One of the most disruptive cyber-attacks in history, the ransomware attack that shut down the Colonial Pipeline caused outages at gas stations in more than a dozen states. The FBI has named the group responsible, which operates Ransomware as a Service (RaaS) for itself and other cybercriminals.

Jan 15, 2022

Detailing the Ransomware Attack that Shut Down US Gas Pipeline

The Colonial Pipeline is back online and has returned to normal operations after one of the most disruptive cyber-attacks in history. The Colonial Pipeline carries gas, diesel, and jet fuel, serving much of the South and supplying nearly half of the East Coast's fuel. Widespread gas delivery disruptions led to shortages, rising fuel prices, and long lines in some parts of the country as consumers panicked and saw gas stations running out of gas. Market deliveries have now returned to Texas, Louisiana, Mississippi, Alabama, Tennessee, Georgia, South and North Carolina, Virginia, Maryland, DC, Delaware, Pennsylvania, and New Jersey. "Our team members across the pipeline worked safely and tirelessly around the clock to get our lines up and running," said Colonial Pipeline via Twitter. "We are grateful for their dedicated service and professionalism during these extraordinary times."

Ransomware Attack Forces Shutdown

Company officials confirmed a ransomware attack on their computer systems that forced them to shut down the system and halt operations. In its wake, Colonial shut down 5,500 miles of pipeline as a precautionary measure, fearing that cybercriminals had obtained information that would enable them to attack the pipeline at various unknown locations. In recent months, ransomware attacks have grown in frequency — encrypting data from systems and shutting off access while holding the key to unlock them for ransom. More than 25 government agencies have been attacked this year, including the Washington, DC police department. Several police departments have had their computer network systems breached, as have schools and hospitals across the country. Federal investigators, including the FBI, Energy Department, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, have been called on to investigate. According to the New York Times, the company has also engaged FireEye, a private cybersecurity team, to investigate. FireEye has recently been involved in investigations into breaches at Middle East energy facilities and US government agencies.

FBI Advises Ransomware Victims Do Not Pay the Ransom

In cases of ransomware attacks, the FBI advises victims not to pay the ransom. "Paying a ransom doesn't guarantee you or your organization will get any data back," the FBI says on its website. "It (paying the ransom) also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity." According to Bloomberg News, however, Colonial Pipeline did pay nearly $5 million to the cybercriminals in cryptocurrency. Although company representatives have not confirmed the payment, multiple sources have reported that Colonial did receive the decrypting tool from the hackers.

Ransomware Groups Launch Sophisticated Attacks

Victims of ransomware are often surprised by the sophistication and organization behind the attacks. These attacks are not the work of the stereotypical lone hacker in a dark basement. They are criminal enterprises that often feature mailing lists, press centers, hotlines, and help desks. After an attack, many such groups offer online support and provide a limited key to decrypt a small amount of data to prove they can reverse the encryption process. Once the ransom is paid, some cybercriminals have provided the decryption key while others have failed to do so. Reuters reported that DarkSide's website on the dark web even showcases a "Hall of Shame" with leaked documents from victims that refused to pay the ransom. At last check, it was advertising stolen documents from more than 75 US and European entities. In April 2021, the group issued a press release acknowledging they were targeting companies listed on the NASDAQ and offering information to stock traders to profit on advance knowledge after breaches were announced. According to Krebs on Security, DarkSide typically employs a "double extortion" racket — demanding one payment for the digital key required to unlock servers and a separate payment for promising to destroy stolen data.

FBI Names Russian Hacking Group DarkSide

The FBI attributed the ransomware attack on Colonial Pipeline to a criminal hacking group called DarkSide. DarkSide operates what it calls Ransomware as a Service (RaaS). RaaS allows other hackers to use its resources to attack companies anonymously. After being blamed for the attack, DarkSide claimed responsibility for three more attacks on private companies. Then, the group announced it was disbanding. DarkSide claimed in a message in Russian sent to several news organizations that the group lost access to its servers and funds had been withdrawn to an unknown address. It is unknown whether the actions were due to retaliatory actions on behalf of government agencies. "The post (from DarkSide) cited law enforcement pressure and pressure from the United States for this decision (to shut down)," Kimberly Goody, Mandiant's Senior Manager for financial crime analysis, said in a statement. Mandiant is a division of FireEye, which has been investigating the Colonial Pipeline attack. "We have not independently validated these claims, and there is some speculation by other actors that this could be an exit scam." Security experts say cybercriminal groups often form and frequently disband to avoid exposure, only to re-emerge as a new entity.

Biden Issues Executive Order on Improving Nation's Cybersecurity

In the wake of the attack, President Biden issued an Executive Order to improve efforts to identify, deter, protect against, and respond to cyber threats. While it does not address critical infrastructure, it does create new security standards for software vendors supplying the federal government. The President also announced that the Justice Department launched a new task force charged with prosecuting ransomware perpetrators to the full extent of the law. Just last month, the Biden administration announced sanctions against Russia for its role in the SolarWinds attack, which targeted US government agencies and corporations, naming a Russian foreign intelligence agency as the culprit. That was the same Russian government agency thought to be behind the hack of the Democratic National Committee during the 2016 election cycle. While DarkSide hackers have not been linked to the Russian government, officials speculate its operatives reside in Russia, but the country denies involvement.