On May 7 the Colonial Pipeline, which stretches from Texas to New York and is the largest pipeline system for refined oil products in the United States, was hit by a ransomware attack that resulted in the shutdown of most of the 5,500-mile pipeline.
The company is operating some parts of the pipeline manually and has sought the help of private cyber investigators and the US government. Meanwhile, a huge segment of the US’ critical infrastructure is disabled and Washington does not seem to have any answers.
We do not know what the attackers demanded from Colonial Pipeline, and the group responsible has so far been identified only by a name it chose for itself, not by who actually stands behind it.
Ransomware in its most basic form attacks a network by encrypting the files on every machine it can reach and demanding payment for the key needed to decrypt them. In the Colonial Pipeline case we know that, besides encrypting systems on the company's corporate IT network (Colonial shut the pipeline itself down as a precaution to contain the intrusion), the perpetrators also stole a large amount of company data before encrypting it.
What the thieves plan to do with the data is not known at this time. In prior ransomware cases involving data theft, victims who refused to pay have seen selected files published on the attackers' leak sites, sold, or handed to competitors or hostile governments.
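The encryption step is also what gives defenders their best host-level signal: a file that has just been encrypted looks like uniformly random bytes, while documents, spreadsheets and logs do not. The following is an added example, not from the article, Mandiant or any product, of the kind of entropy-plus-rename check an endpoint sensor applies to file-write events. The events, file names, thresholds and the toy SHA-256 stream cipher standing in for the attackers' real AES or ChaCha are all constructed assumptions for the example.

```python
"""Entropy-based check for files overwritten by ransomware (added example)."""
import hashlib
import math
import os
from collections import Counter

# Thresholds are assumptions for this example; tune them against your own file corpus.
HIGH_ENTROPY = 7.0   # bits per byte; pseudorandom ciphertext scores ~7.9 on a few KB
LOW_ENTROPY = 6.0    # plain text, CSV and source code usually sit at 4-5
# Formats that are compressed or encrypted by design, so high entropy is normal for them.
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".jpg", ".png", ".pdf", ".docx", ".xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def toy_stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the real cipher so the sample runs offline: a SHA-256
    counter-mode keystream XORed into the data. Not secure, but its output is
    as unstructured as genuine ciphertext, which is all the detector sees.
    Applying it twice with the same key decrypts."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(plaintext), 32)):
        keystream = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[offset:offset + 32], keystream))
    return bytes(out)


def classify_write(path_before: str, path_after: str, before: bytes, after: bytes) -> dict:
    """Score one file-write (or rename-and-overwrite) event the way a sensor might.

    Two signals: the new content is ciphertext-like, and either the file gained a
    new extension or a plain-text file was overwritten in place. A high-entropy
    write on its own is not enough, because archives and images are
    legitimately high-entropy."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    ext_before = os.path.splitext(path_before)[1].lower()
    ext_after = os.path.splitext(path_after)[1].lower()
    ciphertext_like = e_after >= HIGH_ENTROPY
    renamed = ext_after != ext_before
    if ciphertext_like and renamed:
        verdict = "suspected_encryption"        # e.g. report.csv -> report.csv.locked
    elif ciphertext_like and e_before < LOW_ENTROPY and ext_before not in COMPRESSED_EXT:
        verdict = "suspected_encryption"        # plain file encrypted in place
    else:
        verdict = "benign"
    return {
        "path": path_after,
        "entropy_before": round(e_before, 2),
        "entropy_after": round(e_after, 2),
        "renamed": renamed,
        "verdict": verdict,
    }


# Constructed sample content; a real sensor would take these from file-write events.
SAMPLE_CSV = b"2021-05-07,pump-station-12,flow_bbl_per_h,41250,ok\n" * 80
SAMPLE_KEY = b"example-key-not-secret"
SAMPLE_EVENTS = [
    # benign edit: content changes but stays plain text, same name
    ("flows.csv", "flows.csv", SAMPLE_CSV, SAMPLE_CSV.replace(b"ok", b"warn")),
    # ransomware: overwrite with ciphertext and append its own extension
    ("flows.csv", "flows.csv.locked", SAMPLE_CSV, toy_stream_encrypt(SAMPLE_KEY, SAMPLE_CSV)),
    # ransomware variant that encrypts in place without renaming
    ("flows.csv", "flows.csv", SAMPLE_CSV, toy_stream_encrypt(SAMPLE_KEY, SAMPLE_CSV)),
    # benign: a freshly created archive is high-entropy by nature
    ("backup.zip", "backup.zip", b"", toy_stream_encrypt(SAMPLE_KEY, SAMPLE_CSV)),
]


def sample_verdicts() -> list:
    """Run the detector over the constructed events and return one verdict per event."""
    return [classify_write(*event)["verdict"] for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(classify_write(*event))
```

Two caveats a practitioner would attach. First, this check says nothing about the data theft described above: exfiltration is a network signal (large outbound transfers to unfamiliar hosts), not a file-entropy one. Second, an archive or Office document encrypted in place without a rename is invisible to the in-place rule, which is why real products also watch write rate across many files, canary files that no legitimate process should touch, and the appearance of ransom-note files.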
Computers can be infected in many different ways, even if they are not connected to the internet. In the famous Stuxnet case, widely attributed to the US and Israel, Siemens industrial controllers at Iran's Natanz enrichment plant were sabotaged and uranium centrifuges destroyed. The worm crossed the air gap on USB drives, exploited Windows flaws to spread between machines, and then tampered with Siemens Step7 project files so that its malicious logic was loaded onto the controllers themselves.
There are many other ways to deliver malware: through email attachments and links, by stealing or guessing passwords and logging in as a legitimate user, by using forged credentials, or through an insider working for the company or organization.
Mandiant, a subsidiary of FireEye, has produced a useful report that describes the main types of malware threats and gives some background on a few of the bigger perpetrators. Mandiant is now working with Colonial.
In the United States, aside from government and the military, the bulk of the critical infrastructure is privately owned and operated. While this may suggest that industry security standards are below US government standards, the truth is that both the government – including the military departments – and the private sector are facing similar security challenges.
Almost all computer networks have grown haphazardly over the years, and most run components that have not received security updates. But even if every organization followed best practices, kept hardware and software consistently patched and trained all employees, they would still be vulnerable, especially to sophisticated attackers.
The ransomware group that attacked Colonial is known as DarkSide. DarkSide says: “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Brian Krebs, a security expert writes that “first surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims.
“DarkSide says it targets only big companies and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.”
The Biden administration has said it believes the attackers operate from Russia and that Moscow bears some responsibility for harboring them, but it has offered no proof that the Russian government directed or backed the attack. In fact, the US government seems at a loss to know how to deal with ransomware attacks.
There is no doubt US-Russia relations are at an all-time low, perhaps worse than during the Cold War when, as Russian Foreign Minister Sergey Lavrov puts it, the US at least respected Russia. It is also true that the Russians are trying many ways to put pressure on the United States, and vice versa.
In the bigger picture, US intelligence says that foreign governments (e.g. China, Russia, Iran and others) are either directly running cyber operations against outside targets or getting hackers to do it for them.
Even going back to the earliest computer hacks, Clifford Stoll reported in his book The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (1989) that a hacker in Hanover, Germany, had penetrated the computers of the Lawrence Berkeley National Laboratory, where Stoll worked, and was using them as a stepping stone into US military networks in search of classified Defense Department information. The Hanover hacker was selling what he found to the KGB.
Today hostile governments can afford to set up large and sophisticated cyber-spying operations or use those operations to cripple an adversary. The Chinese have tried this against Taiwan; the Russians against the United States, Ukraine and select European countries such as Estonia; and Iran has used cyber methods to attack Israel.
Many cyberattacks are designed to steal intellectual property. China ripped off Lockheed and Lockheed’s suppliers to steal information on the design of the F-35 fighter. Iran has used cyber espionage to steal intellectual property from hundreds of universities and private companies.
Despite government and industry spending hundreds of billions of dollars on computer security, most computer systems and networks remain dangerously exposed to cyber-attacks, including ransomware.
Worse still, as the Colonial Pipeline case underlines, the government, law enforcement included, does not know what to do when a major disruptive intrusion happens. This is especially worrisome because the entire critical infrastructure could be brought down by a determined adversary while Washington scratched its head, as it is doing now.