On Friday, May 7th, Colonial Pipeline experienced a ransomware attack. Colonial Pipeline transports gasoline, diesel, jet fuel, and home heating oil starting from refineries on the Gulf Coast to Texas and New Jersey with a system spanning 5,500 miles and transporting over 100 million gallons a day. As a result of the unanticipated shutdown, the U.S. DoT had to issue emergency orders to allow fuel movement outside service hours by other means.
The FBI confirmed on Monday, May 10th that the Darkside group was responsible for the attack. DHS officials are reported to have said that Colonial’s operations were shut down to prevent the spread of the attack from IT to OT networks. Darkside is a well-known group not clearly associated with state-sponsored actors but also known to not attack Russian affiliated organizations. They are known to have a Robin Hood principle which involves only targeting for-profit commercial entities and not cities and schools like many other groups do. Their extortion ranges from few hundreds of thousands to millions of dollars.
According to reporting by Bloomberg
The intruders, who are part of a cybercrime gang called DarkSide, took nearly 100 gigabytes of data out of the Alpharetta, Georgia-based company’s network in just two hours on Thursday
Here are the five key takeaways from what we know so far about this attack:
1. Ransomware and exfiltration increasingly go hand-in-hand (double extortion)
Due to the increased adoption of backup and the introduction of easier-to-use backup technologies, attackers are increasingly exfiltrating data and not just encrypting and holding it to ransom. This trend started in later 2019 and is only accelerating with attackers publicly naming their victims.
2. Ransomware and disruption-ware increasingly go hand-in-hand
Since 2019, ransomware groups have started adding an OT/ICS twist to their attacks. Families such as EKANS and MEGACORTEX specifically go after ICS control application software on the IT side to either disrupt operations or ransom the provider to re-enable the service. For example, these ransomware will look for GE or Honeywell-related processes to kill them which can result in loss of monitoring of the system or general disruption of the workflows in the organization. Ransomware no longer needs to just encrypt or exfiltrate data, they can simply disrupt and ask for compensation to restore service. Honeywell reported that 11% of detected USB disk-based malware had ICS-specific components while that number rose to 28% when ransomware was added as a category. Attackers are increasingly targeting sensitive infrastructure organizations where disruption causes critical statewide or nationwide problems that can increase their payout.
3. Timely detection is still a hard unsolved problem at scale
Two years ago, I wrote (somewhat hyperbolically) about a world in which every attack was a zero-day. While this is not strictly the definition of a zero-day, it is true that millions of never seen before malicious code variants are created every single day each going after well-known unpatched or yet unknown zero-day vulnerabilities. I also talked about how combining automation and AI-based predictions could help turn the tide. However, prevention technologies are still largely signature-based and Network Detection and Response technology is not widely deployed yet. With the wider adoption of AI, Automation, and NDR we stand a better chance of defending against ransomware. However, detection and response cannot just be anomaly-based. This attack exfiltrated data in under 2 hours and sent out 100GB. This amount of data is just noise in the typical N-S traffic in an organization and would not stand out. We need detection in earlier stages of the kill chain for initial and second stage infection, command and control, and lateral movement. This analysis by Varonis corroborates the zero-day point, “By using unique executables and extensions, the ransomware easily evades signature-based detection mechanisms. Darkside also provides customized ransomware to other threat actors (Ransomware as a Service) and takes a part of the profit in successful attacks.”
4. IT Security and OT Security are tightly coupled
DHS officials are reported to have said that Colonial’s operations were shut down to prevent the spread of the attack from IT to OT networks. While OT networks are supposed to be air-gapped from IT, and attacks usually start from the IT side (leaving aside a physical breach scenario) it is common for this gap to be software-based and also for system administrators to access the OT systems with credentials and no MFA turned on. This makes it possible for an infected IT user or desktop to eventually lead to an OT security incident. This is exactly what happened in the Ukraine energy grid attack of 2016, where a commodity attack with phishing emails containing Microsoft Word documents with macros eventually, through multiple stages, led to 30 power substations going offline! Going back to the better detection piece (3rd takeaway), if we were better at detecting the initial stages like the Word doc malware, we would not be dealing with complicated infections that are all over the network. However, because controls are usually signature or sandbox based they just don’t do the job. The ease of getting in using obfuscation, XLS4, or simply rewriting VBA macros is well known. While defending OT is a worthy defense-in-depth investment, if we are fighting that close to the crown jewels, we have already lost.
5. Automated response and prioritized triage is essential and directly relates to trust in AI
Detection is not enough. Ransomware attacks escalate quickly and there may not be enough time for a human assigned ticket workflow to blunt the attack. The Colonial Pipeline attack exfiltrated data in under 2 hours and the attackers were likely in the network for weeks and months prior to the final stage. Additionally. the SOC team may be under a deluge of many other trivial alerts (this is a huge issue in pure anomaly-based detection systems) to be able to triage the one that matters. We need some level of automated response to at least limit the spread of the problem before a human analyst can triage the incident. The automated response will have to be based on an automated AI-generated verdict which leads to the final issue of “can you trust your AI detection system?” and if so “to what extent?”. We need AI systems that have extremely low false positives to engender such trust.
This blog was also published on LinkedIn here https://www.linkedin.com/pulse/5-take-aways-from-colonial-pipeline-ransomware-attack-saumitra-das/
Questions? How to Contact Blue Hexagon Security Experts
I hope you found this article informative. If you need assistance or have any questions on how to replace your security agents with an agentless solution or how to bolster your security stack in the cloud, please contact Blue Hexagon Security Experts by email at firstname.lastname@example.org or online at https://bluehexagon.ai/contact/ and let us know how we can help.