A relatively unsophisticated ransomware attack that caused a days-long shutdown of America’s largest fuel pipeline last week — resulting in gas shortages, spiking prices and consumer panic — is exactly the sort of situation that cybersecurity experts have warned about for years.
And it could have been worse, said Nick Merrill, a researcher with the Center for Long-Term Cybersecurity at the UC Berkeley School of Information.
“The first thing that comes to my mind is: Thank God this wasn’t water,” Merrill said. “Unfortunately, it doesn’t surprise me that this happened.”
Other aging, critical utilities potentially at risk include electrical systems and nuclear power plants, Merrill said. And it’s not just physical infrastructure: the hack of tools such as point-of-sale software commonly used by small businesses could wreak havoc on the economy.
Experts are hoping the Colonial Pipeline hack — and the real-world impact it had on everyday Americans — will finally be a wake-up call for companies and governments to acknowledge these vulnerabilities and take action to address them. Similar targeted attacks are expected to become more frequent and, potentially, more damaging.
There are some signs that’s already happening. This week, shortly after the pipeline shutdown, US President Joe Biden signed an executive order aimed at strengthening the government’s cyber defenses.
But experts say companies should be doing more to avoid becoming the next target. Around 85% of critical US infrastructure and resources is owned by the private sector, according to the Department of Homeland Security.
Here’s what corporate America needs to know about these kinds of attacks and how to prevent them.
Who was behind the Colonial attack?
For years, it was generally believed that only a state-supported bad actor would be able to hack into and paralyze critical US infrastructure — and that such a thing was unlikely because doing so could be tantamount to declaring war.
But that’s not the case anymore. DarkSide, the criminal gang that the FBI has confirmed was behind the Colonial attack, isn’t believed to be state-backed.
Now, “a private group that was established in 2020 suddenly has the capability to stop the supply of gas,” said Lior Div, CEO of cybersecurity firm Cybereason.
What is DarkSide? Experts believe the criminal group is likely operating from Russia because its online communications are in Russian, and it preys on non-Russian speaking countries. Russian law enforcement typically leaves cybercriminal groups operating within the country alone, if their targets are elsewhere, Div said.
Cybersecurity experts say the group emerged in August 2020.
DarkSide runs what is effectively a “ransomware-as-a-service” business. It develops tools that help other criminal “affiliates” carry out ransomware attacks, wherein an organization’s data is stolen and its computers locked, so victims must pay to regain access to their network and prevent the release of sensitive information. When affiliates carry out an attack, DarkSide gets a cut of the profit. (In the Colonial case, it’s not clear whether the attack was from DarkSide or an affiliate.)
“It sounds a lot like a business, and ultimately, that’s because it is,” said Drew Schmitt, principal threat intelligence analyst at GuidePoint Security. “A lot of these ransomware groups have customer service, they have chat support … all of these different mechanisms that you would see in a normal business.”
After the Colonial shutdown, DarkSide said on its website that it is a “profit motivated” entity and not a political organization. And several experts said they don’t think DarkSide intended to cause such a debacle.
“Their business is to stay quiet and get paid and move onto the next target,” Div said, adding that sometimes hackers often don’t know who they’re attacking until they’re inside a network. “The last thing that they want is to see a briefing of the president of the United States talking about them.”
By Thursday, DarkSide’s website had been shut down, according to Jon DiMaggio, chief security officer at threat intelligence platform Analyst1. US law enforcement may have been involved in removing it, he said, because typically, ransomware groups typically would post a notice to their site and leave some of the stolen data up for a period of time before vanishing, in hopes of extorting victims out of additional money.
When happens when you are hit with ransomware?
Once a company has been hit by ransomware, its first course of action is usually to take much or all of its system offline to isolate the hackers’ access and make sure they can’t move into other parts of the network.
That may be among the reasons why Colonial shut down its pipeline — to disconnect the machines running the fuel line. People briefed on the matter told CNN that the company halted operations because its billing system was also compromised and feared they wouldn’t be able to determine how much to bill customers for fuel they received.
Experts generally encourage ransomware victims not to pay any ransom: “You’re basically funding those (criminal) groups,” Div said.
But a company’s ability to get back online without paying hackers may depend on whether it has protected backups of its data. In some cases, hackers can delete their target’s backups before locking its files, leaving the victim organization with no recourse.
Colonial Pipeline ended up paying DarkSide this week as it tried to get back up and running, sources told CNN. The group demanded nearly $5 million, but the sources did not say how much the company paid.
Similar ransomware incidents could range from anywhere in the hundreds of thousands of dollars to around $10 million, experts said.
What can be done to prevent it?
By now, organizations of all sizes should be using good “cybersecurity hygiene” — for example, requiring regular password changes by its employees and two-factor authentication. But even those best practices may not always be enough to keep a bad actor out of a network.
When it comes to ransomware, the best-case scenario is if organizations can catch hackers while they’re inside the network gathering data but before they’ve fully executed an attack and files are locked. Bad actors typically penetrate a network up to three weeks before a company gets a ransom notice, according to Analyst1’s DiMaggio.
He added that artificial intelligence tools could be helpful to companies in tracking users on the network and identifying suspicious behavior.
That’s how tools like Cybereason work — when the technology identifies a pattern of behavior consistent with a bad actor inside the network, it immediately removes that user’s access.
“Basically what we’re doing is proactive threat hunting,” Div, of Cybereason, said. “(You have to have) the mindset that you’re going to get breached and somebody will try to hit you with ransomware, so it’s helpful to have a research group that’s going after those (bad actors), understanding what they’re doing … and can be a step ahead of them constantly.”
Going forward, the US government could also play a greater role in helping to reduce the threat of ransomware attacks. For example, US officials could use diplomatic channels to encourage Russia and other countries to prosecute cybercriminal gangs, Merrill, of Berkeley, said.
This week, IBM CEO Arvind Krishna suggested that the US government create a “NASA-style program” to facilitate investment and public private partnerships in cybersecurity.
Government could play a larger role in coordinating an overall cybersecurity plan for businesses rather than letting each company go it alone, GuidePoint’s Schmitt said.
“Ultimately, cybersecurity should be addressed as one of the main concerns when we’re talking about critical infrastructure,” he said.