Out of Gas: Five Questions About the Colonial Pipeline Cyber Attack

July 8, 2020

Closed gas pumps. Long lines at the gas stations that are still open. Die-hard motorists forced to commute by mountain bike. And panic in the Facebook group of a circle of friends in Asheville, a medium-sized city of 100,000 inhabitants in the mountains of the US state of North Carolina. ‘Go get your gas!’ ‘Make sure you get gas quickly,’ said one of the friends. There was no gasoline in the entire city on Tuesday.

The ransomware attack on Colonial Pipeline, the largest US fuel pipeline operator, which handles nearly half of the fuel transport in the east of the country, is beginning to affect the daily lives of American citizens.

On Friday, Colonial Pipeline announced that hackers had broken into its computer systems. They reportedly took networks and corporate data hostage and demanded a ransom to give Colonial access to its information technology again. As a precaution, the company shut down its entire pipeline system, which halted, for example, the transport of fuel from Texas to the northeastern US.

Five questions about one of the largest ransomware attacks on critical infrastructure in the US to date.

1 What is America noticing?

Colonial Pipeline operates a network of 8,850 kilometers of pipelines that transport gasoline, diesel, kerosene and other refined products. The company transports 15 percent of the fuel consumed in the entire US. According to experts, 13,000 tanker trucks would be needed every day to take over the fuel transport from the blocked pipeline.

The Reuters news agency reported on Tuesday that the price of gasoline and diesel at the pump is at its highest level in three years. In some regions, motorists are already said to be hoarding. The American Automobile Association, the US counterpart of the Dutch ANWB, urges motorists not to do so.

Colonial Pipeline also supplies kerosene directly to seven airports in the southeastern US, which are now feeling the effects of the pipeline shutdown. American Airlines, one of the largest airlines in the US, decided to have its flights from Charlotte, North Carolina, to Honolulu and Boston make stops at airports en route to refuel.

The hacked company said on Monday that it expects most systems to be operational again “by the end of the week”.

2 Who are the perpetrators?

On Monday, the Reuters news agency already pointed to the hacker collective DarkSide, and on Tuesday the FBI confirmed that suspicion. According to the agency, these are Russian-speaking hackers. The malicious software used by the group is allegedly programmed not to attack computers with a Cyrillic keyboard layout. US President Joe Biden said on Monday that investigators had so far found no evidence that the Russian state was involved in the cyber attack. The Russian embassy in the US rejected any responsibility on Tuesday.

DarkSide, which first appeared in August last year, has previously stated that the group’s goal is to make money, “and not to cause problems in society.” Security experts say the group operates as a professional criminal organization. The collective reportedly does not use very advanced techniques, however.

If the group does not get its way, it could also resell the stolen databases to other cybercriminals, France’s AFP news agency reported. The group also reportedly threatens to publish the stolen data. According to French security experts, a group like DarkSide demands a ransom of between 200,000 and 2 million dollars (1.6 million euros).

DarkSide does not always carry out the cyber attacks itself. For two to three years now, many digital criminals have been working through a distributed model in which they purchase services from various ‘suppliers’.

The hackers also occasionally pose as digital Robin Hoods who steal from rich companies and give to the poor. The BBC reported in October that the group had donated $10,000 in bitcoin to the aid organization Children International. According to the BBC, the NGO then refused the “stolen money.”

3 How could they carry out the attack?

How the hackers penetrated Colonial Pipeline is not yet known. Experts point out that the pipeline company was attacked via unsecured remote access.

“The pandemic and mobility restrictions of the past year have prompted many organizations to enable remote access from home,” said Stefan van der Wal of the Dutch branch of US computer security company Barracuda. “But as we have seen with other security incidents on operational technology, many of the systems used for this are not properly secured.”

He emphasizes the importance of encryption of data, multi-factor authentication (not just a username and password) and limiting remote employees’ access so that they cannot log in to the entire system, but only to the part of the company network where they actually have work to do.

Furthermore, e-mail remains a weak link in a corporate network. Through ‘social engineering’, cleverly manipulating employees, someone quickly clicks on a link that can infect the PC (and the rest of the network). Think of emails with a link to join a video meeting, to collaborate on a shared document, or a track-and-trace message for an order.

4 Should you pay the perpetrators?

Ransomware attacks are a growing problem for businesses, governments and other organizations, not only in the US but also in the Netherlands and the rest of the Western world. Paying a ransom to regain access to networks and business-sensitive information is discouraged by law enforcement. The FBI emphasized this week that paying only encourages other perpetrators.

The Dutch digital police, the National Cyber Security Centre (NCSC), also says that it is better not to pay. Victims who have paid still appear to have great difficulty restoring all access and information. Moreover, you never know whether the perpetrators have left a back door open to break in again later.

A White House spokesman declined to say on Monday whether Colonial Pipeline has since paid a ransom. The company itself makes no statements about payments. Some experts see that as evidence that negotiations with the extortionists are under way.

5 What is the US government doing?

The White House is working on a plan to bolster US cyber defenses. This mainly comes down to more cooperation between companies and governments, and more international cooperation. “We urgently need to invest in the security of our critical infrastructure,” US President Biden said on Monday. The incident shows once again how vulnerable the US is in this regard, a White House spokesperson said. In recent months, governments in the US (at both higher and lower levels) have far more often been the victims of cybercriminals; the incidents now number in the dozens. The US energy regulator called on Monday for stricter security standards to be demanded of oil pipeline operators.