The recent cyberattack on the Colonial Pipeline Company in the United States has clearly demonstrated the significance of cybersecurity: the slightest lapse in digitally securing an organization can prove to be its Achilles heel. Through this example of a digital attack, we see real-world consequences for physical assets, livelihoods, and the economy. In this blog, we explore some cybersecurity measures for combating cyberattacks like the one on Colonial Pipeline.
The Giant Company
The Colonial Pipeline Company, headquartered in Georgia, operates the largest pipeline system for refined oil products in the U.S. This network of pipelines extends between New York and Texas, is 5500 miles long, and provides almost 45% of the East Coast’s fuel.
What had happened? The Incident that Brought the Company to a Grinding Halt
In May, Colonial Pipeline came under a cyberattack and all IT operations had to be stopped immediately. The incident turned out to be a ransomware outbreak carried out by a cybercriminal hacking group called DarkSide. The malware they deployed jeopardized the technology and equipment the company relied on to manage the pipelines.
Who all were affected? The Ramifications
During this period, fuel supply was paralyzed along the entire route from Texas to New York. This led to a shortage of available gas, which in turn drove up gas prices as well.
How did it exactly happen? The Way of Cybercriminals
The cybercriminals got into Colonial Pipeline through an inactive Virtual Private Network (VPN) account. Though no longer in use, the account was still accepted by Colonial's server and remained connected to the network. The credentials the cybercriminals used had been found on the dark web, and the attackers also carried out double extortion.
This meant that, in addition to encrypting data with the ransomware, the attackers had also stolen nearly 100 GB of critical data. There is sufficient evidence that the hackers moved around the IT network.
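The entry point described above was an account that nobody used any more but that the VPN server still accepted, with a password that had leaked. The check a defender would want is a periodic audit of VPN accounts for exactly that condition. The following is an added example, not Colonial Pipeline's tooling or any vendor's product; the account records are constructed, and the MFA-enrolment attribute is an assumption of the example (the post does not say how Colonial's VPN authenticated), included because a leaked password alone should not be enough to log in.

```python
"""Audit VPN accounts for dormant-but-enabled accounts and accounts without MFA.
Added example with constructed data; not code from the original post."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VpnAccount:
    username: str
    enabled: bool                    # still accepted by the VPN server
    mfa_enrolled: bool               # hypothetical attribute, see lead-in
    last_login: Optional[datetime]   # None means the account has never logged in


# Constructed sample export from a VPN server / directory (hypothetical accounts).
NOW = datetime(2021, 5, 7, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS: List[VpnAccount] = [
    VpnAccount("ops-admin", True, True, NOW - timedelta(days=2)),
    VpnAccount("contractor-legacy", True, False, NOW - timedelta(days=200)),
    VpnAccount("former-employee", True, False, None),
    VpnAccount("retired-svc", False, False, NOW - timedelta(days=400)),
]


def find_risky_accounts(accounts, now=NOW, dormant_after_days=90) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for every *enabled* account that is dormant
    (no login inside the window, or never used) or that lacks MFA.
    Disabled accounts are skipped: they are already in the state we want."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        reasons = []
        if acct.last_login is None:
            reasons.append("never used")
        elif now - acct.last_login > timedelta(days=dormant_after_days):
            reasons.append(f"dormant {(now - acct.last_login).days} days")
        if not acct.mfa_enrolled:
            reasons.append("no MFA")
        if reasons:
            findings[acct.username] = reasons
    return findings


if __name__ == "__main__":
    # Each flagged account is a candidate for disabling or for MFA enforcement.
    for user, reasons in find_risky_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(reasons)}")
```

Run against a real export, the output is a worklist: dormant accounts get disabled, and enabled accounts without MFA get enrolled before they are allowed to connect again. The 90-day window is a parameter; pick the value your own access-review policy uses.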
While the FBI was investigating, DarkSide, the cybercriminal group, demanded 75 BTC ($4.4 million) to release the data it had compromised and exfiltrated using the ransomware.
After the payment, the U.S. Department of Justice (DOJ) stated that around 64 BTC had been recovered from the virtual wallet the cybercriminals had used to collect the payment from the victim.
Nowadays, hackers use a new approach called double extortion: they not only encrypt the data but will also sell it.
The Consequence – DarkSide lost access to Infrastructure
The virtual wallet was seized from DarkSide, and the FBI, together with other US government agencies, recovered the funds. DarkSide put out a statement on an online forum that “Services were ceased (country not named); money of advertisers and founders was transferred to an unknown account”. The hacker group also claimed that it had released the decryption tools to all the companies it had attempted to extort data from but had not yet received payment from.
Mitigations – How to Shield against Cyberattacks?
The number of ransomware extortion attacks on America's energy infrastructure, including the oil and gas and power sectors, has increased tremendously. Such attacks are adversely affecting oil and gas production along with other supply chains across the globe.
Some measures to prevent cyberattacks:
- Backups are important: Use backup systems and keep multiple copies. Backups also need to be tested for infected files.
- Disable macros: Microsoft Office files received by email may contain malicious macro scripts, which run if macros are not disabled.
- Endpoint protection and antivirus: Regular system scans and up-to-date antivirus signatures are critical. EDR tools should be configured and updated according to the latest rules and policies.
- System patches: Devices, applications, and cloud management systems should be patched and updated regularly. If possible, use a centralized patch management system.
- Internet access restrictions: Social networking websites and personal email are key entry points for ransomware. Limiting and restricting access to them can be beneficial.
- Monitor third parties: Network traffic and activity involving all third parties needs continuous monitoring.
- Restrictive policies: Ransomware commonly targets directories like Temp. Execution from such directories should be blocked, and in-memory execution should be blocked as well.
Responding to Ransomware – How to Treat Compromised Systems?
- Isolate the infected system from the network to contain the malware and prevent it from spreading.
- Find out whether a decryptor is available. There are plenty of online resources, such as https://www.nomoreransom.org/
- Restore files from the backups taken earlier.
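Two of the points above depend on the same check: backups "need to be tested for infected files" (in the mitigations list) and the last response step restores from those backups. A backup that ransomware has already touched is no backup. The following is an added example, not part of the original post and not any vendor's tool: it records a SHA-256 manifest when the backup is taken, then before restoring it verifies every file against that manifest and also flags files that look ransomware-encrypted (near-maximal byte entropy, or one of a constructed list of suspect extensions). The files, the extension list and the entropy threshold are all constructed for the example.

```python
"""Verify a backup set against its manifest and flag files that look encrypted.
Added example with constructed files; not code from the original post."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}  # constructed list
ENTROPY_THRESHOLD = 7.5  # bits/byte; text and office documents sit well below this


def sha256_of(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> Dict[str, str]:
    """Record relative path -> SHA-256 for every file at backup time."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {relative path: [problems]}; an empty dict means the set is clean."""
    problems: Dict[str, List[str]] = {}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        seen.add(rel)
        issues = []
        if rel not in manifest:
            issues.append("not in manifest")          # file appeared after the backup was taken
        elif sha256_of(p) != manifest[rel]:
            issues.append("hash mismatch")            # content changed since the backup
        if p.suffix.lower() in SUSPECT_EXTENSIONS:
            issues.append("suspect extension")
        ent = shannon_entropy(p.read_bytes())
        if ent > ENTROPY_THRESHOLD:
            issues.append(f"high entropy ({ent:.2f} bits/byte)")
        if issues:
            problems[rel] = issues
    for rel in manifest.keys() - seen:                # recorded at backup time, gone now
        problems[rel] = ["missing from backup"]
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: manifest a clean backup, then simulate ransomware
    replacing one document with random bytes under a new extension."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoices.txt").write_text("invoice 1001 paid\n" * 50)
        (root / "ops").mkdir()
        (root / "ops" / "runbook.txt").write_text("step 1: isolate host\n" * 40)
        manifest = build_manifest(root)
        (root / "invoices.txt").unlink()
        (root / "invoices.txt.locked").write_bytes(os.urandom(4096))
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for rel, issues in demo().items():
        print(f"{rel}: {', '.join(issues)}")
```

The manifest has to be stored separately from the backup it describes (ideally offline), otherwise the same ransomware can alter both. The entropy check catches encrypted content even when the attacker keeps the original file name; the hash check catches any change at all, including silent corruption unrelated to an attack.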
Thus, while precaution is generally better than cure, in critical instances like cyberattacks, precaution is the only cure!