• Rosanna Hayes

Colonial paid the ransom but did this fan or fuel the fire?

This article was published in The Business Anecdote Magazine.

Earlier this month we heard about the operator of the Colonial Pipeline falling victim to a ransomware attack. On Friday 7th May, the U.S. saw the most damaging cyberattack to its critical infrastructure, and all operations to the largest fuel pipeline in the United States stopped. The FBI confirmed that the hacker group DarkSide was behind the cyberattack: an organised gang with a ‘ransomware as a service’ business model, which they sell to other criminals seeking to carry out attacks. Using ‘double extortion’, they encrypt the victim’s data whilst also threatening to leak it publicly on ‘DarkSide Leaks’ if ransoms are not paid. The operation is expanding rapidly, and Cybereason reported a new version of the malware: DarkSide 2.0.


Unlike other threat actors currently at play, such as Maze, DarkSide, it seems, wishes to operate ‘ethically’, prohibiting attacks against hospitals, schools, and non-profit organisations. An article by CNBC revealed an unusual statement from DarkSide, which seemed to be an attempt at being perceived as more of a ‘Robin Hood’ style operation.


“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”


This was followed by their code of conduct, which outlined to their customers what type of targets are acceptable to attack and which should be protected, including entities based in former Soviet countries. They went on to declare that a percentage of their profits is also given to charity.


Five days after the Russian-linked hackers forced the pipeline to shut down, operations were back up and running. However, 3 out of 4 gas stations in North Carolina still had no gas, and half of the gas stations in Georgia, South Carolina, Virginia, and Washington DC were also out of fuel, pushing prices to extreme levels. The ensuing investigations into the East Coast pipeline company put its vigilance under scrutiny, as findings from a 2018 audit revealed flagrant failings which had not been addressed.


The press were informed that the outside audit found “atrocious” information management practices and poorly connected and secured systems. Robert F. Smallwood, whose consulting firm iMERGE delivered the 89-page report after a six-month audit, claimed that “an eighth-grader could have hacked into that system”. It is still unclear whether Colonial Pipeline addressed the 2018 audit; however, they claim to have increased their overall IT spending by more than 50% since 2017, hiring four independent cybersecurity risk assessment firms. Although they did not name these companies, Rausch Advisory Services in Atlanta affirmed they were among them, with Colonial’s chief information officer a member of its advisory board.


With Colonial responsible for providing the East Coast with 45% of its gas, jet fuel, and petroleum (a staggering 2.5 million barrels a day), there is no doubt the firm will be investigated by federal authorities seeking answers as to why the security issues highlighted in the audit were not addressed. Colonial admitted to implementing several of Smallwood’s recommendations, with active monitoring and overlapping threat-detection systems on its network, and its IT network strictly segregated from the pipeline control systems. They identified the ransomware attack as soon as it was detected and found the pipeline control systems were unaffected by the ransomware. It seemed the pipeline was shut down due to the firm's billing system being compromised.


According to an article in The Drive, company officials were concerned about the accurate billing of gas delivered to customers, and so chose to cut off the supply of its fuel. On the 7th of May, due to the uncertainty over how long its billing systems would be affected, the pipeline paid the $4.4m ransom. Colonial’s Chief Executive, Mr. Blount, conversed with experts who had previous dealings with DarkSide and claimed, “I didn't make [that decision] lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this, but it was the right thing to do for the country”.


According to Bitcoin records, since August 2020 DarkSide has received at least $90m in ransom payments from around 47 victims, and the pandemic levels of cybercrime have reignited calls for governments across the globe to ban ransom payments to criminals. The US government has recommended in the past that companies do not pay criminals over ransomware attacks in case they invite further hacks in the future; however, as it stands today, paying ransoms is not illegal.


DarkSide have since announced they are shutting down their operations after they lost access to their servers, which were used to house the victims’ data and ransoms, and funds were withdrawn to an unknown account. U.S. officials have argued that military cyber operators did not have any involvement in this, nor had any other U.S. agency. Concerns over the credibility of DarkSide’s disappearance have emerged, as cyber experts believe it is merely a smokescreen and that the criminals will simply regroup and return.


Clearly Colonial did not have a Cyber Incident Response Plan in place for such events; considering the continuously increasing prevalence of global cybercrime and the firm’s critical role in the U.S. energy system, they may now be exposed to claims of negligence. Further, their executive team demonstrated more concern over billing than over being a responsible player in the provision of Critical National Infrastructure services and the flow of vital fuel to U.S. businesses and consumers. The reactions of Colonial Pipeline clearly exposed their lack of effective cyber risk assessment and business continuity plans.


On reflection, perhaps the onus should not exclusively be on the provider, in this instance Colonial, to properly plan for and execute business continuity arrangements when something like this happens. The U.S. federal and local governments have a Critical National Infrastructure oversight role, and one may call into question whether they have delivered on their responsibilities here.

