Follow-up on the East Coast Fuel Emergency

More information has surfaced since our last post on the Colonial Pipeline attack that triggered the east coast fuel emergency. Antipathy toward Russia has coloured much of the coverage since. The two headline cases are not the same kind of threat, though: the SolarWinds intrusion was attributed by the US government to Russia's SVR, a state intelligence service, while DarkSide, the group behind Colonial Pipeline, is a Russian-speaking criminal ransomware operation, and there is no public indication at this point that the Russian government directed it. Both attacks hit private corporations with vast social consequences; one was espionage, the other was criminals being criminals. The need for cybersecurity is greater than ever and growing constantly.

FireEye published a blog delving into the technical aspects of DarkSide's operations, including the Colonial Pipeline intrusion. Mapping the observed tactics, techniques and procedures to the MITRE ATT&CK framework is useful for detection engineering, but ATT&CK is a catalogue of behaviours, not a signature that identifies an actor; the FBI confirmed that DarkSide ransomware was responsible. Incidentally, the IoCs in FireEye's blog don't fully match the IoCs selectively distributed by the Canadian government.
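One way to check a mismatch like that is to normalize both lists before comparing them, since defanging (hxxp, [.]), letter case and trailing dots make identical indicators look different. The script below is an added example for this post, not code from FireEye, from the Canadian advisory or from the original article; the two feeds and every indicator in them are constructed placeholders (documentation IP ranges, .invalid domains, the SHA-256 of the empty string), not real DarkSide indicators.

```python
"""Normalize and diff two indicator-of-compromise (IoC) lists.

Added example for this post; it is not code from FireEye, from the
Canadian advisory or from the original article. The two feeds below are
constructed placeholders (documentation IP ranges, .invalid domains and
the SHA-256 of the empty string), not real DarkSide indicators.
"""
import re
from typing import Dict, Set, Tuple

# Constructed feed A: defanged, upper-case hash (advisory style).
FEED_A = """
# constructed sample, not real indicators
hxxp://update-check[.]example[.]invalid/api/report
203[.]0[.]113[.]10
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
ransom-note-drop.example.invalid
"""

# Constructed feed B: same indicators, different formatting, plus extras.
FEED_B = """
http://Update-Check.example.invalid/api/report
203.0.113.10
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
198.51.100.7
tor-contact[.]example[.]invalid
"""

HEX_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(value: str) -> str:
    """Undo common defanging so equivalent indicators compare equal."""
    v = value.strip()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[/]", "/")):
        v = v.replace(defanged, real)
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def classify(value: str) -> Tuple[str, str]:
    """Return (indicator type, canonical form) for one refanged value."""
    if len(value) in HEX_HASH_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", value):
        return HEX_HASH_LENGTHS[len(value)], value.lower()
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", value):
        return "ipv4", value
    if re.match(r"^https?://", value, re.IGNORECASE):
        scheme, rest = value.split("://", 1)
        host, _, path = rest.partition("/")
        # scheme and host are case-insensitive; the path is not
        return "url", f"{scheme.lower()}://{host.lower()}/{path}"
    if re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", value):
        return "domain", value.lower().rstrip(".")
    return "unknown", value


def parse_feed(text: str) -> Dict[str, Set[str]]:
    """Parse one indicator per line into {type: {canonical values}}."""
    feed: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, canonical = classify(refang(line))
        feed.setdefault(kind, set()).add(canonical)
    return feed


def compare_feeds(feed_a: str, feed_b: str) -> Dict[str, Dict[str, Set[str]]]:
    """Per indicator type, report what both feeds share and what each has alone."""
    a, b = parse_feed(feed_a), parse_feed(feed_b)
    report: Dict[str, Dict[str, Set[str]]] = {}
    for kind in sorted(set(a) | set(b)):
        sa, sb = a.get(kind, set()), b.get(kind, set())
        report[kind] = {"both": sa & sb, "only_a": sa - sb, "only_b": sb - sa}
    return report


if __name__ == "__main__":
    for kind, buckets in compare_feeds(FEED_A, FEED_B).items():
        print(kind)
        for bucket, values in buckets.items():
            for v in sorted(values):
                print(f"  {bucket:7} {v}")
```

Indicators that still land in only_a or only_b after normalization are the genuine discrepancies worth chasing; before normalization, most apparent differences between two advisories are formatting.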

Colonial's pipeline is trickling back online. The ransomware hit Colonial's corporate IT network; the operational technology (OT) network that actually controls the pipeline was segmented from it and was not infected. Colonial shut the pipeline down proactively, out of an abundance of caution and reportedly in part because the billing systems it needs to track product were on the affected IT network. Either way, there should be no lasting effect on fuel distribution from the pipeline going offline.

Nevertheless, Colonial paid DarkSide roughly $4.4 million (75 bitcoin) for the decryption key almost immediately after discovering the ransomware. Paying is problematic for a couple of reasons: the decryptor was reportedly so slow that recovery dragged on and Colonial restored largely from its own backups anyway, and, more importantly, a fast, high-profile payout likely inspires countless new ransomware crews to get out there and hack the planet. Unfortunately we are likely to hear about similar attacks on other large corporations because of it.

This crisis has taught me some things about pipelines. I thought product ran through them continuously, 24x7, but Colonial is a refined-products line that moves gasoline, diesel and jet fuel in scheduled batches, so what a given segment carries changes from day to day. One batch might be gasoline bound for a tank farm at destination A and the next diesel bound for destination B.

Storage isn't immediately affected when the pipeline is down, since terminals along the route typically hold a few days of reserves in tanks. The east coast gasoline shortage was driven largely by inflated demand, as people rushed to refill or stockpile fuel after news of the attack broke. Not unlike the great toilet paper shortage of 2020.

There are many documented examples of attacks on critical infrastructure and fundamental services in the USA. There was talk early in the news cycle that the attack on Colonial Pipeline was a declaration of war. Luckily that talk quickly subsided, but the reality is that something must be done to alleviate this pressure.

President Biden issued an executive order on cybersecurity last week (EO 14028, "Improving the Nation's Cybersecurity"). The order binds federal agencies and reaches the private sector mainly through procurement: vendors that sell software to the government will face new supply-chain and incident-reporting requirements. It does not directly regulate private operators of critical infrastructure such as Colonial, despite the recent high-profile attacks on them. Why wouldn't they focus there, given that the US government already has a mature security baseline? (See FISMA and the NIST standards for more on government cybersecurity practices.)

That federal baseline is already in place and doing its job, so this executive order changes little where it matters most. If President Biden really wants to improve the situation, he should impose NIST SP 800-53 on the critical infrastructure managed by the private sector.

In the meantime, DarkSide announced it was shutting down shortly after receiving Colonial's payment, claiming its servers had been seized and its funds drained. We will never know what truly happened. Did they pretend their account was drained, or are they merely rebranding? Laying low until researchers link the new brand back to the old tooling and TTPs is a good strategy. Did someone inside DarkSide snatch everything and run? Did law enforcement take them out quietly, sending the DarkSide team on a one-way trip to a black site? Or was it some grey hats, those typically lawful but occasional vigilantes acting for the greater good?

While we have many examples to look to, this is just the beginning of the cyber threat. Consider that only about half the world's population is actively connected to the internet. That is more than double the share of 10 years ago, and the likelihood of threats increasing as more people get online is high. Now is the time to bolster cyber defences.