshiba. The group follows the trend of professionalizing ransomware-as-a-service (RaaS). They define themselves as an enterprise and take a professional approach to extortion, with help-desk support and call-in numbers to help with their victims’ decryption and payment efforts.

The group itself has stated that it is apolitical and not tied to any government activities. They have a very clear business approach: they aim to have an ethical facade, presenting a code of conduct to their victims and affiliates with protected organizations that are “out of scope” like hospitals, hospices, schools, universities, nonprofit organizations, and government agencies.

“Our goal is to make money and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” (source)

According to their statement, part of the profits had been donated to charity.

“We think that it’s fair that some of the money the companies have paid will go to charity; no matter how bad you think our work is, we are pleased to know that we helped change someone’s life.” (source)

This “ethical” attitude to crime works in their interest, earning credibility among their victims and developing good publicity.

However, after the incident with Colonial Pipeline, the group attracted more attention than they expected. The pressure from different organizations and legal authorities caught them off guard. On May 13th, a representative of DarkSide posted in the Russian-language forum XSS that they had lost access to the public part of their infrastructure due to “pressure from the US.”

A complete translation of the note penned by DarkSide can be found on the Intel471 blog.

It’s hard to tell if this is the end of the criminal organization, since it is a common dynamic for cybercriminal networks to back off when they get some heat and reappear later under a different name.

Timeline

On May 7th, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. In response, the company halted all the pipeline operations and contracted a third-party cybersecurity firm to support the remediation efforts.

On May 9th, the Colonial Pipeline operations team developed a system restart plan. While the mainlines (Lines 1, 2, 3, and 4) remained offline, some smaller lateral lines between terminals and delivery points were returned to operation.

On May 10th, Line 4 was restarted to work under manual control for a limited time.

On May 11th, Colonial Pipeline initiated additional distribution methods to supply those markets suffering constraints.

On May 12th, Colonial Pipeline initiated the restart of pipeline operations.

On May 13th, 90% of the pipeline system was working. Later in the day, 100% was achieved.

On May 17th, all pipeline systems were operating normally again.

BxC Take Away on the Colonial Pipeline Attack

Though the financial revenue for DarkSide from this ransomware action is not reliably known, it is an attractive example in the business of Ransomware as a Service (RaaS). The increase in ransomware attacks over about the last 6 months leads us to believe that we will keep seeing a growing number of such attacks.

Network segmentation, emergency incident processes, and incident detection capabilities are part of an essential toolset that we strongly recommend enterprises of every size, from small to large, equip themselves with.
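As an added illustration of such a detection capability, tied to the legacy VPN account without MFA described in the update, the following sketch audits a VPN account inventory and then flags successful logins by accounts that should no longer be usable. It is example code added to this recap, not Colonial Pipeline's or BxC's tooling; the account names, inventory columns, log format and 90-day dormancy threshold are assumptions, and all sample data is constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data (hypothetical names, documentation-range IPs).
# INVENTORY is a snapshot of VPN accounts taken on 2021-04-28.
INVENTORY = """username,enabled,mfa_enrolled,last_login,status
asmith,true,true,2021-04-27,active
svc-legacy-vpn,true,false,2020-09-14,decommissioned
bjones,true,false,2021-04-26,active
oldcontractor,false,false,2019-11-02,offboarded
"""
AUTH_LOG = """2021-04-29T08:12:44Z vpn-gw1 login user=asmith result=success src=198.51.100.7
2021-04-29T23:51:09Z vpn-gw1 login user=svc-legacy-vpn result=success src=203.0.113.45
2021-04-30T02:03:31Z vpn-gw1 login user=oldcontractor result=failure src=203.0.113.45
"""

def audit_accounts(inventory_csv, snapshot_date, stale_days=90):
    """Map each enabled account to the reasons it should not be usable as-is."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["enabled"] != "true":
            continue  # disabled accounts cannot authenticate
        reasons = []
        if row["mfa_enrolled"] != "true":
            reasons.append("no MFA")
        last = datetime.strptime(row["last_login"], "%Y-%m-%d")
        if snapshot_date - last > timedelta(days=stale_days):
            reasons.append("dormant")
        if row["status"] != "active":
            reasons.append("status=" + row["status"])
        if reasons:
            findings[row["username"]] = reasons
    return findings

def risky_logins(auth_log, findings):
    """Successful logins by accounts flagged as dormant or no longer active."""
    hits = []
    for line in auth_log.splitlines():
        fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
        reasons = findings.get(fields.get("user"), [])
        # "no MFA" alone is an audit finding, not a login alert.
        if fields.get("result") == "success" and any(r != "no MFA" for r in reasons):
            hits.append((line.split()[0], fields["user"], fields["src"]))
    return hits

if __name__ == "__main__":
    found = audit_accounts(INVENTORY, datetime(2021, 4, 28))
    print(found, risky_logins(AUTH_LOG, found), sep="\n")
```

The audit findings feed account cleanup (disable or enroll in MFA), while the login check is the alerting half: a dormant or decommissioned account that suddenly authenticates is worth an immediate look.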
