Security Experts:

Industry Reactions to Ransomware Attack on Colonial Pipeline

Industry reactions to Colonial Pipeline ransomware attack

Colonial Pipeline, the largest refined products pipeline in the United States, last week revealed that it was forced to shut down operations after being hit by a piece of ransomware.

The attack, which involved the Darkside ransomware, had significant implications, including states declaring a state of emergency, temporary gas shortages caused by panicked motorists stocking up over fears of gas shortages caused by the hack, and gas prices rising.

Darkside has been linked to Russia, but the hackers said they only wanted to make a profit and denied any government ties. The Russian government has officially denied any involvement, but U.S. President Joe Biden said Moscow does have “some responsibility to deal with this.”

Several industry professionals have commented on the Colonial Pipeline cyberattack and its implications.

And the feedback begins…

Setu Kulkarni, Vice President, Strategy, WhiteHat Security:

Setu Kulkarni, WhiteHat Security

“Connected industrial control systems now have given adversaries access to our distribution systems. What is worse is that with such remote access, the relative anonymity and the potential safe-harbor, adversaries do not have any deterrent to launch such malicious and profound attacks. While the alleged perpetrators deemed this as an accident and claimed they did not want to harm society, their acts need to be dealt with a response that acts like a deterrent. The administration and Colonial will respond to this tactically, and rightfully so to resurrect operations. However, if not now, then when will we lead the charge on deterring and punishing malicious cyber activity that targets the individual, a corporation or the society as a whole. While cyber is a part of each one of our defense forces, it is time to recognize and elevate Cyber Force as the eighth force in our national defense.”

Chris Kubic, CISO, Fidelis Cybersecurity:

Chris Kubic, Fidelis Cybersecurity

“The US Government has lots of resources at its disposal and it does have a history of reaching out to industry to alert them to cyber threats and attacks impacting our industrial base. I would expect that the Government’s A-team is actively involved in helping Colonial Pipeline contain and recover from the attack. 


The question will be whether the Government actively engages to hunt down, disassemble, and bring to justice the members of the DarkSide Ransomware group and whether the Government devotes more resources to tracking and disrupting Ransomware attacks against US interests.”


John Cusimano, Vice President, aeCyberSolutions:

John Cusimano, aeCyberSolutions

“In our company's extensive experience in assessing oil & gas pipelines for several of the country’s largest pipeline operators, we have found that pipeline cybersecurity is far behind that of other energy sectors (upstream and downstream O&G and electric utilities). A common gap in the pipeline industry is the lack of segmentation of the pipeline supervisory control and data acquisition (SCADA) networks which are the networks that connect the pipeline control center to every terminal, pumping station, remote isolation valve, and tank farm along the pipeline. These are very large networks covering extensive distances but they are typically “flat”, from a network segmentation standpoint. This means that once someone gains access to the SCADA network they have access to every device on the network. While pipeline SCADA networks are typically separated from the company’s business (IT) networks with firewalls, by design, those firewalls pass some data between the networks. For example, network monitoring software, such as Solarwinds, may be permitted through the firewall in order to monitor the SCADA network. These permitted pathways through the firewall are one-way malicious software or hackers can move from the IT network into the SCADA network. This was one of my greatest concerns when I learned of the Solarwinds attack.


The other big challenge with securing pipeline SCADA networks is that they branch into every facility along hundreds of miles of pipeline. Some of those facilities are in very remote places with little to no physical security meaning that if an attacker breached the security of one of those facilities they could gain access to the network. Finally, SCADA networks rely on extensive use of wireless communications (e.g. microwave, satellite, and cellular). Breaching the wireless signals or stealing a cellular modem from a remote site could give an attacker access to the entire SCADA network.”

Vladimir Kuskov, Head of Threat Exploration, Kaspersky:

Vladimir Kuskov

“DarkSide is a typical case of cybercriminal groups involved in ‘Big Game Hunting’. Their stated goal is to make money. They work via affiliate partner schemes – offer their ransomware ‘product’ to ‘partners’ which may in turn buy access to organizations from other hackers and then use it to deploy ransomware. Unlike some other groups, Darkside claims to have a code of conduct: they claim not to attack hospitals, schools, government institutions and non-commercial organizations.


Interestingly, DarkSide published a statement on their leak site. Judging by the statement, it looks like they did not expect such consequences and attention after the latest attack on Colonial Pipeline and now they are planning to introduce some sort of ‘moderation’ to avoid such situations in the future.


There are versions of DarkSide ransomware for Windows and Linux. Both versions have a secure cryptographic scheme so the decryption is not possible without the criminal’s key.


