IT Tips & Tricks
18 May 2021
Latest Development in Disruption of East Coast Fuel Supply Proves Eye-Opening
Beyond Colonial and "DarkSide": How Many More Cyber Security Lessons Do We Need?
We’re not claiming to be Nostradamus, but we recently published an article that predicted that events like the one that just befell Colonial Pipeline could become more prevalent. Read on to discover Colonial’s who, what and where, and what we recommended in the aforementioned article that could have helped prevent or mitigate the damage.
If you’ve had difficulty filling up your car anywhere between Texas and New York since Friday, 7 May, or you’re stunned by a sudden jump in gas prices along the Eastern Seaboard, you may have been surprised to discover who or what is to blame. And even if you don’t reside in the US, this information is pertinent to you.
By Friday, 14 May, a week into the service disruption that followed the cyber attack, it was being reported that Colonial Pipeline had paid the DarkSide ransom demand, almost $4.4 million, and received the decryption tool needed to unlock their systems. According to Bloomberg, “The tool was so slow that the company continued using its own backups to help restore the system …” The takeaway for everyone else: a ransom payment buys, at best, a slow and unsupported decryptor, while tested backups are what actually get systems running again.
The payment was made in bitcoin, which is widely assumed to be hard to trace. In fact, bitcoin is pseudonymous rather than anonymous: every transaction sits on a public ledger, which is precisely how blockchain-analysis firms follow ransom payments from wallet to wallet. And this was not the end of the story, because DarkSide soon claimed that someone else had cleaned out the account it uses to pay affiliates.
$4.4 million lighter: Colonial Pipeline — latest victim of a confirmed ransomware attack.
Who is “they”? To date, no identity has been given, though there are unconfirmed rumors of “government agency” involvement (with no country named). As the investigation continues, more details may emerge. For now, all we know is that someone may have cleverly outsmarted DarkSide.
According to Krebs on Security, “The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.”
Does this mean DarkSide is gone for good? While hope springs eternal, members of the cyber security industry are, at this stage, unconvinced. There is, however, some modicum of pleasure to be derived from the fact that all DarkSide gained for its efforts (or direct participation) in the Colonial Pipeline attack is being beautifully, deliciously broke. (Eeny, meeny, miny, moe, catch a thief by his crypto?)
Cyber security firm Intel 471 believes, “… a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways. A number of the operators will most likely operate in their own close-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to ‘wash’ the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil has allegedly ceased operations. Several apparent customers of the service reported they were unable to access BitMix in the last week.”
While there appears to be no imminent threat from this group at present, the question remains: Will they live to ride again another day and if not them, then who? Nobody wants their cyber security to become a threatening game of whac-a-mole.
So, what happened at Colonial?
The Not-So-Darling Buds of May
Friday, the seventh of May, dawned with typical spring vigor. Buds unfurled and birds hopped daintily from branch to branch, giving voice to their seasonal call, and … No, no, that’s not quite how Friday unfolded — at least not on the East Coast of the United States. Colonial Pipeline, a key fuel supplier in the US, announced it had come under cyber attack and warned consumers to anticipate fuel shortages. How did this happen and why now?
Well, Covid-19 safety protocols were in effect at Colonial. Before the coronavirus outbreak, onsite employees ran the pipeline on a closed system; social distancing requirements then led to Colonial Pipeline staff working remotely over the Internet. Remote access of that kind widens the attack surface considerably and is a plausible route in, but at the time of writing Colonial has not confirmed how the attackers actually gained access to its systems. (We referenced this precise phenomenon in a recent — and relevant — article, “Cloud Security and the Email from Hell.”)
A Code Amongst Thieves? (Um, no.)
DarkSide operates a Ransomware-as-a-Service (RaaS) model: affiliates carry out the intrusions using DarkSide’s malware and infrastructure and split the ransom with the developers. DarkSide is claiming no knowledge of this particular incident (forgive the nasal snort) and blaming it on one of its “clients,” in RaaS terms an affiliate. This just proves, yet again, that there simply is no honor amongst thieves.
