On Saturday, Colonial Pipeline, which operates a pipeline that transports gasoline, diesel fuel and natural gas along a 5,500-mile route between Texas and New Jersey, released a statement confirming that ransomware hackers had hit its network. In response, Colonial Pipeline says it has shut down parts of the pipeline operation in an attempt to contain the threat. The incident represents one of the biggest disruptions of America’s critical infrastructure by hackers in history. It also provides another demonstration of the seriousness of the global ransomware epidemic.
“This is the biggest impact on the energy system in the United States that we have seen from a cyber attack, period,” said Rob Lee, CEO of the critical-infrastructure-focused security company Dragos. Aside from the financial impact on Colonial Pipeline or the many suppliers and customers of the fuel it transports, Lee points out that approximately 40% of U.S. electricity in 2020 was produced by burning natural gas, more than any other source. This means, he argues, that the threat of cyber attacks on a pipeline poses a significant threat to the civilian electricity grid. “You have a real ability to impact the electrical system in a large way by cutting off the supply of natural gas. It’s a big problem,” he adds. “I think Congress is going to have questions. A vendor was hit with ransomware as a result of foul play, it wasn’t even a state-sponsored attack, and it impacted the system that way?”
Colonial Pipeline’s brief public statement says it has “launched an investigation into the nature and scope of this incident, which is ongoing.” Reuters reports that incident responders from security firm FireEye are helping the company, and investigators suspect that a ransomware group known as Darkside may be responsible. According to a report by security firm Cybereason, Darkside has compromised more than 40 victim organizations and demanded between $200,000 and $2 million in ransom.
The Colonial Pipeline shutdown comes amid a growing ransomware epidemic: hackers have crippled and digitally extorted hospitals, hacked law enforcement databases and threatened to publicly expose police informants, and crippled municipal systems in Baltimore and Atlanta.
The majority of ransomware victims never publicly disclose the attacks against them. But Lee says his company has seen a significant increase in ransomware operations targeting industrial control systems and critical infrastructure, as for-profit hackers seek out the most sensitive and important targets to put at risk. “Criminals are starting to think about targeting industrialists, and over the last seven or eight months we’ve seen an increase in cases,” says Lee. “I think we’ll see a lot more.”
In fact, ransomware operators have had more and more industrial victims in their sights in recent years. Norsk Hydro, Hexion, and Momentive were all affected by ransomware in 2019, and security researchers last year discovered Ekans, the first ransomware apparently tailored to cripple industrial control systems. Even targeting a gas pipeline operator is not entirely unprecedented: in late 2019, hackers installed ransomware on the networks of an unnamed U.S. gas pipeline company, the Cybersecurity and Infrastructure Security Agency warned in early 2020, though that company was not the size of Colonial Pipeline.
In that previous pipeline ransomware attack, CISA warned that the hackers gained access to both the IT systems and the “operational technology” systems of the targeted pipeline company, the network responsible for controlling physical equipment. In the case of Colonial Pipeline, it is not yet clear whether the hackers crossed that gap into systems that could have allowed them to meddle with the physical state of the pipeline or create potentially dangerous physical conditions. Simply having broad access to the IT network could be reason enough for the company to stop operating the pipeline as a safety measure, says Joe Slowik, a security researcher at DomainTools who previously led the IT security and incident response team at the US Department of Energy. “The operator did the right thing in this case in response to the events,” Slowik says. “Once you can no longer provide positive control over the environment and clear visibility of operations, you have to stop it.”