In the past they’ve made a mistake using the same keys for multiple victims. This allowed security companies to make a decryption tool that could help victims to recover their files without paying the ransom. DarkSide responded to that situation on a darknet forum and fixed this problem so new victims do not have such an option anymore, unfortunately.”

Marcin Kleczynski, CEO, Malwarebytes:

Marcin Kleczynski, Malwarebytes

“Many will recognize DarkSide from their dubious donations of $10,000 of stolen money to well-known charities in October 2020. Originally, this gang claimed that they wanted to "make the world a better place" but based on their post regarding the Colonial Pipeline attack , sharing that their “only goal is to make money,” we can deduce that this gang is far from good Samaritans.


This is another example of an alarming trend – devasting cyberattacks on US infrastructure and this latest incident further escalates the tensions between Russia and the U.S. regarding cyberattacks, whether or not they are sanctioned by the Kremlin. In accordance with the Ransomware Taskforce’s recent recommendation, ransomware must be treated as a national security threat. The forthcoming executive order from President Biden meant to strengthen cyberdefenses must address the cracks in the nation's cyber defense systems, as well as set strict regulations to not only how we respond to attacks once they happen but how companies, both private and public, work to proactively defend against these attacks. It is time to do more than just talk or write orders – we must take action. ”

Mark Stamford, CEO, OccamSec:

Mark Stamford, OccamSec

“I think we need to ask why this keeps happening, same MO every time - there’s a hack or ransomware, it’s described as being done by “elite hackers”, incident response kicks in (which is expensive), company buys some new tools, rinse, repeat.


At some point we are going to have to come to grips with how the bad guys actually operate, stop putting technology into everything “because we can” (IOT is a growing element of industrial organizations) and do something other than issue a press release, set up a task force, etc.


We need to adopt new ways of addressing this, or at least look at the old ways and realize they are not good enough.


The problem continues to be a lack of understanding around how bad guys actually do bad things - so when you publish a task force on ransomware have you a) worked out a blueprint for stopping ransomware or b) just told the bad guys what you are going to do so they can plan around it?”

Grant Geyer, Chief Product Officer, Claroty:

Grant Geyer, Claroty

“Unfortunately, the cyber attack against Colonial Pipeline is only a teaser of the future of cyber attacks. As cyber criminals and foreign adversaries seek opportunities for financial gain and power projection, our national critical infrastructure is an easy target. Industrial environments are operating with infrastructure that commonly maintains obsolete technology that can’t be patched, and staff that frequently are not as cyber savvy as they need to be to keep attackers at bay. This leads to a situation where cyber security risk levels are below acceptable tolerances, and in some cases organizations are blind to the risk.


One additional risk factor of pipelines is that they are highly distributed environments, and the tools that are used to enable asset operators’ remote connectivity are optimized for easy access and not for security. This provides attackers opportunities to sneak through cyber defenses as we saw in the water utility attack in Oldsmar, Florida earlier this year.


Among critical infrastructure sectors, energy is especially at risk. Our researchers have found that the energy sector is one of the most highly impacted by industrial control system (ICS) vulnerabilities, and it experienced a 74% increase in ICS vulnerabilities disclosed during the second half (2H) of 2020 compared to 2H 2018. Improving the nation’s critical infrastructure is going to require a public-private sector partnership given the current gaps and potential risk to the US supply chain and national security.”

Calvin Gan, Senior Manager, Tactical Defense Unit, F-Secure:

Calvin Gan, F-Secure

“We used to separate cyber crime versus physical world crime and view the impact differently. Even legislation is more documented for physical crime, compared to cyber crime where we are now slowly maturing. However, if there’s one thing the pandemic has changed, is the acceleration rate of cyber crime. With convergence of technologies being connected through the Internet, we now have a concrete view of how cyber crime impact has spread not only across the Internet but also to the physical world.


Attacks such as ransomware on CNI is just one example of how cyber crime can affect people directly or indirectly. With emergency laws needed to be passed to respond to cyber attacks, this is a clear sign that there is now increased interest by attackers to target these industries. The larger the impact to people or nations, the more pressure it is for these organizations to pay up or act upon the breach. This serves as motivation for attackers to continuously target them because they know it has the ability to push them “into the corner” of paying up.


While it’s easier said than done, reducing a successful attack is a role to be played by everyone and comes in all angles; from increased user general awareness to beefing up security measures in organizations, and having the right response plan in place with law enforcement being better equipped to track cyber criminals, and legislation being more robust in prosecuting cyber criminals. We should perceive cyber criminals similar to how we perceive a criminal in the physical world.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.