The Colonial Pipeline Cyberattack: Explained

The recent cyberattack on the Colonial Pipeline Company in the United States has adequately demonstrated the significance of cybersecurity, where the slightest lapse in digitally securing the organization can prove to be the Achilles heel. Through this example of a digital attack, we notice the real-world consequences that impact physical assets, livelihood, and the economy. In this blog, we shall explore some cybersecurity measures on how to combat cyberattacks like the one on Colonial Pipeline.

 

The Giant Company

The Colonial Pipeline Company, headquartered in Georgia, operates the largest pipeline system for refined oil products in the U.S. This network of pipelines extends between New York and Texas, is 5500 miles long, and provides almost 45% of the East Coast’s fuel.

 

What had happened? The Incident that Brought the Company to a Grinding Halt

In May, Colonial Pipeline came under a cyberattack and all IT operations had to be immediately stopped. The incident surfaced as a ransomware outbreak organized by a cybercriminal hacking group called DarkSide. The malware they launched jeopardized the company’s necessary technology and equipment, which managed the pipelines.

 

Who all were affected? The Ramifications

During this time period, the entire service of fuel supply was paralyzed from Texas to New York. It invariably led to a shortage of available gas, which in turn, increased the gas-rate as well.

 

How did it exactly happen? The Way of Cybercriminals

The cybercriminals got hold of “Colonial Pipeline” through an inactive Virtual Private Network (VPN). Though, not in use, the VPN had been accepted by the Colonial Server and remained associated. Credentials of the cybercriminals were found from the dark web and they also claimed double extortion.

This meant that, in addition to the ransomware for encrypts of data, the cyberattackers had also stolen nearly 100 GB of critical data. There is sufficient evidence to conclude the hackers’ movement around the IT network.

While FBI was investigating, DarkSide, the cybercriminal group demanded 75 BTC ($4.4 million) for releasing the compromised data it had exfiltrated by using the ransomware.

After the payment, the Department of Justice (DOJ) USA stated that around 64 BTC was recovered from the virtual wallet, which the cybercriminals had used to collect the payment from the victim.

Nowadays, hackers use a new perspective called double extortion. It means they will not only encrypt the data but will also sell it.

 

The Consequence – DarkSide lost access to Infrastructure

The virtual wallet was seized from DarkSide and FBI recovered funds along with other US government facilities. It put out an online statement in a forum that “Services were ceased (country not named); money of advertisers and founders was transferred to an unknown account”. The hacker group also claimed that they had released the decryption tools to all the companies they attempted to extort data from, but were yet to receive payments.

 

Mitigations – How to Shield against Cyberattacks?
The number of cyberattacks through ransomware extortion in America’s energy infrastructure, oil and gas and power sector has increased tremendously. Such attacks are adversely affecting the oil and gas production along with the other supply chains across the globe.

Some measures to prevent cyberattacks:
  • Backups are important: Use backup systems and create multiple copies. They also need to be tested for infected files.
  • Disable Macro: If the Macro is not disabled then Microsoft files, transferred within the emails, may contain malicious scripts.
  • Endpoint Protections and Antivirus: Performing regular system scans and updating the antivirus signatures are critical. The EDRs should be configured and updated as per the latest rules and policies.
  • System Patches: Devices, including applications and cloud management systems should be patched and updated regularly. If possible, a centralized patch management system should be used.
  • Internet Access Restrictions: The key point of a ransomware’s entry consists of social network websites and personal mails. Creating limitations on access and imposing restrictions can be beneficial.
  • Monitor Third party: Continuous monitoring of network and activities regarding all third-party involvements are needed.
  • Restricted Policies: The key targets of Ransomwares are directories like Temp. Hence, such directories, in addition to on-memory execution should be blocked.

 

Responding to Ransomware – How to Treat Compromised Systems?
  • Isolate the infected system from the network to contain the malware and prevent it from spreading.
  • Find out if a decryptor is available or not. There are plenty of online resources available like https://www.nomoreransom.org/
  • Restore files from the backups held earlier


Thus, it can be noticed that while precaution is better than cure; in certain critical instances like cyberattacks, precaution is the only cure!

