It isn’t often that the US government declares a state of emergency. But then, a ransomware attack that takes down a vital fuel pipeline supplying large parts of the eastern seaboard of the United States isn’t an everyday occurrence.
In just over two hours, a reported 100 gigabytes of data was exfiltrated from the Colonial Pipeline IT network and the network's systems were then encrypted, leaving the company unable to operate the key systems that transport fuel. The result, said the US Department of Transportation, was an emergency declaration which “addresses the emergency conditions creating a need for immediate transportation of gasoline, diesel, jet fuel, and other refined petroleum products and provides necessary relief.”
The hackers believed to be behind the Colonial Pipeline attack are thought to operate from former Soviet states, and came to prominence last year when they published a press release announcing their formation. Yet they claim a longer lineage than 2020. “We are a new product on the market,” their statement said. “But that does not mean we have no experience and we came from nowhere.” Whatever their experience, the scale of the disruption their attack caused seems to have taken them aback.
Apologies and clarification
DarkSide, the group to which the hack was attributed by the FBI, released a statement in response saying it was “apolitical”. “We do not participate in geopolitics,” they said. “Our goal is to make money, and not create problems for society.” As a result of the unwanted attention, DarkSide said they would be introducing moderation when clients approached them, vetting companies “that our partners want to encrypt to avoid social consequences in the future.”
The statement was remarkable for its candour, and for its admission that the group thought it had perhaps mis-stepped in attacking the Colonial Pipeline and locking up its data. “The more that hospitals, traffic management systems, policing or, in this case, fuel supplies, rely on data, the greater the impact that hackers can have by interfering with it,” said Peter Grimmond, head of technology, international at Veritas Technologies.
Yet just because DarkSide appear to have had a change of heart once they realised the impact of their actions, it doesn’t mean many others will. Could we see the birth of a new age of ethically-minded ransomware hacking? Probably not, not least because DarkSide themselves say that their primary goal is to make money.
The lure of money is hugely tempting for any organisation or individual – so much so that it can help people put aside their morals. Even if DarkSide were to step back from attacking vulnerable elements of society, there would be a raft of others willing to step in and take their place.
“The ransomware attack on the Colonial Pipeline in the US is a reminder that the operational technology (OT) our day to day lives rely on is increasingly becoming a target for malicious actors,” said Gareth Williams, vice president of secure communications and information systems UK at Thales. “This attack serves to confirm that businesses are not adequately protected when it comes to OT security and must start taking cybersecurity seriously and increase protection across their business.”
It’s for that reason that we can’t simply assume cybercriminals will shy away from launching ransomware attacks on vulnerable targets; instead, organisations have to strengthen their security so that they don’t fall victim to such attacks in the first place.
How to mitigate against future attacks
“Building a cohesive approach to securing your OT can sometimes be an engineering challenge as much as a cyber one, so teams cannot approach this in the same way they would IT security – it’s a different ball game and critical national infrastructure is at stake,” says Williams.
“One of the first steps on this path is identifying where data is held, but also who and what applications and code are trusted to access it. In doing this, rogue code such as ransomware will be unable to weave its way onto a database to encrypt it and gain control of the data.”
That matters because the ransomware deployed by DarkSide, when analysed, appears willing and able to attack any network it lands on, with one proviso. Digging into the code, security researchers found that it will not run its encryption payload on a system whose default language is set to Russian. That is sometimes suggested as a sticking-plaster measure for IT teams worried about exposure while they undertake a more thorough root-and-branch fix, but it is not a security control: the check lives in the attackers’ own code and can be removed or changed in any later build, and altering a system’s default language has side effects of its own. At most it buys time; it is no substitute for the controls on who and what can access data that Williams describes.