GlobalSign Blog

Cyber Autopsy Series: Colonial Pipeline

Cyber Autopsy Series: Colonial Pipeline

Editor's Note: October marks National Cybersecurity Month, a full month dedicated to creating a more cyber-secure world for us all. Previously, we gave you 31 tips to help you #becybersmart. This year, to bring attention to this important matter, we’re adding several new cases to our Cyber Autopsy file, which could have been prevented had there been better defenses in place. Join us every Friday in October to read about one of these notorious cyber attacks and stick around for insights and learnings that may just keep your name off the list.

Cyber Victim: 

The Colonial Pipeline is the largest pipeline system for refined oil products in the United States. It is 5,500 miles long and can carry 3 million barrels of fuel per day between Texas and New York. This also includes nearly half the gasoline, jet fuel and diesel flowing along the East Coast. 

Case Details:

On May 7, 2021, Colonial Pipeline suffered a ransomware cyber attack that impacted computerized equipment managing the pipeline. It was the largest cyberattack on an oil provider in the US. As a result of the attack the Pipeline’s operators, Colonial Pipeline Company, were forced to halt the pipeline's operations. As if shutting down operations of the Pipeline wasn’t bad enough, its operators paid a ransom of more than $4 million (75 bitcoin) to the DarkSide ransomware gang. Fortunately, the Dept. of Justice was later able to partially recover some of the ransom (64 bitcoins).  

Cyber History:

There is no record of a cyber attack at Colonial Pipeline prior to the May 2021 incident. However, the company has had its share of dramatic events. In November 2016, two workers were killed  and four were injured when the pipeline leaked gasoline in Alabama (and was subsequently shut down). In August 2020 there was a “massive” gasoline spill in Huntersville, North Carolina. 

Description of Events: 

The Colonial Pipeline Company reported on May 7 it was the victim of a “cybersecurity attack” which involved ransomware. To limit the extent of damage, the company decided to take some systems offline. That meant that the 2.5 million barrels a day of gasoline, diesel, heating oil, and jet fuel carried on the pipeline would be disrupted. 

As Vox discussed in its coverage of the attack, a prolonged shutdown would have caused price increases and shortages. While the pipeline came back online within the week, the price increases and shortages could not be averted. Within five days of Colonial Pipeline company announcing it had been hacked, the national average price for a gallon of regular gas pushed past $3. To make matters worse, thousands of gas stations were shut down. 

During the breach, 100GB of data was stolen and Colonial Pipeline’s computers were encrypted with ransomware. On May 10th, the FBI confirmed that DarkSide was responsible for the attack. The group is known to supply its ransomware services to partners/affiliates who carry out the attacks. This method is known as Ransomware-for-a-Service (RaaS).  

According to this blog from Malwarebytes Labs, DarkSide is human-operated. Which means the ransomware is executed by an actual person behind the screen once they’ve infiltrated a target network. This makes it possible for threat actors to scour the entire network to persistently backdoor several systems until they gain administrative access. Following that, the administrator credentials are used to deploy the DarkSide ransomware, where a victim’s computer screen would look a lot like this: 

Systems /Parties Impacted:

During the height of the incident as many as 15,000 gas stations were closed. By the week of May 17th, 11,667 gas stations were still without fuel. Fuel prices spiked across the southeast, with smaller increases further north.

This Washington Post map depicted the status in the southeastern part of the US as of May 18th. 

Naturally, the gas lines were long across the southeast. 

Making matters even worse – if that was even possible – was a lack of truck drivers due to the pandemic.  

With the pipeline shutdown and fuel supplies limited, the US Department of Homeland Security approved a targeted and temporary waiver under the Jones Act for a then-unnamed company to ensure fuel supplies reach critical areas. Alejandro N. Mayorkas, secretary of Homeland Security, said, “In the interest of national defense, I have approved a temporary and targeted waiver request to an individual company. This waiver will help provide for the transport of oil products between the Gulf Coast and East Coast ports to ease oil supply constraints as a result of the interruptions in the operations of the Colonial Pipeline.”

Then came the lawsuits. Within six weeks of the hack the pipeline’s operators were sued. In June, Data Breach Today reported that a claimant said the Colonial Pipeline lacked a proper cybersecurity program for ransomware, and that led to the May 7th shutdown of the pipeline. The lawsuit, filed on behalf of the owners of a gas station in Wilmington, North Carolina, also claimed the company ignored warnings about the risks to interstate pipeline systems. 

US president Joe Biden was none too pleased and announced law enforcement would “pursue a measure to disrupt [DarkSide’s] ability to operate.” Then, DarkSide realized they may have gone too far and seemed to regret the attack in a statement released on May 10. That didn’t matter at that point because just days later, on May 14, the cybergang’s servers were knocked offline, their bitcoin had been stolen from their wallets, and consequently announced they would be shutting down their operation “due to pressure from the US.” Alas, their shutdown was short-lived, as some suspect the group re-emerged as Blackmatter about a month later.  

Mode of Entry:

As explained in this nGuard timeline of the incident, the mechanisms used to breach and infect systems by the DarkSide attackers included phishing attacks, brute-force password attacks, SQL Injection against VPN networks, utilizing TeamViewer and installing backdoors. 

Once inside Colonial Pipeline’s network, the attackers escalated privileges by exploiting a Zerologon vulnerability and more. With the access, DarkSide then used PowerShell and Certutil to deploy and execute the ransomware attack across the network.

Final Diagnosis:

The ransomware attack on the Colonial Pipeline was a watershed moment for the oil and gas industry. They realized it was no longer possible to ignore fully funding cybersecurity. Because threat actors see how they can gain the upper hand – and millions of dollars – by impacting everything from critical infrastructure operations, gas stations and consumers. 

In the wake of attacks like Colonial Pipeline (and of course the SolarWinds attack which took place in late 2020), there’s a plethora of cybersecurity laws being considered. Some legislation currently under consideration could stipulate that certain companies will have to report attacks within 24 hours. In addition, President Biden has convened numerous meetings, from an August cybersecurity summit with the CEO’s of some of the world’s leading businesses as recently as October 13th with 30 countries – except Russia and China – to discuss how best to tackle ransomware. 

With all of this activity, hopefully new cybersecurity laws will be signed in the near future which will serve as an effective deterrent against ransomware attacks. 

That's it for this week's case! Don't forget to sign up for our subscriber newsletter so you don't miss a post.

file with case closed stampBlog CTA_blog newsletter signup.jpg

Share this Post

Related Blogs