The Nuances of Ransomware Protection Unveiled

What is a Ransomware?
Ransomware is a kind of malware that pressurizes a victim to pay ransom, and unless and until the ransom fee is paid, the data of the victim remains encrypted or blocked from his access. Within the context of this attack, an entire organization is left paralyzed.
How they spread?
Ransomware spreads through phishing emails which contain malicious attachments or through software which a user downloads unknowingly. The attachment can be in any format such as ZIP files, Word documents, Excel spreadsheets, and even more. A ransomware attack can also take place when a user visits a website he is not aware of.
WannaCry-a ransomware
WannaCry ransomware (also known as Wana Decrypt0r, WCry, WannaCrypt) came to notice in the year 2017. A massive attack across multiple countries took place on 12 May 2017. Multiple reports mention that a total of 300,000+ systems were affected in over 150 countries. The ransomware attack affected multiple industries including healthcare, government, telecommunications, and petrochemicals. The true nature of this malware is that it comes under a worm classification which means that it can replicate itself in order to spread within an entire network. Researchers also mentioned that WannaCry has an encryption component that is based on public-key cryptography.
How WannaCry infects the systems?
The malware uses the famous Eternal Blue and DoublePulser exploits that were developed by NSA (National Security Agency). These exploits were leaked in 2017 by the Shadow Brokers group. The Eternal blue exploits the SMB v1 vulnerability, which Microsoft patched on 14th March 2017 and added to the security bulletin-MS17-010. The following vulnerability allows an attacker remote code execution by sending crafted messages and connects to TCP ports 139 and 445 of unpatched Windows system. Once the Eternal Blue exploit is executed, WannaCry tries to insert the DoublePulser through the system backdoor.
Prevention
  • Don’t click on suspicious links: If you feel that the link within an email is not relevant then it’s best to avoid clicking on it. Sometimes when a user interacts with the link, say by clicking on it, the malware starts downloading itself.
  • Information related to you: Let’s say you receive a call, message from an unknown contact, do not respond to them. The attacker may have a phishing attack in mind and sharing personal information would make you vulnerable.
  • USB drives: If an unknown person (untrusted source) hands over a USB drive to you, never plug-in the device into your system. This device may contain auto-run scripts which can be executed once you connect the drive to the system.
  • Updating your Operating System: Keep your programs and operating system updated as the vendors provide regular patches, which are sometimes critical security updates. If you abide by this practice attackers will find it difficult to exploit your system or network.
  • Using VPN: We as daily users connect to public networks (Wi-Fi) in coffee shops, subways, railway stations, and restaurants. Nevertheless, we do not realize that connecting to a public network makes us vulnerable to cyber-attacks. Therefore, it is a good practice that we use VPNs while we are in a public place. Another word of caution though; until very essential, do not use public networks.
  • Downloading Software: Ideally users should download software from a known source that they can rely on; meaning files from an unknown source may contain ransomware.
  • Application whitelisting: Configure operating systems or use third-party software to only allow authorized applications to run on computers, thus preventing ransomware from working.
  • Awareness: For organizations, it will prove beneficial if they educate their employees on practices and programs based on ransomware protection along with countermeasures for an attack.
If remote services are not required, it is advised that an individual turns them off. This will make the system more secure. Hence, attackers will not be able to execute remote exploits. For organizations, plenty of endpoint protection software are available, which protect against ransomware. Apply content filter for your mail servers and block websites that are malicious. There are firewall rules that can protect you against ransomware and these configurations should be applied.
Backup
Additionally, within Windows, a feature is available for data backup, and it is a good practice that users keep a backup of their data. If NAS (Network Attached Storage) is configured within a network, it can also be a target of ransomware. This is one reason why you should create regular back-ups of your data and save multiple copies.
Conclusion
To avoid becoming a victim of ransomware, we urge you to adopt the necessary precautionary measures and block future attacks. In case you are still a victim of ransomware we encourage you to take necessary action by referring to the above protective measures.