Ransomware attack shuts down critical US pipeline

On May 7, 2021, Colonial Pipeline, a major US pipeline based in Georgia, was hit with a ransomware cyber attack. This resulted in an ongoing network shutdown. Most importantly, this major pipeline carries 2.5 million barrels each day of diesel, gasoline, and jet fuel to approximately 45% of the East Coast of the US. It spans over 5500 miles starting from Texas to the Northeastern states. US fuel prices at the pump are not yet affected. However, the concerns are that prices will spike if the shutdown continues past its fourth day.

As of May 10, the FBI has released an updated statement attributing this attack to a threat group using DarkSide ransomware. US legislation issued an emergency legislation. They are working with Colonial Pipeline, FBI, and other government agencies to restore service to the network and respond to the attack.

Colonial Pipeline states, “segments of our pipeline are being brought back online in a stepwise fashion” and “we proactively took certain systems offline to contain the threat. This temporarily halted all pipeline operations, and affected some of our IT systems.” The company further explains that its operations team is currently executing an incremental plan to facilitate a return to service in phases.

As efforts to slow the pandemic carry on globally, more teams are completing operations and access control systems from remote locations. So, this opens up increased vulnerability and risk. The threat group infiltrated Colonial Pipeline’s network. As a result, they stole nearly 100 gigabytes of sensitive data. They demanded a ransom by threatening to leak the information online.

It is important to note that the Darkside ransomware was deployed to infiltrate Colonial’s IT (information technology) network. It was not their OT (operational technology) network. However, their OT network controls the flow of fuel and oil products from the pipeline to distributors. Then, it sends information to their ticketing system which is located on their IT network. Their physical pipelines were not damaged or hindered. Consequently, the cyber attack on the company’s IT network compromised how they collect data on the amount of product flowing to each customer. Hence, the company shut down their systems and halted operations over the weekend.

The threat of ransomware is agnostic. It can affect critical industrial infrastructure on a national level much like Colonial Pipeline as well as businesses of any size or industry. The developers behind the DarkSide ransomware have stated that they are an apolitical group. The only goal is making money. This statement should be warning enough for all organizations to prepare for such attacks. When money is the driving point, there is nothing that threat actors won’t resort to. Therefore, security flaws, vulnerabilities, leaks, and plain human error are all easy avenues. This is how threat actors can launch their attack. Ransomware attacks especially are only on the rise and becoming more sophisticated. Once compromised, threat actors can move laterally. In your IT networks, they can access valuable financial records showing how much you make, what you charge, and what funds you have at the ready for their taking.

Firstly, Blackpoint Cyber’s 24/7 security operations center (SOC) is actively monitoring the developing Colonial Pipeline compromise. For our customers in the oil, gas, and energy sectors, we are conducting additional threat hunting to ensure the safety of your operations. Secondly, Blackpoint Cyber has past experience in dealing with threat groups using this specific ransomware. In conclusion, we are confident that our experienced SOC analysts and MDR technology will continue to protect your business and clients.

For more details on how we can safeguard your and your client’s operations, contact us today.

• Colonial Pipeline Media Statement
• FBI Statement on Compromise of Colonial Pipeline Networks