FBI says Colonial Pipeline's network disruption was DarkSide ransomware handiwork

DarkSide ransomware

The Federal Bureau of Investigation (FBI) has confirmed that the DarkSide ransomware was responsible for the compromise of the Colonial Pipeline networks, which led the company to take certain systems offline to contain the threat. Colonial temporarily halted all pipeline operations, some of its IT systems were also affected, and the company is currently in the process of restoring them. 

“We continue to work with the company and our government partners on the investigation,” the federal agency said in a Monday statement. The FBI was notified of a network disruption at Colonial Pipeline on May 7 and has been working with the company and government partners since. 

“We have remained in contact with law enforcement and other federal agencies, including the Department of Energy who is leading the Federal Government response,” Colonial Pipeline said in its latest statement on the cybersecurity attack. 

The DarkSide ransomware operators published a statement on their dark web site stating that, “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives,” according to a Twitter message posted by Dmitry Smilyanets, a cyber threat intelligence expert from cybersecurity firm Recorded Future. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

DarkSide operators did not take responsibility for the Colonial Pipeline attack or publicly dump any data belonging to the company at the time of this report, threat analyst firm Intel471 wrote in a blog post. The operators of the DarkSide ransomware are known to be savvy, and launched their ransomware operation via a press release on their Tor domain last August. 

The developer of the DarkSide ransomware is said to have “debuted” the ransomware on the Russian-language hacker forum XSS in November, advertising that he was looking for partners in an attempt to adopt an affiliate “as-a-service” model, according to Intel 471. Soon after, the ransomware was linked to numerous attacks, including several incidents targeting manufacturers and law firms in Europe and the U.S.

Earlier this year, the DarkSide ransomware developer rolled out a number of new features in an effort to attract new affiliates. These included versions targeting both Microsoft Windows and Linux-based systems, enhanced encryption settings, a feature integrated directly into the management panel that let affiliates arrange calls meant to pressure victims into paying ransoms, and a way to launch distributed denial-of-service (DDoS) attacks against victims.

The popularity and increasing maturity of the ransomware-as-a-service model, combined with the aging systems that control energy infrastructure, is a compounding problem, according to Intel 471. 

As threat actors continue to observe ransomware’s operational success, more cybercriminals will likely want to get in on the action because of its thriving sub-industries and higher returns compared to other crimes. “It’s imperative that companies responsible for critical infrastructure understand that insecure systems present a juicy ransomware target to the cybercriminal underground, and proactive defenses will go a long way in preventing future incidents like what happened with Colonial Pipeline,” Intel 471 added.

Colonial Pipeline operates the largest refined products pipeline in the U.S., moving some 2.5 million barrels per day through its combined infrastructure. The shuttered portion of the pipeline, which connects 29 refineries and 267 distribution terminals, accounts for about 12 to 15 percent of daily oil capacity in the U.S. Gasoline and home heating oil prices are expected to rise, putting further stress on the sector. 

“A shutdown of this magnitude has the potential to net a negative economic impact all across the eastern seaboard, and it reiterates the need to safeguard our critical industrial systems,” Alex Bagwell, Tripwire’s vice president for industrial sales, wrote in a company blog post. 

“Within operational technology (OT) environments, such as those in oil and gas and other critical infrastructure, legacy equipment is frequently front-and-center. While these systems are old, they are reliable, and ensure the availability and safety coveted within industrial operations,” industrial cybersecurity company Claroty said in a blog post on Monday. 

As more OT networks and industrial control systems (ICS) are converged with IT systems and managed centrally, critical systems that were once air-gapped now have some exposure to the internet, according to Claroty. A vulnerable legacy Windows system overseeing industrial processes could therefore be reachable from outside the OT network if it is not configured properly or segmented from the business network.

“Further complicating matters is the fact that some of this obsolete technology can’t be patched, and all too often, this technology is maintained by staff that frequently are not as cyber-savvy as they need to be to keep attackers at bay,” the Claroty research team wrote in the post. “This leads to a situation where cybersecurity risk levels are below acceptable tolerances, and in some cases, organizations are blind to the risk.”

“While Colonial has been mostly transparent, it is still unclear how effective their incident response has been to date,” Ron Brash, Verve Industrial’s director of cybersecurity insights, wrote in a company blog post. “It may have been highly effective, with early detection providing enough warning to allow defenders to quickly disconnect IT and OT and prevent the spread of the ransomware into critical OT systems. Or they may have just been lucky that the malware did not bridge into OT. It’s too early to know for sure.”
