Executive Summary: COLONIAL PIPELINE RANSOMWARE ATTACK
Alexandros Kouiroukidis, Hubert Zhang, Priya Venkadesh, Counterintelligence and Cyber (CICYBER) Team
Week of Monday, May 17, 2021
On Friday, May 7, 2021, Colonial Pipeline suffered a ransomware attack and shut down its pipeline operations and Information Technology (IT) systems in response. The shutdown severely disrupted fuel supply and prices, causing shortages across the South and the East Coast and prompting Florida, North Carolina, and Texas to declare states of emergency. Colonial Pipeline carries roughly 45% of the East Coast's fuel supply and runs from Texas to New Jersey. On Monday, May 10, 2021, the FBI confirmed that the attack was carried out by DarkSide, a ransomware group that emerged in 2020 and is believed to operate from Eastern Europe, and U.S. President Joe Biden called the attack a criminal act. On the same day, DarkSide released a statement saying that its goal was to “make money, and not [create] problems for society.” Although Colonial Pipeline initially indicated it would not pay the ransom, reports on Thursday, May 13, 2021 confirmed that the company had paid approximately 75 Bitcoin, worth roughly $5 million at the time, to the attackers. The attack sets a major precedent of a cyberattack disrupting critical supply lines across the country; despite recent government awareness and efforts towards enhancing cybersecurity nationwide, similar ransomware attacks against the petroleum industry, critical infrastructure, and other vital resources are likely to continue and grow in scale and frequency.
Point 1 - What type of cyberattack did Colonial Pipeline suffer from and who carried out the attack?
Colonial Pipeline’s operations were put on hold after the attack, which sharply affected gasoline supply and prices along the East Coast. The attack is part of a rapid rise in ransomware that has accelerated since the start of the COVID-19 pandemic: the number of ransomware attacks grew by over 150% from 2019 to 2020, and the majority of attacks in 2020 used the ransomware-as-a-service (RaaS) model, in which a core group develops and maintains the malware and leases it to affiliates who carry out the intrusions. DarkSide is one such RaaS operation. According to FireEye, DarkSide keeps up to 25% of ransoms under $500,000 and 10% of ransoms over $5 million, with the remainder going to the affiliate that carried out the attack. Under this model, the 75 Bitcoin ransom Colonial Pipeline paid, worth roughly $5 million at the time, would have been split between DarkSide and the affiliate that conducted the intrusion.
The initial access vector has not been publicly confirmed, but cybersecurity researchers believe the attackers may have bought login credentials for employees who use remote desktop software. Based on previously observed DarkSide operations, it is possible that the credentials came from initial access brokers (IABs). IABs typically break into a target company’s network, often through weak or reused passwords on internet-facing remote access services or through unpatched software, establish a foothold, and then sell that access to ransomware operators such as DarkSide and their affiliates. DarkSide’s business model follows the now-typical ransomware pattern of working with other cybercriminal groups to identify vulnerable targets, carry out attacks, and split the proceeds. DarkSide is also part of the recent trend of ransomware groups maintaining official websites and publishing press releases to add a veneer of professionalism.
Point 2 - Who/what was impacted by the cyberattack?
One immediate effect was on fuel prices: the national average for regular gasoline rose to $2.97 per gallon, the highest since late 2014. The U.S. Department of Transportation (USDOT) issued a temporary hours-of-service exemption for fuel truck drivers to limit the disruption to supply. Eighty-eight percent of gas stations in Washington, D.C. were without fuel on Friday, May 14, 2021, due to panic-buying, along with at least half the stations in South Carolina, North Carolina, and Virginia. Stations have begun reopening since Colonial Pipeline announced on Wednesday, May 19, 2021, that the pipeline had returned to normal operations, though it may take several days for the supply chain to return to regular levels. As of Friday, May 21, 47% of stations in Washington D.C. were still without gas, as were 32% of stations in North Carolina and 30% in Georgia. Many Americans depend on driving to get to work and to travel in an emergency, so many have been forced to pay inflated gas prices across the East Coast. Beyond the economic damage to the East Coast and Southeast, the attack exposed the vulnerability of critical pipelines and other infrastructure and the need to strengthen cybersecurity nationwide to prevent disruptions of critical resources. With the largest refined-products pipeline in the U.S. shut down, millions of barrels of fuel had to move by truck, which severely slowed distribution across the East Coast; roughly 13,000 mid-sized fuel tankers a day would be needed to replace the pipeline’s capacity, pushing fuel prices up and slowing economic activity. Transportation of goods and services is also affected, so prices for food, appliances, furniture, electronics, airline tickets, and of course gasoline may rise until Colonial Pipeline returns to full functionality and regular supply levels.
The shutdown has also led many Americans to stay home because of higher gas prices. This has a ripple effect on the economy, as people are not driving to shop, eat out, or take part in other activities. Many states on the East Coast are slowly lifting COVID-19 restrictions to bring their local economies back to normal, but the pipeline shutdown acts as a counterweight to those efforts. Reuters reports that some drivers in the Southeast canceled trips to save gas, and location technology company TomTom states that traffic congestion in large cities across the region fell last week compared to the week before. With many people leaving the house only for essential outings, local businesses are seeing slow traffic, an effect similar to the lockdowns of 2020. While this hurts the economy and local businesses, it may briefly benefit the environment: road traffic is a major source of carbon dioxide and other greenhouse gases, so fewer cars on the road means a smaller carbon footprint for the duration of the shortage.
The shutdown of the Colonial Pipeline is likely to add momentum to President Biden’s effort to reduce greenhouse gas emissions. Within hours of taking office, President Biden revoked the permit for the Keystone XL pipeline and temporarily paused new oil and gas leasing on federal lands and waters, as part of a push to move the U.S. economy away from its reliance on fossil fuels. He also rejoined the Paris climate agreement, which seeks to strengthen the international response to climate change, and pledged to cut U.S. greenhouse gas emissions to at least 50% below 2005 levels by 2030. The attack will likely accelerate the administration’s emissions efforts and give many Americans a further incentive to switch to electric vehicles.
Point 3 - Discuss similar attacks on the U.S.’s critical energy infrastructures.
Cyberattacks on critical infrastructure and resources have increased in frequency and scale since the start of the COVID-19 pandemic. On Thursday, December 17, 2020, the U.S. Department of Energy announced that it was responding to a breach of its systems that was part of the SolarWinds supply-chain compromise, a campaign that also affected other U.S. government agencies. The Colonial Pipeline attack sets a particularly important and concerning precedent, as it marks the first time that a cyberattack has severely disrupted fuel supply and prices across several U.S. states.
Given the severe infrastructural and economic damage caused by the DarkSide attack, other critical infrastructure sectors that have been heavily hit by cyberattacks in recent years, such as water supply and healthcare, must be closely monitored and secured. The Colonial Pipeline incident echoes the attack on the Post Rock Rural Water District in Ellsworth County, Kansas, in which a former employee remotely accessed one of the district’s computers on Wednesday, March 27, 2019, and shut down its cleaning and disinfecting processes. A larger-scale incident occurred on Friday, February 5, 2021, when an intruder remotely accessed an operator’s computer at the water treatment plant in Oldsmar, Florida, and attempted to raise the level of sodium hydroxide in the water to a dangerous concentration. The change was caught and reversed by an operator, but the attack could have had devastating consequences had it gone unnoticed, as the plant serves about 15,000 people. The intrusion is often described as a TeamViewer problem, but the advisories published after the incident point to how the remote-access tool was deployed rather than to a flaw in the software: it was reachable from the internet and protected by a password shared across the plant’s computers. The lesson is to inventory, restrict, and monitor third-party remote-access software, not only to keep it updated.
Point 4 - What is being done to address the cyberattack?
Days after the attack, President Biden signed an executive order on Wednesday, May 12, 2021, aimed at improving national cybersecurity and protecting federal government networks. The order includes removing barriers to information-sharing between IT service providers and the government, establishing baseline security standards for software sold to the government, and creating a Cyber Safety Review Board. The Biden-Harris Administration also launched an “all-of-government effort” to get fuel to affected areas. Shortly after Colonial Pipeline’s roughly $5 million payment became public, the Federal Bureau of Investigation (FBI) reiterated its advice that ransomware victims should not pay, as payment emboldens cybercriminals and encourages others to take up ransomware. The success of this attack will likely inspire more ransomware and other financially motivated cyberattacks; attackers are already demanding increasingly large ransoms, and this incident will likely boost their confidence and lead to more aggressive campaigns.
To defend against ransomware, organizations should routinely monitor their networks and devices and strengthen passwords and authentication, in particular by requiring multi-factor authentication (MFA) on every remote access path. The most common initial access vectors for ransomware are phishing emails, unauthorized remote access through exposed or poorly secured remote access services such as RDP, and unpatched or insecure software. These threats can be mitigated by training staff to recognize suspicious emails, by keeping remote access services off the public internet or behind a VPN with MFA and alerting on remote logons from unexpected sources, and by keeping IT systems and software up to date.
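The infiltration hypothesis in Point 1 (purchased credentials for remote desktop access) and the mitigation advice in Point 4 (monitor the network and secure remote access) both come down to watching interactive remote logons. The Python script below is an added example, not part of the original report or of any vendor product: it scans a constructed, simplified rendering of Windows Security events 4625 (failed logon) and 4624 (successful logon) and flags a successful RDP-style logon (LogonType 10) that either follows a burst of failures from the same source within a short window, which is what a bought-and-tested credential typically leaves behind, or originates outside the assumed corporate address ranges. The log format, field names, user names, thresholds, and internal ranges are all assumptions made for the example.

```python
"""Flag suspicious remote-interactive logons in Windows Security events.

Added example (constructed, not from the original report). The input is a
simplified one-line-per-event rendering of Event ID 4624/4625 fields; the
format, field names, user names, thresholds and internal ranges are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: three failed RDP logons followed by a success from an
# outside address (the trace a tested, purchased credential would leave),
# normal internal RDP use, a network logon, and an internal account used
# over RDP from an unexpected outside address.
SAMPLE_LOG = """\
2021-05-06T22:01:03Z id=4625 type=10 user=jsmith src=203.0.113.45
2021-05-06T22:01:09Z id=4625 type=10 user=jsmith src=203.0.113.45
2021-05-06T22:01:15Z id=4625 type=10 user=jsmith src=203.0.113.45
2021-05-06T22:01:22Z id=4624 type=10 user=jsmith src=203.0.113.45
2021-05-06T22:05:00Z id=4624 type=10 user=ops_admin src=10.20.30.40
2021-05-06T22:07:41Z id=4624 type=3 user=svc_backup src=10.20.30.41
2021-05-06T23:10:00Z id=4624 type=10 user=ops_admin src=198.51.100.7
"""

REMOTE_INTERACTIVE = 10         # LogonType 10 = RDP / RemoteInteractive
FAIL_THRESHOLD = 3              # failures from one source before a success is suspicious
WINDOW = timedelta(minutes=10)  # how long a failure counts toward the threshold
# Assumed corporate address space; a real deployment uses its own inventory.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Parse 'ts id=... type=... user=... src=...' into a dict of typed fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(rec["id"]),
        "type": int(rec["type"]),
        "user": rec["user"],
        "src": rec["src"],
    }


def is_internal(src):
    """True when the source address falls inside the assumed corporate ranges."""
    addr = ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return (reason, user, src) findings for suspicious remote-interactive logons."""
    findings = []
    failures = defaultdict(deque)  # src -> timestamps of recent 4625 events

    def trim(q, now):
        # Drop failures older than WINDOW so stale noise does not trigger alerts.
        while q and now - q[0] > WINDOW:
            q.popleft()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        q = failures[ev["src"]]
        trim(q, ev["ts"])
        if ev["id"] == 4625:
            q.append(ev["ts"])
            continue
        if ev["id"] != 4624 or ev["type"] != REMOTE_INTERACTIVE:
            continue  # only RDP-style interactive logons are in scope here
        if len(q) >= FAIL_THRESHOLD:
            findings.append(("success_after_failures", ev["user"], ev["src"]))
        if not is_internal(ev["src"]):
            findings.append(("rdp_from_outside", ev["user"], ev["src"]))
    return findings


if __name__ == "__main__":
    for reason, user, src in detect(SAMPLE_LOG):
        print(f"{reason}: user={user} src={src}")
```

Run as a script, it prints the findings for the embedded sample: the jsmith logon is flagged twice (failures then success, and from outside the internal ranges) and the later ops_admin logon once (outside the internal ranges). In a real environment the records would come from Windows Event Forwarding or a SIEM, the internal ranges would be the organization's own, and a hit would be triaged against VPN and MFA logs rather than acted on alone; the window and threshold are starting points to tune against the site's normal failed-logon rate.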
________________________________________________________________________ The Counterterrorism Group (CTG)
Colonial Pipeline Hacker DarkSide Says It Will Shut Operations, The Wall Street Journal, May 2021, https://www.wsj.com/articles/web-site-of-darkside-hacking-group-linked-to-colonial-pipeline-attack-is-down-11621001688
Russia-linked Cyberattack on US Fuel Pipeline is 'Criminal Act,' Biden Says, VOA News, May 2021, https://www.voanews.com/economy-business/russia-linked-cyberattack-us-fuel-pipeline-criminal-act-biden-says
Colonial Pipeline Paid Roughly $5 Million in Ransom to Hackers, The New York Times, May 2021, https://www.nytimes.com/2021/05/13/us/politics/biden-colonial-pipeline-ransomware.html
Number of ransomware attacks grew by more than 150%, Help Net Security, March 2021, https://www.helpnetsecurity.com/2021/03/08/ransomware-attacks-grew-2020/
Shining a Light on DARKSIDE Ransomware Operations, FireEye, May 2021, https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
Colonial Pipeline Ransomware Attack: What We Know So Far, Digital Shadows, May 2021, https://www.digitalshadows.com/blog-and-research/colonial-pipeline-ransomware-attack/
Gas grows hard to find in U.S. south as pipeline hack bites, BNN Bloomberg, May 2021, https://www.bnnbloomberg.ca/gas-stations-run-dry-as-pipeline-races-to-recover-from-hacking-1.1602085
U.S. Department of Transportation’s Federal Motor Carrier Administration Issues Temporary Hours of Service Exemption in Response to the Unanticipated Shutdown of the Colonial Pipeline, U.S. Department of Transportation, May 2021, https://www.transportation.gov/briefing-room/us-department-transportations-federal-motor-carrier-administration-issues-temporary
Colonial Pipeline fiasco foreshadows impact of Biden energy policy, Fox Business, May 2021, https://www.foxbusiness.com/markets/colonial-pipeline-fiasco-foreshadows-impact-of-biden-energy-policy
Colonial Pipeline back to “normal operations” following ransomware attack, KTLA, May 2021, https://ktla.com/news/nationworld/colonial-pipeline-back-to-normal-operations-following-ransomware-attack/
Colonial Pipeline cyberattack reveals economic impact of ransomware, Barracuda Blog, May 2021, https://blog.barracuda.com/2021/05/12/colonial-pipeline-cyberattack-reveals-economic-impact-of-ransomware/
U.S. gas stations still shut, prices at 7-yr high in slow recovery from cyberattack, Reuters, May 2021, https://www.reuters.com/business/energy/us-gasoline-prices-climb-even-colonial-reopens-after-hack-2021-05-17/
Effects of Car Pollutants on the Environment, Sciencing, March 2018, https://sciencing.com/effects-car-pollutants-environment-23581.html
FACT SHEET: President Biden Sets 2030 Greenhouse Gas Pollution Reduction Target Aimed at Creating Good-Paying Union Jobs and Securing U.S. Leadership on Clean Energy Technologies, The White House, April 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/22/fact-sheet-president-biden-sets-2030-greenhouse-gas-pollution-reduction-target-aimed-at-creating-good-paying-union-jobs-and-securing-u-s-leadership-on-clean-energy-technologies/
Cyberattack on U.S. Department of Energy a 'grave threat', DW, December 2020, https://www.dw.com/en/cyberattack-on-us-department-of-energy-a-grave-threat/a-55981368
Feds say man broke into public water system and shut down safety processes, Ars Technica, April 2021, https://arstechnica.com/information-technology/2021/04/man-indicted-for-allegedly-tampering-with-computer-at-public-water-plant/
IOTW: A Thwarted Poisoning Attempt In A Small Florida County Serves As A Warning To Municipalities Across The Country, Cyber Security Hub, February 2021, https://www-cshub-com.cdn.ampproject.org/c/s/www.cshub.com/attacks/articles/iotw-a-thwarted-poisoning-attempt-in-a-small-florida-county-serves-as-a-warning-to-municipalities-across-the-country/amp
FACT SHEET: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks, The White House, May 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/
FACT SHEET: The Biden-Harris Administration Has Launched an All-of-Government Effort to Address Colonial Pipeline Incident, The White House, May 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/11/fact-sheet-the-biden-harris-administration-has-launched-an-all-of-government-effort-to-address-colonial-pipeline-incident/
Colonial Pipeline Paid the Ransom. Bad Move., Bloomberg Opinion, May 2021, https://www.bloomberg.com/opinion/articles/2021-05-14/colonial-pipeline-hack-whatever-you-do-don-t-pay-the-ransom
Top 3 Attack Vectors Ransomware Loves to Exploit, Digital Defense, n.d., https://www.digitaldefense.com/blog/top-3-attack-vectors-ransomware-loves-to-exploit/