Deepthi Ratnayake MBCS, Senior Lecturer in Computer Science, explains the Colonial Pipeline attack that revolutionised the ransomware landscape.

Ransomware extortionist DarkSide’s attack on the Colonial Pipeline Co. triggered a comprehensive federal response focused on securing critical infrastructure in the USA and a global drive in fighting cryptocurrency-fuelled ransomware attacks.

Victim and the scale of attack

The Colonial Pipeline Co., privately owned by IFM Investors, Koch Industries Inc., KKR & Co. Inc. and Royal Dutch Shell PLC., is the largest provider of pipeline services in the USA, delivering more than 100 million gallons of gasoline, kerosene, home heating oil, diesel, national defence fuels and other refined petroleum products per day on its 5,500-mile route; taking fuel from the refineries of the Gulf Coast to the New York metro area.

This attack has been reported as the biggest cyber attack on physical operations at a critical infrastructure in US history. It forced some of the services to shut down for almost a week, instigating panic, fuel price hikes and shortages but fell short of an economic disaster.

Vulnerability

Charles Carmakal, Senior Vice President and Chief Technology Officer at FireEye Mandiant Inc., led the incident response investigations. He reported that the earliest evidence of compromise was attackers gaining entry into the network through a Virtual Private Network (VPN) account, on 29 April, using a legacy VPN profile and employee credentials.

Though how the username was obtained is unclear, the complex password may have been re-used, as it was found on the dark web. The legacy VPN profile, left active due to a misconfiguration, did not require multi-factor authentication.

Attack

According to open sources, at dawn on 7 May 2021 an employee found a ransom note on a control room computer from hackers (later identified as DarkSide); it demanded 75 Bitcoins, gave a Tor (The Onion Router) address and claimed to have links to exfiltrated data.

DarkSide doubly extorted Colonial, exfiltrating 100 GB of data and compromising the billing system. Colonial initiated the Incident Response Plan (IRP) to proactively shut the system down. The US Energy Department acted as a channel through which Colonial provided updates to the public and the agencies involved in the response.

The CEO admitted authorising ransom payment of $4.4 million, considering the stakes involved in a shutdown of a critical energy infrastructure. However, the decryption tool provided by DarkSide on receipt of the ransom was inefficient.

Threat actor

DarkSide, known as a ransomware-as-a-service (RaaS) provider to criminal affiliates, has previously been observed gaining initial access through phishing and exploiting remotely accessible accounts, systems and virtual desktop infrastructure (VDI); and maintaining persistence through remote desktop protocol (RDP).

Tor and Cobalt Strike are primarily used for command and control (C2). Ransomware with a ChaCha20 stream cipher and RSA-4096 is used on Linux. Salsa20 with RSA-1024 is used on Windows (which is what was used in the Colonial Pipeline attack). On 10 May, DarkSide announced that the motivation for the Colonial attack was financial, not political, and that a ‘partner’ was to be blamed for the ‘social consequences’.

The outcome

Incident investigation is ongoing. Colonial hired Mandiant, Dragos and Black Hills Information Security to strengthen its cyber security programme. So far, the security team has shut down the legacy VPN profile and implemented additional layers of protection across their enterprise. The systems were recovered from the backups and stolen data was isolated through the internet service provider (ISP) with the help of external security firms and US government officials.

Nothing was found to indicate that the threat actor moved laterally to the company's operational networks, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have reported.

Colonial is said to have cyber insurance, but ransomware-related coverage is unknown. Colonial also shared lessons learned widely. The US Department of Justice seized most of the cryptocurrency paid to DarkSide.

The Cyber Crime Squad of the FBI trailed the ransom Bitcoins using the Bitcoin public ledger and blockchain explorers as Bitcoins were transferred to the ransom payment address. Via at least 23 subsequent addresses, 63.7 Bitcoins landed at an address for which the FBI in the Northern District of California held the private key, enabling it to seize the money.
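The hop-by-hop following of funds on a public ledger described above can be sketched as a graph walk. This is an added example, not code from the article or from the FBI investigation: it uses a simplified one-sender-per-transaction model, and every txid, address and the split of funds in the ledger is constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed ledger: (txid, sending address, [(receiving address, BTC), ...]).
# All txids, addresses and the split are invented; this is not real chain data.
LEDGER = [
    ("tx1", "ransom_addr", [("hop_1", "63.7"), ("side_1", "11.3")]),
    ("tx2", "hop_1", [("hop_2", "63.7")]),
    ("tx3", "side_1", [("side_out", "11.3")]),
    ("tx4", "hop_2", [("hop_3", "63.7")]),
    ("tx5", "hop_3", [("final_addr", "63.7")]),
]
# Addresses whose private key the investigator holds (assumption for the demo).
HELD_KEYS = {"final_addr"}


def resting_places(ledger, start):
    """Follow every outgoing transfer from `start` and return the addresses
    where funds stop moving, as (address, amount, hops), largest first."""
    spends = defaultdict(list)
    for _txid, sender, outputs in ledger:
        spends[sender].extend(outputs)

    results, seen = [], set()
    stack = [(start, Decimal("0"), 0)]
    while stack:
        addr, amount, hops = stack.pop()
        if addr in seen:          # guard against cycles in the graph
            continue
        seen.add(addr)
        if addr not in spends:    # nothing spent from here: funds rest
            results.append((addr, amount, hops))
            continue
        for to_addr, btc in spends[addr]:
            stack.append((to_addr, Decimal(btc), hops + 1))
    return sorted(results, key=lambda r: r[1], reverse=True)


def seizable(results, held_keys):
    """Keep only resting places whose private key is held."""
    return [r for r in results if r[0] in held_keys]


if __name__ == "__main__":
    for addr, amount, hops in resting_places(LEDGER, "ransom_addr"):
        tag = "key held" if addr in HELD_KEYS else "key not held"
        print(f"{addr}: {amount} BTC after {hops} hops ({tag})")
```

Real Bitcoin transactions can combine inputs from several addresses, so production tracing works on transaction outputs rather than on the per-address model used here.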

On 13 May, DarkSide announced it was closing its services due to losing access to its infrastructure: blog, payment, and content distribution network (CDN) servers. However, intrusions by affiliates are continuing, and researchers speculate that this is an attempt to duck law enforcement and re-brand.

The cyber community calls for governments to ban ransom payments to hackers whilst steps are being taken by global government agencies - such as the Securities and Exchange Commission (US) and the Financial Conduct Authority (UK) - to increase regulation of cryptocurrency services.

Note: Colpipe website may not be accessible to some readers.