The big question, of course, is, “Who is the alleged client?” Perhaps this question will be answered during the course of the ongoing investigation.
We’ll travel to the DarkSide a little later in this article, but for now, we’re returning to the fuel-challenged East US, to the Colonial Pipeline and the chaos that unfolded.
Oil Be Seeing You
What is the Colonial Pipeline? Without getting bogged down in minute detail, the privately owned Colonial Pipeline is one of the largest pipeline operators in the US, supplying approximately 45% of the gasoline, diesel, home heating oil, jet fuel and military fuel required on the East Coast. Over 100 million gallons of fuel are transported daily via the pipeline, which runs from Texas to New York. So, no dinky little operation, by any means. Perhaps this is another reason they were so attractive to DarkSide (or their alleged client).
The attack forced the company to freeze its IT systems and, as a precaution, shut down pipeline operations, temporarily halting fuel deliveries while a cyber security firm and a cyber forensics team were called in to investigate.
As the investigation and analysis are still ongoing, few details have been released regarding precisely how the attack occurred, other than that it was a ransomware attack linked to DarkSide.
Into the Dark Side
DarkSide, believed to operate out of Russia, first came to the attention of the cyber security industry in the summer of 2020. Their general modus operandi is to steal their target’s data first and then encrypt it, after which the ransom demand is presented. Should the ransom go unpaid, DarkSide’s next gambit is to take the stolen data to the victim’s competitors or investors to extract funds.
The stolen data may be posted on a leak website that DarkSide runs and, failing payment from the targeted victim, their competitors or their investors, the data is made public. Should the ransom be paid, DarkSide “honorably” withholds publication and provides a decryption tool. This strategy, a double-extortion campaign, exists because exfiltration defeats the one defense that beats plain encryption ransomware: restoring from backups. A victim with good backups can decline to pay for decryption, but it cannot un-steal its data, so the leak threat is what keeps the pressure on and maximizes DarkSide’s income.
When DarkSide hit Colonial, they reportedly stole about 100 GB of data in just two hours before encrypting systems. Colonial says they were forced to take certain systems offline in order to contain the threat.
As of Monday, 10 May, remediation is apparently ongoing and each system is being worked on in an “incremental approach.” On the same day, the US Federal Bureau of Investigation stated, “The FBI confirms that the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation.”
Less than a month ago, we published the above-mentioned article, “Cloud Security and the Email from Hell,” in which we stated, “With more organizations migrating to Cloud-hosted systems, the playground for potential hackers has grown exponentially. In fact, the threat of ransomware or malware has exploded in the last couple of years, as hackers take advantage of changing business practices.” Now the eastern US is bearing the brunt of a cyber attack on a key supplier, which bears out our point that “being ahead of the game is a whole lot easier than dealing with an unplanned-for disaster when it strikes.”
The Colonial Pipeline attack certainly underscores that sentiment, and nobody wants their cyber security to become a threatening game of whac-a-mole.
Protect Your Valuables
Consider the security protocols you currently have in place. Are you doing enough to protect your data?
In that ransomware article, “Cloud Security and the Email from Hell,” we outlined a number of practical do’s and don’ts and some battle-plan basics for avoiding and mitigating ransomware attacks. That advice still holds true, and it will help keep your cyber security from turning into the whac-a-mole game mentioned above.
We understand that migrating to the Cloud has become something of a necessity for a multitude of businesses. However, we urge you to read the above article, double-check the security systems you currently have in place and do everything necessary to protect your Cloud data.
If you’d like to discuss a proposed Cloud migration, or if you’ve completed a migration and now have missing data, please call 727-442-1822 to speak with a friendly and knowledgeable consultant or, for more information, visit www.LinkTek.com. But whatever you do, protect your data and ensure (and insure) its security.