Colonial Pipeline, one of the largest fuel pipelines in the U.S., remains largely paralyzed after a ransomware cyberattack that took place over the weekend forced the temporary shutdown of operations. The company shut down approximately 5,500 miles of pipeline, leading to a disruption of nearly half of the nation’s East Coast fuel supply.
The attack attracted national news headlines and also spurred an emergency declaration from the White House, which lifted regulations on select U.S. drivers, allowing them to drive between fuel distributors and local gas stations on more overtime hours and less sleep than federal restrictions normally allow.
The incident highlights the rising threat of ransomware and the ongoing targeting of the nation’s aging critical infrastructure.
We heard from cybersecurity experts on what this latest large-scale ransomware attack means for the industry and how we should respond as a cybersecurity community and nation.
Matt Trushinski, Technical Director, Arctic Wolf
"Ransomware-as-a-Service is big business and we are not surprised groups like DarkSide are capitalizing on extortion techniques that are quickly becoming a hallmark for many eCrime actors. The hallmark of DarkSide attacks, among other eCrime groups, is that they do extensive research on their targets and are mainly interested in large corporations. This creates a sense of urgency especially as we see critical infrastructure suffering kinetic impact. This situation illustrates a growing security crisis. It’s imperative that if prevention fails, there is a world-class security operations infrastructure in place to detect, manage, and mitigate any threat."
Nick Cappi, Cyber Vice President, Portfolio Strategy and Enablement at Hexagon
"While all the details of the attack are yet to be made public, it appears that this is a ransomware attack that landed on the IT network. In an abundance of caution, Colonial shut down some or all of the industrial control systems to prevent the attack from spreading to these devices. Assuming they are able to isolate the attack and bring the control systems back online within a few days, this will be a shining example of a company’s ability to respond to and mitigate an attack. If they are unable to bring the control systems (and the pipeline) back online within a few weeks, the North East of the United States will likely see a steep increase in fuel prices and perhaps shortages and rationing."
Gary Kinghorn, Marketing Director, Tempered Networks
"While Zero Trust architectures are not necessarily a direct remediation against ransomware, Zero Trust can greatly mitigate the damage that can be done once a user or host is compromised. Lacking Zero Trust, the compromised host can likely navigate to critical infrastructure where it can do real damage. Zero Trust can reduce the lateral spread of attackers and malware by blocking access and communication that is not explicitly authorized. It is unlikely that whatever the initial ransomware host that was compromised would have had authorization to systems that can affect the flow through the pipeline or the control systems. With monitoring and visibility to anomalous traffic, like an accounting PC trying to access a control system, it's possible to even quarantine impacted systems further to restrict what limited Zero Trust access they were previously allowed to further mitigate damage. We can do this with partners that provide ongoing threat intelligence and analysis that can refine Zero Trust policies. Very few security approaches can overcome a trusted employee doing something stupid, as is usually the case with ransomware, but Zero Trust can dramatically limit the damage so it doesn't have significant impact on the business or, in this case, the economy."
Pascal Geenens, Director, Threat Intelligence for Radware
“The Colonial pipeline ransomware attack demonstrates yet again the significant impact of ransomware attacks. Once ransomware actors get an initial foothold, no system is safe. These new higher-end/professionalized ransomware attacks are harder to defend against because of the automated and human intervention where human actors pick the targets and operate the attack. There is a growing underground economy where ransomware operators have access to verified credential lists, attack tools, and malware platforms. This is a game-changer. Previously, gangs could never pull this off on their own, but now they can because of underground trading. The world is facing a severe enemy in ransomware and no one is safe. Authorities should not lose sight of this threat and continue or increase their resources in the fight against ransomware actors.”
Daniel Smith, Head of Security Research for Radware’s Cyber Threat Intelligence
“Today's threats, without a doubt, require full-spectrum solutions, but nothing will change the threat landscape without firm action from governments around the world. No task force against ransomware will solve this unless we are ready to address international loopholes and arrest criminals who operate with impunity from specific regions in the world. Giving advice to organizations on “not clicking links” or “not paying ransomware authors” has clearly not been the answer. Nothing will change until we have the international law and the power to arrest actors in countries that are hacking us like Russia and China. The same should be applied to us. Nation-states should have the ability to detain US citizens suspected of hacking as well. Once we have a strong governing law with consequences, then we will see change.”
Troy Gill, Manager of Security Research at Zix
“The recent attack on the Colonial Pipeline highlights the risk ransomware can pose not only to businesses but to critical national industrial infrastructure. The attack also showcases that the trend of "ransomware as service" is prolific in today’s world in addition to seeing the growing trend of more joint involvement from both private companies and government agencies to help halt the impact as quickly as possible. Similar to the FBI stepping in and removing Microsoft Exchange web shells to help safeguard organizations, I believe this involvement by the FBI and other government agencies has become critical to assist and prevent further damage with the Colonial Pipeline attack.
Many believe that this attack was a result of more engineers remotely accessing control systems for the pipeline from home using remote desktop software such as TeamViewer and Microsoft Remote Desktop. The pandemic forces more employees to work from home and unfortunately, many organizations are still trying to secure their devices, remote access points, and overall networks. There is no excuse for organizations not to enforce and implement two-factor authentication (2FA) or a multi-layered authentication (MFA) protection approach. In addition to requiring 2FA or MFA, this attack is a great reminder for organizations to make sure they are following all their best practices including:
Identify and isolate/mitigate the threat, eliminate it as appropriate and confirm elimination,
Deploy regular security audits to identify vulnerabilities and suspicious user behavior, and
Ensure business-critical data is being backed up accurately and regularly.
Also of note, this is an important reminder that it is never recommended to pay ransoms as you have no real guarantee that the attackers will cease the attack nor is it certain they will provide you with the decryption keys. It is your company’s responsibility to have the best proactive and reactive security measures in place so that when faced with a cybersecurity breach, you can reduce the recovery time and restore business quickly.”