What You Need to Know About the Colonial Pipeline Ransomware

On May 7, 2021, a major US energy transportation company known as Colonial Pipeline experienced a ransomware attack. This news has sparked concern over both the federal government and private enterprises’ ability to respond to stay ahead of increasingly advanced cyber threats.  

Here’s what you need to know about the ransomware and DMI’s recommendations for cyber risk management and mitigation. 

A Summary of the May 7th Colonial Pipeline Ransomware 

The May 7th ransomware appears to have only infected Colonial Pipeline’s business network (IT). However, the company still shut down its Operational Technology (OT) networks as a precautionary measure to prevent further spread of the malware through its operational systems. 

The shutdown interrupted the flow of fuel through its 5,500 miles of pipeline distributing 2.5 million gallons of its daily supply of gasoline to the East Coast of the United States.

According to Bloomberg, the attackers performed reconnaissance and stole data ahead of the ransomware attack. The malicious actors behind the attack exfiltrated approximately 100 gigabytes of company data in just two hours. 

The ransomware group, known as “DarkSide,” acknowledged responsibility for the attack, according to the FBI. The exact amount of the ransom demand is not officially known. Previous DarkSide ransom demands have historically been up to the equivalent of two million dollars.

A press statement was released by DarkSide:

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives.

Our goal is to make money, and not create problems for society.

From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

DarkSide operates as a Ransomware as a Service (RaaS) with two entities — one is their core developers while the other deploys the ransomware.

Most pipeline companies use a combination of IT and OT technologies, making them very susceptible to attacks like ransomware. Attacks on industrial control systems (ICS) can lead to safety and/or environmental catastrophes (i.e., causing leaks or explosions) along the pipeline.

When dealing with OT mission-critical systems, it’s important to maintain availability wherever technology operates physical processes (e.g., energy production). Defending critical OT infrastructure and their related systems requires a different approach than those used when defending IT systems.

What Can We Learn From the Colonial Pipeline Ransomware Attack? 

The Colonial Pipeline ransomware imparts several lessons about how ICS firms should prepare for and respond to a cyberattack. 

After an attack of this magnitude, enterprises should: 

1. Isolate the impacted systems from the non-impacted systems. Additionally, conduct forensics to determine the level of infiltration, data exfiltration, and devices and systems compromised. 
2. Work with vendors and governmental bodies to validate your strategy for preventing future spread. Ensure that your network is segmented in such a manner that it restricts movement between systems. Vendors should also be vetted to ensure they meet or exceed cybersecurity controls and operational standards. 
3. Utilize threat intelligence to identify potential compromises. If threats are identified through threat intelligence tools, attacks can be prevented and mitigated. In layman’s terms, security departments have tools they use to find network trends that are being targeted or attacked. 
4. Perform email risk assessments. These help ensure that employees are doing their due diligence and following your policies, standards and controls.
5. Partner with experienced external providers to develop an incident response plan. DMI, for example, is trained in dealing with these types of incidents. We’ve developed tools that notify the company if their network, systems, or data have been compromised or a compromise is suspected.
6. Regularly monitor and review all email attachments, clickbait, vendor access, and logs. This includes change management controls that regulate updates and other modifications that go into production.
7. Design a backup plan to protect your data backups and configurations. Ensure controls include real-time notifications and resolution of backup failures. Regularly test backup restorations.

In addition to these cyber response strategies, DMI’s cybersecurity experts also recommend the following mitigation strategies.  

• Strong segregation of OT and IT networks.
• Continuous monitoring of network security.
• Multi-factor authentication.
• Robust cyber threat hunting process.
• Regular vulnerability assessments.
• Strong change controls.
• Security awareness training.
• Training and playbooks for security operations staff.
• Business continuity and incident response playbooks.
• Periodic tabletop exercises involving IT, OT, and Operations.
• Endpoint protection, detection, and response.
• Application whitelisting.
• IP obfuscation.

A Comprehensive Cyber Risk Management Partner 

At DMI, we understand the growing need for protection against increasingly sophisticated ransomware and cyber threats. We also believe that cybersecurity is a critical component of your business’s overall risk management process. 

Our cybersecurity team designs, tests, and implements tailored incident response and disaster recovery plans based on our client’s cyber risk priorities. We apply proven processes, tools, and world-class expertise to contain, analyze, mitigate, and recover from a cybersecurity incident. 

In addition to cyber response and recovery, we also offer full lifecycle cybersecurity governance, risk management, and compliance as well as tailored, end-to-end operational solutions. We help our clients quickly identify, assess, and respond to cyber risks to protect overall business productivity. 

Want to learn more about our cybersecurity expertise? Let’s talk.