Ransomware Attack Against Critical Infrastructure

By Hubert Yoshida posted 05-11-2021 19:19

Last week I posted a blog on ransomware and pointed out the cost of recovery and some of the Hitachi tools that can protect against ransomware. By Friday of that week the United States had suffered its worst cyberattack on its critical infrastructure through a ransomware attack on Colonial Pipeline which delivers approximately 45 percent of the East Coast's petroleum products, including gasoline, diesel fuel, and jet fuel.
The DarkSide ransomware group was quickly identified as being responsible for the Colonial Pipeline attack. The gang took almost 100 gigabytes of stolen data hostage, threatening to leak it onto the internet, but the FBI and other government agencies worked with private companies to respond. The cloud computing system the hackers used to collect the stolen data was taken offline on Saturday. Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of their IT systems, which they are actively in the process of restoring. Colonial has been publishing regular notices which indicate that they hope to be back in operation by the end of this week.

“This weekend's events put the spotlight on the fact that our nation's critical infrastructure is largely owned and operated by private sector companies," said Elizabeth Sherwood-Randall, the White House domestic security adviser. "When those companies are attacked, they serve as the first line of defense and we depend on the effectiveness of their defenses."

"Our critical infrastructure sectors are the modern day battlefield and cyber space is the great equalizer. Hacker groups can essentially attack with little individual attribution and virtually no consequence. With over 85% of all infrastructure owned and operated by the private sector, significant investment and attention must be placed on hardening key critical systems," according to Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security.

In response to the attacks on Colonial Pipeline, the Biden administration issued a Regional Emergency Declaration 2021-002 this Sunday. The declaration provides a temporary exemption to the Federal Motor Carrier Safety Regulations, allowing alternate transportation of petroleum products via tanker truck to relieve shortages related to the attack. Although the move will ease shortages somewhat, the exemption wouldn't be anywhere near enough to replace the pipeline's missing capacity. "Unless they sort it out by Tuesday, they're in big trouble," said oil market analyst Gaurav Sharma, adding that "the first areas to hit would be Atlanta and Tennessee, then the domino effect goes up to New York."

This Wednesday President Biden will begin to sell his $2 trillion plan to rebuild infrastructure in the United States. This plan will need to include investment in rebuilding cyber security in the private and public sector. The oil pipeline attack should strengthen demands for cybersecurity standards for companies that play an important role in Americans’ critical infrastructure. As it is, it’s left up to the private companies to implement the security measures they use to protect systems that are critical to the national interest. Like many companies today, Colonial Pipeline has been on a digital transformation journey, which they describe on their website. However, this did not protect them from this cyber attack. It is not known how much of that digital transformation was focused on cyber security. It appears that security should have precedence over operational efficiency when it comes to critical infrastructure companies like Colonial Pipeline.

Details on how the hackers were able to gain access to Colonial’s systems haven’t been made public yet, but Bloomberg reports that the attack began on May 6, with nearly 100 gigabytes of data stolen before Colonial’s computers were locked up. A ransom was demanded, both to stop the data from being leaked on the internet and to unlock the affected systems. 100 gigabytes is not a lot of data considering the petabytes of data that a company like this would have. If that data was encrypted, stealing it would not have been a big threat. However, the fact that any data was stolen, whether it was in a form that could be interpreted or not, meant that the system was compromised. Once compromised, the company had to shut systems down in order to determine the extent of the compromise. Even though this was an IT hack, they had to determine whether there was also a compromise of the operational systems which controlled the physical assets, which could have exploded or caused other catastrophic destruction.

An organization carrying out a ransomware attack is looking for a vulnerability in order to insert their code. Many come in through a phishing attack, so users of the system must be trained and tested for their awareness to avoid these attacks. Many find entrance through some unpatched system in the infrastructure. Running the most up to date software is an obvious deterrent. However, it’s a much harder process for a large company running something as complex as a petroleum pipeline to keep up with the latest updates. They are usually more concerned about the stability and reliability of their business operations and are reluctant to take outages for maintenance. The result is that many critical infrastructure businesses are built on top of software that is old and vulnerable by modern security standards.

More insidious is the supply chain attack like SolarWinds, where a hack was inserted through an update to a third party network management tool. Here the installation of the latest software update introduced the hack. (The hack was discovered when a second phone number was used in a two-factor authentication.) Supply chain attacks are likely to target widely used software, since a single compromise can affect more users. Supply chain hacks are increasing and measures must be taken to authenticate third party code. CSO Online published a blog on some ways to guard against supply chain attacks. A patch management system should require third-party risk testing or have some standards that vendors need to comply with. Avoid automating updates to sensitive code.
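An added example (not from this post or from Hitachi) of the patch-management gate the paragraph above calls for: an update is installed only if its digest matches a pinned vendor manifest, and updates to components labelled sensitive are held for manual review rather than being applied automatically. The component names, payloads and manifest are constructed, and the manifest itself is assumed to have been authenticated out of band.

```python
"""Gate a third-party update before installation: verify its SHA-256 against
a pinned vendor manifest and hold updates to sensitive components for review."""
import hashlib
import hmac
from typing import Dict, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a package blob."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample data (not real vendor artifacts): two "releases" and a
# vendor manifest pinning their digests. Assumption: the manifest was obtained
# and authenticated out of band (e.g. a signed release file), so the pins are
# trusted; only the package bytes arriving through the update channel are not.
GOOD_NETMON = b"netmon-agent 2.1.0 constructed sample payload"
GOOD_REPORTING = b"reporting-ui 4.0.3 constructed sample payload"
VENDOR_MANIFEST: Dict[Tuple[str, str], str] = {
    ("netmon-agent", "2.1.0"): sha256_hex(GOOD_NETMON),
    ("reporting-ui", "4.0.3"): sha256_hex(GOOD_REPORTING),
}
# Assumption: components that touch network management or OT are "sensitive"
# and are never auto-installed; they wait for a human third-party risk review.
SENSITIVE_COMPONENTS: Set[str] = {"netmon-agent"}


def gate_update(component: str, version: str, package: bytes,
                manifest: Dict[Tuple[str, str], str] = VENDOR_MANIFEST,
                sensitive: Set[str] = SENSITIVE_COMPONENTS) -> Tuple[str, str]:
    """Return (decision, reason); decision is "install", "hold" or "reject"."""
    expected = manifest.get((component, version))
    if expected is None:
        return "reject", f"{component} {version} is not in the vendor manifest"
    actual = sha256_hex(package)
    if not hmac.compare_digest(actual, expected):  # constant-time comparison
        return "reject", f"digest mismatch for {component} {version}"
    if component in sensitive:
        return "hold", f"{component} is sensitive; queued for manual review"
    return "install", f"{component} {version} verified against pinned digest"


if __name__ == "__main__":
    for comp, ver, blob in [
        ("netmon-agent", "2.1.0", GOOD_NETMON),            # hold
        ("reporting-ui", "4.0.3", GOOD_REPORTING),         # install
        ("reporting-ui", "4.0.3", GOOD_REPORTING + b"x"),  # reject: tampered
        ("reporting-ui", "9.9.9", GOOD_REPORTING),         # reject: unknown version
    ]:
        print(comp, ver, *gate_update(comp, ver, blob))
```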

A supply chain attack may have already inserted sleeper code which may be waiting for the right moment to be activated. This gives you time to encrypt your critical data and protect against ransomware attacks with our advanced technologies that are built into block and object storage systems that can protect backup data from being modified or deleted. When an attack happens, recover your data and don't pay the ransom.