Colonial Pipeline runs dry following ransomware attack
A vital U.S. oil supply was shut down to prevent a ransomware infection from spreading from corporate IT systems to more crucial operational technology systems.
The U.S. Colonial oil pipeline shut down this weekend after a ransomware attack infected systems at its parent company.
Colonial Pipeline Company said the shutdown was a precautionary measure, and that none of its critical industrial control systems are believed to be affected by the DarkSide ransomware that has encrypted data on a number of its corporate systems.
The FBI said it is monitoring the situation and the White House has called in a number of agencies, including the Department of Energy and Department of Transportation, to help keep fuel supplies running during the shutdown.
While the early speculation was that the network breach could have been the work of nation-state attackers intent on disrupting U.S. critical infrastructure, indications are that the attack is the work of financially motivated cybercriminals. At this point, the infection is being treated as a criminal case and is not believed to be the work of state-sponsored attackers.
The incident occurred late on Friday, May 7, when Colonial Pipeline announced that it was shutting off operations temporarily to prevent the spread of the ransomware. The infection was soon identified as DarkSide, a prolific ransomware variant that is sold to individual criminal hackers who in turn pay the malware's creators a portion of their revenue.
The Colonial oil pipeline is a 5,500-mile long network that runs petroleum from the Gulf of Mexico through the Southern U.S. and up the Eastern Seaboard. It is considered one of the main fuel arteries for gasoline and heating oil, as well as for jet fuel for numerous major U.S. airports and military bases.
It is not yet known if Colonial Pipeline has paid or is planning to pay any part of the ransom demands. The White House said Colonial Pipeline is currently handling the investigation and response with its own security providers and consultants.
UPDATE 5/13: Colonial announced Thursday that it had restarted the entire pipeline system and resumed fuel delivery to all markets. While several media outlets reported that Colonial had paid a multi-million dollar ransom to the attackers, the company declined to comment. "Regarding reporting around the ransom demand or potential payment, as this is an ongoing investigation Colonial Pipeline is not commenting at this time," a Colonial spokesperson told SearchSecurity.
Colonial Pipeline said on Monday that it had begun the process of getting the pipeline back up and running; however, the company cautioned that the restart would not be immediate.
"In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems," Colonial said in the statement. "To restore service, we must work to ensure that each of these systems can be brought back online safely."
Not as bad as feared, but still bad
Despite initial concerns, Colonial Pipeline confirmed there was no damage to the pipeline itself. The ransomware appears to have only damaged the internal corporate systems of Colonial -- the IT network. The operational technology (OT) network, the actual industrial controllers and other equipment used to interact with the pipeline itself, were not affected.
Colonial Pipeline statement
Separating IT and OT networks, through air-gapping and multiple layers of network security, is considered a best practice for many industrial operators for this very reason; OT should be isolated from the outside world and the internet-facing IT network will be the entry point for attackers. Separating the two prevents hackers from turning a bad scenario into a public safety emergency.
That said, the incident still caused one of the nation's main oil pipelines to shut down and raised concerns from the White House and the FBI, both for the security implications and the infrastructure problems that come with the days-long shutdown.
Jon Oltsik, senior principal analyst and fellow with analyst firm Enterprise Strategy Group (which is owned by TechTarget), noted that while Colonial Pipeline might be relieved that there was no sabotage or damage to its essential industrial systems, the public will not make such distinctions if the shutdown causes problems at the pump.
"At the end of the day, from the consumer and economic perspective, it is shutting down consumer operations," Oltsik said. "When you're lining up for gas or paying $10 a gallon, you don't care whether it affected IT or not, you care that operations were disrupted."
Meanwhile, the DarkSide gang is doing its own damage control. Because DarkSide operates as a ransomware-as-a-service operation where third-party criminals use DarkSide to infect networks and then kick a portion of the payout back up the chain, the creators of the malware don't have direct control over what companies are hit. In this case, it seems one of those "end users" got a lot more than they bargained for when seeking out a target.
Realizing that this attack was attracting the wrong kinds of attention, the DarkSide operators issued the following statement in an apparent attempt to reassure the public it has no interest in creating a disaster scenario.
"We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for [our other] motives," the statement reads. "Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."
That the group would seek to distance itself from any government backing is worth noting, particularly in light of the recent blurring of the lines between private ransomware operations and those carried out with either the implicit or explicit backing of government regimes.
DarkSide apparently wanted no part of the Colonial Pipeline attack, either because the group truly has no government ties or it wants to hide them.
Regardless of the attackers' affiliations, Oltsik said this attack will serve as another reminder for companies to step back and reassess their own defenses.
"What they should be doing is looking at the whole ransomware kill chain and their own defenses and training in each area," Oltsik said. "If they recognize shortcomings in any area, they should look at how to addresses them."