For years the cybersecurity industry has warned that state-sponsored hackers could shut down large swathes of U.S. energy infrastructure in an act of geopolitically motivated cyber warfare. But now, seemingly profit-driven cybercriminal hackers have inflicted a disruption that hackers in intelligence agencies and the military never dared: shutting down a pipeline that carries nearly half the fuel consumed on the East Coast of the United States.
On Saturday, Colonial Pipeline, which operates a pipeline that transports gasoline, diesel fuel and natural gas along a 5,500-mile route from Texas to New Jersey, released a statement confirming reports that ransomware hackers had hit its network. In response, Colonial Pipeline says it has shut down parts of the pipeline operation in an attempt to contain the threat. The incident represents one of the biggest disruptions to America’s critical infrastructure by hackers in history. It also provides another demonstration of the seriousness of the global ransomware epidemic.
“This is the biggest impact on the energy system in the United States that we have seen from a cyber attack, period,” said Rob Lee, CEO of security firm Dragos, which specializes in critical infrastructure. Aside from the financial impact on Colonial Pipeline or the many suppliers and customers of the fuel it transports, Lee points out that approximately 40% of U.S. electricity in 2020 was produced by burning natural gas, more than any other source. This means, he argues, that the threat of cyber attacks on a pipeline poses a significant threat to the civilian electricity grid. “You have a real ability to impact the electrical system in a large way by cutting off the supply of natural gas. It’s a big problem,” he adds. “I think Congress is going to have questions. A vendor was hit with ransomware as a result of foul play; it wasn’t even a state-sponsored attack, and it impacted the system in that way?”
Colonial Pipeline’s brief public statement says it has “launched an investigation into the nature and scope of this incident, which is ongoing.” Reuters reports that incident responders from the security company FireEye are assisting the company and that investigators suspect a ransomware group known as Darkside may be responsible. According to a report by security firm Cybereason, Darkside has compromised more than 40 victim organizations and demanded between $200,000 and $2 million in ransom.
The Colonial Pipeline shutdown comes amid a growing ransomware epidemic: hackers have paralyzed and digitally extorted hospitals, hacked police databases and threatened to publicly expose police informants, and crippled municipal systems in Baltimore and Atlanta.
The majority of ransomware victims never publicize their attacks. But Lee says his company has seen a significant increase in ransomware operations targeting industrial control systems and critical infrastructure, as for-profit hackers seek out the most sensitive and important targets to hold at risk. “Criminals are starting to think about targeting industrial companies, and over the last seven or eight months we’ve seen an increase in cases,” says Lee. “I think we’ll see a lot more.”
In fact, ransomware operators have had more and more industrial victims in their sights for years. Norsk Hydro, Hexion and Momentive were all affected by ransomware in 2019, and security researchers discovered Ekans, the first ransomware apparently tailor-made to cripple industrial control systems. Even targeting a gas pipeline operator is not entirely unprecedented: in late 2019, hackers installed ransomware on the networks of an unnamed U.S. gas pipeline company, as the Cybersecurity and Infrastructure Security Agency warned in early 2020, though that company was nowhere near the size of Colonial Pipeline.
In that previous pipeline ransomware attack, CISA warned that the hackers gained access to both the IT systems and the “operational technology” systems of the targeted pipeline company, the latter being the computer network responsible for controlling physical equipment. In the case of Colonial Pipeline, it is not yet clear whether the hackers bridged that gap to reach systems that could have allowed them to meddle with the physical state of the pipeline or create potentially dangerous physical conditions. Simply having broad access to the IT network could be reason enough for the company to stop operating the pipeline as a safety measure, says Joe Slowik, security researcher at DomainTools, who previously led the IT security and incident response team at the U.S. Department of Energy. “The operator did the right thing in this case in response to the events,” Slowik says. “Once you can no longer ensure positive control over the environment and clear visibility of operations, you must stop it.”