Vulnerabilities in U.S. cybersecurity were exposed when, according to sources, the Darkside Colonial Thursday attack paralyzed operations in the largest pipeline for refined oil products in the United States. The urgency to have a stronger defense system against cyber attacks was highlighted, bringing the need for the federal government to change its outdated security models.

After the attack that caused a wave of panic in different states, both the private sector and the government have to work together against known vulnerabilities.

What Happened?

On Friday, May 7, the Colonial Pipeline stated the need to temporarily halt its operations after suffering a network intrusion. The company said in the statement that they had fallen victim to a well-organized cybersecurity attack. Additionally, they had to halt operations to contain the attack by turning off some of their OT systems.

The hack became the largest cyber attack aimed at critical infrastructure in the U.S. that has ever been disclosed publicly. The FBI named the DarkSide ransomware group as the culprit behind the Colonial Pipeline attack. With efficient cyber threat intelligence services, detection and containment of threats are possible.

Darkside performed the hacking in different stages against the company’s IT systems. According to reports, the hacking group accessed the Colonial Pipeline network and stole 100 gigabytes of data. The data theft was executed within a 2-hour window, followed by Darkside infecting the rest of the network with ransomware.

To contain the ransomware attacks, Colonial Pipeline shut down its system. The company then brought Mandiant firm on board to investigate the hack. The FBI, Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, and the U.S. Department of Energy were all notified to join the ongoing investigation.

Who Is Darkside Ransomware Group?

DarkSide is a cybercrime group notorious for its ransomware attacks. The hacker group based in Eastern Europe is known for professionalism and efficiency, making it a dangerous ransomware group. The cybercriminal hacking group is believed to be responsible for some of the largest ransomware attacks in history, including the Colonial Pipeline attack. Darkside ransomware group also offers Ransomware-as-a-Service (RaaS) to other cybercriminals and takes a cut from the operations.

The group reached its highest notoriety when they were named as the culprits behind the ransomware attack on the largest pipeline for refined oil products in the United States. The attack caused great disruptions to people’s lives and widespread panic across the different states.

However, Darkside has since come out to blame an affiliate criminal group. While they are known for different attacks, they seem to have an “ethics code” by which they operate. Darkside is known to take a “Robin Hood” persona, claiming they use their profits to help different needy groups. Though their ransomware was responsible for the Colonial Pipeline ransomware attack, they blame a separate group for the breach of their code of conduct.

The group stated in a post, “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money and not create problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” 

Key Findings on Darkside Ransomware Group

  • Darkside ransomware group is considered one of the most inventive hacking groups in the field
  • Darkside has a public blog called “Darkside Leaks”, used to intimidate their targets.
  • The group has strict criteria for picking partners; established Russian-speaking hackers
  • The group has a code of conduct dictating that certain industries are not to be targeted
  • Darkside’s code of conduct is against targeting critical infrastructure

Colonial Pipeline Paid Ransom In Full

When a ransomware group attacks an organization, the goal is usually to have the victim pay a ransom. Colonial Pipeline found itself facing the same ransom demands from the Darkside ransomware group. Colonial pipeline paid Darkside a ransom of 75 bitcoin, which translates to approximately $4.4 million.

Joseph Blount, Colonial Pipeline CEO, explained why the company didn’t wait a little longer before paying the ransom. He said the colonial pipeline paid the amount during Congressional hearings to try and contain the infection. He added that they were not sure how widespread the intrusion had gotten or how long recovery would take. It was with this uncertainty that they decided to pay the group with the hopes that it would speed up the recovery of the network.

FBI Turned the Tables on DarkSide

 Ransomware groups have commonly used Bitcoin with the notion that it cannot be tracked. As a cryptocurrency, Bitcoin also has a digital wallet that holds it. The FBI managed to trace the ransom paid in bitcoin and recovered part of it.

On June 7, Deputy Attorney General Lisa O. Monaco said they successfully managed to recover the ransom paid by the Colonial Pipeline. She said the U.S. Department of Justice’s Ransomware and Digital Extortion Task Force managed to find the digital address of the wallet that the hackers used and got a court order to recover the bitcoin. They were able to recover 64 bitcoin from the 75 that were paid. At the time of the operation, the 64 bitcoin were worth around $2.4 million.

Colonial Pipeline To Resume Operations

The Darkside attack led to fuel shortages and widespread panic buying in different areas of the U.S. However, everyone woke up to great news on Thursday with Colonial pipeline announcing that most of its network would resume operations.

A company spokesman, Eric Abercrombie, assured the public further, stating, “Colonial Pipeline has made substantial progress in safely restarting our pipeline system and can report that product delivery has commenced in a majority of the markets we serve. By mid-day today, we project that each market we service will be receiving the product from our system.”

Several sections remained out of commission due to how slow fuel travels per hour. According to the company statement, the Southeastern parts of the United States would require time before they are fully restocked.

President Biden’s Executive Order on the Nation’s Cybersecurity

On Wednesday evening, President Joe Biden signed an Executive Order aimed at improving cybersecurity. According to the policies outlined, the federal government will take necessary measures to augment and align the nation’s cybersecurity and minimize future ransomware incidents. The private sector has also been encouraged to do the same. A few of the necessary initiatives include:

1. Digital Supply Chain Security.

Organizations should identify threat signatures and anomalies in their digital supply chain. By working on such anomalies, it is easier to prevent the exploitation of vulnerable software in an organization. Organizations should utilize security-by-design principles across all their software development to guarantee that the company is one step ahead of ransomware groups.

2. Stronger and Modernized Cybersecurity Standards.

In an era where ransomware attacks are increasing, critical infrastructures need to modernize their security standards. One way to implement stronger cybersecurity standards is to migrate to zero-trust security models. Being able to monitor your network for anomalous activities guarantees that you can contain or restrict malware infections before any damage occurs. Working with a professional company to provide visibility into all your organization’s network activity.

3. Improving Investigation and Remediation Capabilities.

Organizations should learn from the colonial pipeline ransomware attack and improve their ability to detect and mitigate data exfiltration. Proper logging and reporting allow for the timely detection and mitigation of intrusions from ransomware groups. It is, therefore, essential to find a company that provides effective network detection and response solution for your organization.

Conclusion on the Colonial Pipeline Ransomware Attack

Organizations must step up and put cybersecurity at the forefront to avoid becoming victims of ransomware groups. As technology advances, ransomware groups also sharpen their techniques and attacks. Understanding that these attacks are not going anywhere should inform a need for the private sector and the federal government to stay on high alert. Additionally, partnering with companies with the expertise to detect intrusions and offer effective solutions is a wise route for all organizations.

Featured Image Source: pexels.com

Similar Posts

|

What is Network Detection and Response (NDR)?

ByJacky

Used by organisations to detect and prevent malicious activity in an organisation, Network Detection and Response describes a category of security solutions that are used to investigate and mitigate the risk of attackers. It is a progressive security solution providing a centralised machine-based analysis of network traffic and response solutions.

NDR solutions provide a single solution for visibility across on-prem, remote, and cloud environments.

Leave a Reply

Your email address will not be published. Required fields are marked *