This blog will provide cybersecurity commentary on the Colonial Pipeline Ransomware incident that occurred in 2021, and what key takeaways all businesses should implement to protect themselves from cybercrime.
Nation-state backed attacks on businesses have risen significantly over the past three years in scope and sophistication, and this rise is irrespective of sector or size. The main aim of nation-state attacks is to obtain intellectual property, business intelligence, or to lay the foundation for future attacks. One of the first steps to better protect your organization and your data is to understand this growing threat.
- Was the Colonial Pipeline Ransomware Incident a Nation-State Attack?
- Is DarkSide Still an Operating Threat?
- Is Introducing More Public Policy the Solution?
- Business Cybersecurity is National Security
- Government Should Aggressively Prosecute Cybercriminals
- SMB Cybersecurity is National Security
- Paying the Ransom Feels Dirty for a Reason
- Final Takeaways
Was the Colonial Pipeline Ransomware Incident a Nation-State Attack?
Anytime there is an attack on Critical National Infrastructure (CNI) it raises eyebrows as a possible nation-state attack. Disrupting a country’s infrastructure with cyberattacks is modern-day warfare because it is costly, it’s crippling, it damages public confidence in their government, and the strength of the response from the victim country is revealing.
Our foreign adversaries often fly under the radar by hiring third-party hackers to tactically create mayhem, gain valuable data, or gather intelligence. Hired foreign hackers aren’t fearful of legal retribution because they are supported by their government or dictatorship.
It is believed that the perpetrator behind the Colonial Pipeline Ransomware incident is a group known as DarkSide, a Ransomware-as-a-Service (RaaS) vendor. This means that DarkSide received payment from a client to perform a cyber-attack on Colonial Pipeline. So, who is this client, and why isn’t DarkSide throwing them under the proverbial bus? Perhaps honor among thieves really is that strong a bond in cybercrime rings? Or maybe DarkSide’s silence was bought with a large cut of the pie? It is also possible that DarkSide is scared to disclose its client’s identity, perhaps because the client is a powerful group, for instance a powerful nation-state.
If It Was A Nation-State, Was It Russia?
KrebsOnSecurity mentioned on May 17, 2021, “virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed – such as Russian or Ukrainian.”
Am I suggesting that introducing the Russian keyboard set to your computer is a failsafe cybersecurity strategy? Absolutely not. (Cyber assessments and annual pen tests are a better way to enhance a cybersecurity strategy.) But DarkSide’s malware strain does have a hard-coded do-not-install list of countries that all have known relations that favor the Kremlin. This caveat in the ransomware code does strongly suggest that this ransomware is from Russia or Russian allies.
Having said this, it’s important to remember that nation-state actors go to extreme lengths to tactically cover their tracks, and often plant false flags to mislead cyber experts when tracing campaigns back to the country of origin.
Is DarkSide Still an Operating Threat?
DarkSide is now attempting to placate the FBI and Colonial Pipeline by apologizing for the ransomware attack, saying they didn’t mean to cause the widespread panic. Moreover, they’re offering an empty concession, claiming they would return the ransom money of $4.4 million in crypto.
Conveniently, DarkSide’s servers were “disrupted” before Colonial Pipeline’s transfer. As a result, the ransom money mysteriously disappeared. Hopefully, this charade doesn’t persuade anyone into believing they’re an ethical hacking group and deserving of absolution.
Similarly, this isn’t the first time a RaaS operation has masqueraded as an ethical crime ring. If history repeats itself, DarkSide will resurface after a rebrand with a new company name and the same old malware.
Is Introducing More Public Policy the Solution?
Pipelines are Critical Infrastructure, Yet Not On The Regulatory Grid
All organizations that provide Critical National Infrastructure (CNI) should follow cybersecurity best practices that assist in identifying and containing attacks. As we have seen recently, however, pipelines are under the authority of the Transportation Security Administration (TSA).
While the TSA already has the authority necessary to regulate pipeline cybersecurity, for twenty years the agency has chosen to take a voluntary approach despite ample evidence that market forces alone are insufficient.
An absence of regulations from TSA lends a portion of our CNI to private sector cyber negligence. Citizens, national security, and our economy suffer when deprived of Critical National Infrastructure. In short, it raises the question of “who should be deciding what is tolerable risk for pipelines?”
North American Electric Reliability Corporation (NERC)
While TSA is an arm of the government, NERC is a nonprofit corporation in Atlanta, Georgia. NERC develops, trains, and enforces standards for anyone that adds electricity to the power grid.
NERC has Critical Infrastructure Protection Standards that it enforces. Prior to 2006, NERC’s guidelines for power system operation and accreditation were strongly encouraged yet ultimately voluntary. That changed when the Federal Energy Regulatory Commission (FERC) issued an order certifying NERC as the Electric Reliability Organization (ERO) for the United States.
How Did Colonial Pipeline Slip Through the Cracks?
While NERC’s Standards protect our electrical grid infrastructure from cyberattacks, the standards put in place for the oil & gas industry are, as previously mentioned, voluntary. Since pipelines do not sell directly to consumers, they escape market forces, and as a private company, they don’t report to shareholders. So even though pipelines are certainly classified as Critical Infrastructure, there is ultimately no cyber accountability.
Speculation on How Colonial Pipeline's Technology and Security Led to a Gas Shortage
Operational Technology (OT), meaning the computer systems that manage things like pumps, sensors, and the power that runs the pipeline, should be separated by a data diode from the rest of the environment, where business operations take place.
A data diode only allows data to go one way. Within NERC, they call this safeguard the Electronic Security Perimeter (ESP), and it is a required best practice of the energy sector.
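The one-way rule described above can be checked against network flow records: data may leave the Operational Technology zone, but nothing outside it should be sending into it. This is an added example, not code from the original article, Colonial Pipeline, or NERC; the zone address ranges, the CSV layout, and the sample flows are constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed zone layout (constructed for this example).
OT_ZONE = ip_network("10.10.0.0/16")   # pumps, sensors, control systems
IT_ZONE = ip_network("10.20.0.0/16")   # billing and business systems

# Constructed flow records: initiator, responder, destination port, bytes sent.
SAMPLE_FLOWS = """src,dst,dport,bytes
10.10.4.21,10.20.8.5,5000,18432
10.20.8.77,10.10.4.21,502,640
10.20.8.5,10.20.9.9,443,91200
203.0.113.40,10.10.4.30,3389,2210
10.10.4.22,10.10.4.21,502,1280
"""

def zone_of(addr):
    """Map an IP address to the zone it belongs to."""
    ip = ip_address(addr)
    if ip in OT_ZONE:
        return "OT"
    if ip in IT_ZONE:
        return "IT"
    return "EXTERNAL"

def audit_flows(csv_text):
    """Return flows that cross into the OT zone from outside it."""
    violations = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src_zone, dst_zone = zone_of(row["src"]), zone_of(row["dst"])
        # One-way rule: data may leave OT; nothing outside OT may send into it.
        if dst_zone == "OT" and src_zone != "OT":
            violations.append({
                "src": row["src"],
                "dst": row["dst"],
                "dport": int(row["dport"]),
                "direction": f"{src_zone}->OT",
            })
    return violations

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {v['direction']}: {v['src']} -> {v['dst']}:{v['dport']}")
```

Traffic that stays inside the OT zone, or that flows from OT out to the business network, is not flagged; only the two constructed flows that enter OT from the business network and from an external address are reported.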
If Colonial Pipeline was voluntarily following best practices, then the cybercriminals should not have been able to jump over the barrier and affect the pipeline itself. This has led many to speculate on a tug of war question. Either:
- Colonial Pipeline was not voluntarily following cybersecurity best practices. It is possible that they allowed their billing system to be connected to the pipeline in a way that the pipeline couldn’t operate without the billing system. So when they had to take the billing system offline because of ransomware, they couldn’t run the pipeline.
- On the other hand, it is possible that Colonial Pipeline did have a data diode in place so the pipeline was still functional and gas could still flow. That would mean then that the problem was they had not set up their network properly, and could not bill for the gas. This would mean that they made a controversial business decision to shut down our critical infrastructure simply because they could not bill properly for their gas.
Business Cybersecurity is National Security
Government Should Aggressively Prosecute Cybercriminals
I believe it would be a mistake to create more cyber regulations for non-critical businesses. Often, imposing stricter regulations on businesses happens to be the knee-jerk reaction of those in government. Without more aggressively going after and punishing cyber-criminals, in a sense more regulations would be punishing businesses for cybercrime instead of cyber-criminals. Our Government should be protecting businesses as our businesses make up the fabric of our economy, which is directly how we fund our military.
I personally feel that we should call a spade a spade. Either this cyberattack on Critical National Infrastructure was terrorism by a cybergang or it was cyber warfare by a foreign adversary. In both scenarios, we are being tested on the world stage. If our reaction isn’t severe enough, these attacks (that are already escalating) will ramp up even more.
SMB Cybersecurity is National Security
Furthermore, we should not be disassociating cyberattacks from their countries of origin. It is not a coincidence that these perpetrators are most often also our country’s foreign adversaries. If a country does not go after and prosecute its known cybercriminals, then it is complicit.
Our foreign adversaries are reaping the benefits of these successful cybercrimes. How? Because our USD fiat is being exfiltrated to these adversarial countries. Additionally, our trade secrets and IP are being stolen as well. That’s why I firmly believe that local cybersecurity practices in the United States, at each and every business, all equate to national security.
We all play a part, we are all a piece of the puzzle. I fear that if SMB does not ramp up its cybersecurity practices voluntarily, the government will forcibly ramp up regulations.
Paying the Ransom Feels Dirty for a Reason
Recently, Colonial Pipeline paid the $4.4 million ransom to get the decryption key from the criminals, only to discover that the decryption process was too slow. As a result, Colonial Pipeline still restored data from their own backups despite making the payment.
If you’ve ever been faced with paying a ransom, you know that it’s not something you ever want to experience again. It just feels wrong. Unfortunately, it feels necessary if you were caught without backups. Many businesses are relying on cyber insurance to pay these ransoms. Even more disappointing, a lot of insurance companies suggest you pay the ransom because it’s more affordable for insurance.
Yet, every time a business pays the ransom, we are continuing to feed the cybercriminal economy more fuel, making it meaner and more powerful. Moreover, when a victim company pays the ransom, they’re left even more vulnerable to future attacks because their company gets put on the dark web’s “sucker” list. Often the victim company’s known exploitable cyber vulnerabilities are published on the dark web for other cybercriminals to utilize.
Meanwhile, Europe’s cyber insurance sector is no longer paying ransoms on behalf of businesses. They’ve come to realize this is a failing strategy in the long term. I suspect we are not far behind them in amending our strategy.
How to Protect Your Business and Do Your National Duty
The rapid increase we are seeing in nation-state attacks is in addition to the dramatic increase we have seen in cybercrime, namely ransomware. We can’t stress enough the importance of having regularly tested backups. Decryption keys you get from hackers by paying the ransom don’t always work and are often painfully slow.
Secondly, create and practice an Incident Response (IR) Plan. Your backups and IR plan should be tested with cyber fire drills to ensure your organization is prepared. Part of your IR planning process needs to include securing your Digital Forensics & Incident Response (DFIR) partner.
Thirdly, get an annual pen test to know where your vulnerabilities exist, and continually improve your cybersecurity posture.
In addition, as we’ve learned from the Colonial Pipeline ransomware attack, it’s best to segment networks. In the event attackers do gain entry, sensitive information won’t be stored in an easy-to-reach portion of your network.
Remember, your employees are your first line of defense when it comes to cyber threats. Cybercriminals know it’s easier to trick people than break through security technology. Employees should be continually trained to recognize threats and know how to report security incidents to a network administrator.
Finally, be mentally ready for an attack. The mindset of: “I don’t have any data they want, it won’t happen to us” is extremely risky for a business. In other words, no one company is too small.
Above all, it is vital that organizations invest in security that keeps them ahead of constantly evolving threats.