Ransomware attack shuts down Colonial Pipeline fuel supply

Ransomware attack shuts down Colonial Pipeline fuel supply

UPDATE 12:02 PM Pacific Time, May 19: It has been a solid week of news coverage on Colonial Pipeline, and within this time, so much has happened. Here’s a gist:

  • Colonial Pipeline resumed operations after a six-day temporary shut down brought about by a DarkSide ransomware attack, causing panic buying of fuel and price hikes in the East Coast. It was pointed out that the company’s billing system was compromised in the attack, making them concerned that they wouldn’t be able to correctly bill their clients for fuel.
  • In an interview with the Wall Street Journal, Colonial Pipeline CEO Joseph Blount confirmed the payment of the ransom demand to the tune of $4.4M USD, which was roughly 75 Bitcoin at that time.
  • The successful attack against Colonial Pipeline fast-forwarded the approval of an Executive Order to boost the cybersecurity posture of the US federal government.
  • The DarkSide ransomware group called it quits after their DOS and payment servers, Bitcoin accounts were seized and the DarkSide Leaks blog site was shut down. This is believed to be the work of the US government, local law enforcement, or other gangs looking after their interests that would immediately follow from DarkSide’s “downfall.”
  • Several underground forums used by criminals to peddle their ransomware and recruit affiliates also publicly announced that they will be banning all ransomware groups from advertising on their platform. This, of course, doesn’t mean the end of ransomware gangs and their attacks.
  • Many ransomware gangs have started introducing changes with the way they handle business going forward. REvil, for example, announced a ban on affiliates targeting vital sectors, such as healthcare, education, public sector, and government organizations.

UPDATE 10:47 AM Pacific Time, May 10: At 8:55 AM Pacific Time, the FBI confirmed that Colonial Pipeline was attacked by Darkside. According to a statement posted on Twitter, the FBI said:

“The FBI confirms that the Darkside ransomware is responsible for the compromise of Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation.”

Malwarebytes’ signature-less protection detects all known variants of DarkSide.

Original story below:

Ransomware caused major trouble last week, as the famous Colonial Pipeline fell victim to a devastating cyber-attack.

Presenting: the Colonial Pipeline

The pipeline exists to supply gasoline and other products across the southern and eastern United States. We’re talking from Texas all the way up to New Jersey. The pipeline is the largest of its kind in the US, reportedly transporting almost half of the fuel consumed by the east coast.

This is an incredible volume of supply and demand, and anything going wrong could be disastrous. There’s enough to worry about with more general accidents, without the threat of people maliciously breaking into systems.

That’s where we are now.

What happened?

Ransomware brought everything to a standstill on Friday. According to those performing analysis on the attack, the culprits are likely a group known as DarkSide. This is a group that rose to mainstream prominence in 2020, via dubious donations to charities. Going for that whole Robin Hood angle, they stole from corporations and handed the cash to causes they felt were deserving.

Well, they tried to.

When help turn out to be a hindrance

As it happens, charities don’t want a bunch of stolen money circulating in their bank accounts. Charity trustees can get into all kinds of trouble. Not just charities; any organisation could end up in a baffling sequence of money laundering shenanigans if not careful.

There were also suspicions that the “Good Samaritan” act was a way to cover for the fact that they’re still criminals, stealing money. The group behind these attacks seemed to have got the message. The Robin Hood charity drive went away, and we wondered what the criminal group’s follow up would be.

If the investigators are correct, this is several orders of magnitude more serious than anything people could have imagined.

 Lockdown and emergency powers

The US government declared an emergency and brought in emergency powers to ensure people are still supplied with fuel. Those emergency powers allow for more flexibility for drivers to transport petroleum products to various locations. From the text:

FMCSA is issuing a temporary hours of service exemption that applies to those transporting gasoline, diesel, jet fuel and other refined petroleum products to Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia.

The digital to physical impact of the Colonial Pipeline attack

The real-world consequences from this attack are clear, and spread in several directions. There’s the immediate risks of transporting fuel across 5,500 miles, and of people having no supplies. We also have potential danger on the roads, as road use increases and drivers have to cope with potentially longer driving hours. Fuel prices? Those appear to have risen, though it seems the supply would need to be down for a few days for it to cause significant impact. 

Finally, there’s the issue of the shutdown itself. How many systems are compromised? What’s the damage? Can they guarantee all traces of infection are gone?

If it does turn out to be DarkSide, then this surely destroys their whole Robin Hood angle. And, if a recent message via DarkTracer is to be believed (the message has not been verified by Malwarebytes) then the group is making no pretence this time: “Our goal is to make money.”

If this attacker is DarkSide, it clearly doesn’t help those in need to eliminate their fuel reserves.

They’re coming for your Crypto-coins…maybe

2021 is already shaping up to be a mast year for ransomware. Ransomware gangs now have years of experience and tool making to draw on, cash in the bank, and a cryptocurrency boom to profit from. It is hard to imagine the status quo holding and it seems inevitable governments will respond strongly.

Prior to the attack the US Justice Department has already announced a 120-day review of its approach to combating cyberthreats, that will include an analysis of how cryptocurrencies enable cybercrime. This echoes concerns raised in a recent strategic plan for tackling ransomware, conducted by the Ransomware Task Force. Among many recommendations, the task force called for ransomware to be treated as a national security threat, and for greater regulation of the cryptocurrency sector. A collision course seems inevitable at some point, and it’s already a significant talking point for experts in this field.

That’s for the future, though. For now, we’re left with supply lines left reeling. A few megabytes of code, perhaps a stray email with a dubious attachment, or maybe even just a server vulnerability that someone didn’t manage to patch in time.

Small issues, massive consequences.