Analyzing The Colonial Fuel Pipeline Incident: How Data-Powered Cybersecurity Can Help Prevent Ransomware Attacks
In this article we will discuss:
How DarkSide’s Ransomware-as-a-Service (RaaS) paralyzed the Eastern Seaboard
DarkSide, an Eastern European-based ‘ransomware startup’ of sorts, has pioneered the idea of Ransomware-as-a-Service (RaaS). This means that its ‘customers’ reach its website via the dark web, where it leases malware and ransomware to hackers who launch attacks on targets and give DarkSide a cut of the ‘loot’ extorted from desperate corporate victims.
Quick definition: ‘ransomware’ is the practice of locking the owners and users of a computer and/or network out of it unless a ‘monetary ransom’ is paid.
DarkSide is known to use a double-edged sword: it not only encrypts the victim’s data but also exfiltrates a sample of it and threatens to release that sample if the ransom being demanded is not paid. This is its ‘insurance policy’ in case a company has its data backed up and is considering not paying the group to recover data it already has digital copies of.
Here is a screenshot from the dark web showing the exact types of private, and damaging, data sets DarkSide holds over its victims’ heads in a ‘data hostage situation’:
How the Colonial ransomware attack went down
Cybersecurity experts believe that the Colonial Pipeline attack was aided by the unique COVID-19 scenario of remote working, which meant that more engineers and other workers accessed critical infrastructure and pipeline control systems from unsecured home networks.
Currently this is a ‘Colonial problem’, but in reality any business with a fully or partly remote working model is at risk of a cybersecurity attack.
One plausible point of entry is harvested company login details for software that gives IT departments remote access and control, such as TeamViewer.
Once inside, DarkSide ‘injects’ its paralyzing malware and informs users that servers and computers have been encrypted. It details exactly what data has been stolen and which information will be released if the ransom payment is not made. The tragic comedy that unfolds comes complete with a ‘personal leak page’, set up and ready to go live if demands are not met.
The economic effects of cyber-terrorism, and utilizing alt data as a secret weapon
DarkSide locked Colonial out of crucial pipeline servers, holding 100 gigabytes of data hostage and disrupting one of the largest refined gas and oil pipelines in the U.S. To give some numerical context, Colonial is responsible for transmitting 100 million gallons (2.5 million barrels) per day of:
- residential heating oil
- jet fuel
The pipeline itself is responsible for supplying over 50 million Americans with their fossil fuel needs from Houston to Atlanta, Charlotte to Jersey City, as well as supplying the U.S. military.
The main impacts of this attack include:
- Spot shortages of gas/oil/diesel
- The rise of fossil fuel prices
- Fluctuations in energy firm share prices
- Futures trader panic
- Increased transportation of oil products via roadways
Alternative data is crucial in managing cyber security infrastructure crises
Whether you are:
- the company dealing with a specific cybersecurity crisis
- a member of the affected sector
- or a financial institution looking to successfully maneuver portfolios
alternative data will provide you with crucial insights for in-the-moment strategic decision-making. Here are some examples from the Colonial Fuel Pipeline crisis:
Social sentiment: Many times the ‘name of the game’ is destroying a company’s reputation by releasing some ‘damning’ data set. Colonial paid $5 million to prevent this from happening, but each case can, and should, be evaluated individually. What if, by collecting social sentiment data, you could deduce that your customer base would be only minimally or marginally affected in terms of loyalty? That is the type of insight certain sectors can benefit from, avoiding ransomware payments altogether and using those funds to beef up internal cybersecurity.
Satellite imagery: These data sets can be extremely important when analyzing the alternative routes, by land or sea, being used to meet demand. This data can be crucial for energy-sector competitors, as well as for futures and commodities traders trying to gauge how supply and demand will influence fuel prices. One can also look at refinery activity during such periods to analyze surpluses, as well as reductions in refinery operating rates as stockpiles build up.
Performing preemptive data-driven cyber security
- $350 million in annual losses attributed to ransomware attacks
- An increase of 300% in YoY cybercrimes
- An average ask of $335,000 per attack
The Biden administration considers U.S. cybersecurity infrastructure to be in dire straits and in need of being addressed immediately. As with his administration’s Broadband-for-every-American initiative, the president plans on launching a “100-day plan to tackle increasing cyber threats” in order to build up utility, supply chain, and corporate American cybersecurity resilience by:
To cyber security threats across the board.
But how can companies practically create a preemptive cybersecurity strategy?
Many companies, including Colonial, still use the antiquated practice of taking servers offline to stop an attack in progress, which is the equivalent of amputating a limb instead of using modern-day antibiotics.
Instead, companies need a clear cybersecurity governance strategy in place:
Multi-factor authentication (MFA): It is bewildering that so many companies have yet to enact MFA, especially those guarding society’s most cherished infrastructure. As mentioned earlier, Colonial was most likely breached through harvested engineer login details. Had it used MFA, this debacle could have been avoided.
Data storage and backup systems: Ransomware services like DarkSide use a two-edged sword – one edge is paralyzing systems by locking companies out of crucial data. But what if your company kept an off-server copy of crucial data sets, or used cloud-based data services to keep digital copies in secure data centers across the globe? That would at the very least blunt one edge of that very real, sharp sword.
Trojan horses: Just as the Greeks did with Troy, companies can, and should, use their red teams to search for vulnerabilities. For example, an in-house cybersecurity team can use a global network of IPs to map and monitor its own internet-exposed attack surface (outside its firewall). An unexpected open port may indicate a host that is exposed or already compromised; it can then be blocked or closed, or fed false information in order to lead cybercriminals in circles.
Network segmentation: Colonial’s crucial infrastructure systems were accessed via the IT network, which shows that it lacked basic segmentation of non-critical assets from important operating systems. Companies should first identify which systems and information they consider their ‘crown jewels’, and then treat them as such, by:
- Keeping them on a completely separate/secure/internal network
- Not allowing access to them remotely
- Uploading decoy information (as in the ‘Trojan horse’ scenario causing cybercriminal groups to lose credibility)
- Taking advantage of encryption in transit, so that data is unreadable while it travels and can be decrypted only by authorized parties at its final destination
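The segmentation list above, expressed as a boundary firewall policy. This is an added example, not anything from the article or from Colonial; it assumes a Linux gateway running nftables between the corporate IT network and the control-system (OT) network, with the interface names, subnets and the single audited jump host all being illustrative assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the article): nftables policy on a gateway between the
# IT network and the pipeline control (OT) network. Names and addresses are assumed.
#
# Weak state, equivalent to one flat network: a remote-access login on the IT
# side (e.g. TeamViewer, TCP 5938) reaches control systems directly.
#   iifname "eth_it" oifname "eth_ot" accept
#
# Corrected policy: default drop across the boundary. OT is reachable only from
# one hardened, MFA-protected jump host, on one port, for connections that host
# initiates. OT may push historian data outward but cannot start anything else.

flush ruleset

define IT_NET = 10.10.0.0/16     # corporate IT network (assumed)
define OT_NET = 10.50.0.0/16     # control-system network (assumed)
define JUMP   = 10.10.1.10       # hardened jump host with MFA (assumed)
define HIST   = 10.50.2.20       # OT data historian allowed to replicate out (assumed)

table inet ot_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections permitted by the rules below
        ct state established,related accept
        ct state invalid drop

        # only the jump host may open SSH into OT; every new session is logged
        iifname "eth_it" oifname "eth_ot" ip saddr $JUMP ip daddr $OT_NET tcp dport 22 ct state new log prefix "OT-JUMP " accept

        # the historian may replicate to the IT network on its database port
        iifname "eth_ot" oifname "eth_it" ip saddr $HIST ip daddr $IT_NET tcp dport 5432 ct state new accept

        # anything else crossing the boundary, including remote-access tools
        # such as TeamViewer (5938) from the IT side, is logged and dropped
        log prefix "OT-BOUNDARY-DROP " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for `OT-BOUNDARY-DROP` entries; each one is an attempted IT-to-OT crossing that the flat network would previously have allowed silently.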
Preemptive web data monitoring: Companies can use data collection networks to monitor for and catch malware and viruses in email clients, social media, and server networks in real time. Antivirus software only catches ‘known viruses’ (the strain used against Colonial is “new on the ransomware market”, according to DarkSide’s dark web marketing), and it takes providers time to update and adapt all endpoints to current threats, leaving companies vulnerable and assets compromised in the interim.
To avoid this, cybersecurity teams test links in real time and detonate the malware in designated sandboxes. Attackers also usually tailor an attack to a specific geography, so using an IP network that can adapt to those needs is important.
In Colonial’s case, the malware is programmed not to attack Russian IPs or systems whose language settings are Russian or another Slavic language. Once a company knows this, it can use proxy networks as a tool, using only Russian-based IPs for a period, protecting itself against the hackers by being prepared and knowledgeable about their modus operandi, and evolving its tactics as necessary.
The bottom line
Acting Cybersecurity and Infrastructure Security Agency Director Brandon Wales summed up the state of cybersecurity nicely at the recent Senate Homeland Committee hearing (Via Archive.org):
“Malicious cyber actors today are dedicating time and resources towards researching, stealing, and exploiting vulnerabilities, using more complex attacks to avoid detection, and developing new techniques to target information and communication technology supply chains. There’s no company too small to suffer a ransomware attack”, Mayorkas added. “We are seeing increasingly small- and medium-sized businesses suffer ransomware attacks”.
Don’t wait to become a victim.