The Colonial Pipeline breach brought the physical-world effects of a cyber-attack – such as those seen in Iran and Ukraine – to the U.S. However, unlike SCADA attacks in Iran and Ukraine, it is unlikely that the Colonial Pipeline attack was the direct result of a nation-state actor, but rather cybercriminals who (by their own words) may not have intended a physical-world outcome. In today’s blog, we discuss three important observations about this unique attack.
1. Where was the business system – operational system separation?
With the Colonial Pipeline incident, there is a fundamental disconnect between the type of attack (ransomware) and the ultimate outcome (disruption to the pipeline). DarkSide, the group responsible for the attack, had not previously focused on infrastructure – its earlier victims included Toshiba and a Canadian truck rental company. Many, including infrastructure security expert Joe Weiss, point out that the attack may have resulted from an intermingling of information technology (IT) and operational technology (OT) systems – suspecting that operators using an IT system were locked out of something needed to restart the pipeline. This, combined with the fact that DarkSide had a very well-defined ransomware playbook that did NOT involve holding critical infrastructure for ransom, highlights some unanswered questions. It will be interesting when the community learns how what was likely an IT attack spread to OT systems, and what practices emerge in the future for better segregation.
2. Ransomware is having an outsized impact
Since the start of the pandemic, there has been a definite uptick in ransomware – in particular ransomware that leverages VPN vulnerabilities. Just consider some of the case studies in this blog over the past year:
- FTA Zero-day Vulnerabilities and Recent Data Theft Extortion Attacks
- Vulnerabilities Used by Ryuk Ransomware
- University of Utah Ransomware
Ransomware continues to be lucrative to hackers because the ransom is often paid. The entire business model hinges on companies not conducting robust and timely backups and/or trusting that criminal hackers will not also sell or otherwise disclose the stolen information. This leads to the next lesson: these attacks are avoidable – if resources are allocated properly.
3. Ransomware is preventable – if firms allocate resources properly
So, DarkSide (which conducted the Colonial Pipeline attack), along with Netwalker (University of Utah), CLOP (Accellion exploits), and Ryuk (which targeted medical facilities), all successfully achieved their goal. When you look at the typical victims of these attacks, they are clustered around medical, academia, manufacturing, and infrastructure – organizations with 3,000-8,000 endpoints and security staff of 5-10 people. This type of organization represents a sweet spot for ransomware – large enough to extort millions of dollars, yet small enough to be over-burdened from a security perspective. Issues like unprioritized security projects, reactive rather than proactive patching, weak backups, and underfunding of security efforts are more common in firms like these – and they leave wide gaps open for cybercriminals.