Pipeline Ransomware Attack

Those of you on the East Coast have my sympathy. Your gas prices (when you can even get it) are going to be through the roof. Here's a good article on what happened and what's currently being done.
https://www.npr.org/2021/05/10/995405459...al-u-s-pipeline

It attack isn't at all surprising. Similar ransomware attacks have shut down hospitals and even cities. It's one more thing you need to keep in mind. My brother used to be in charge of the IT security for a powerplant up in Alaska and he said back eight years ago they were attacked multiple times per day. I'm sure it's even worse now.
-Blast

Please note that while I work in this field I am not involved in this investigation in any way; all I know about the attack is what's been reported publicly.

Historically, most nation-state threat actors do not use ransomware. Almost all ransomware threat actors are financially motivated. If this attack were targeted at the pipeline company, I would have expected the attacker to take measures to be sure to get paid, rather than shut down the pipeline.

Based on what I know so far, I don't think that this specific threat actor is particularly low or high in sophistication. A low sophistication threat actor would have had challenges attacking these systems. A high sophistication threat actor would be attacking financial systems, or similar activity that has a higher percentage of success.

In other words, the threat actor probably regrets this attack due to not getting paid for success and due to the extra attention they will receive from law enforcement and private entities that work on attribution.

Seems the attackers didn't shut down the pipeline, but was shutdown as a "precautionary measure".

It seems Colonial's automatic invoicing system has been affected. So they can't invoice their clients.

https://zetter.substack.com/p/biden-declares-state-of-emergency

I have been reading Brian Kreb's blog for years due to the in-depth and knowledge he has on many different types of security issues. His latest post is on the Colonial Pipeline ransomware attack and is a very good (and long) read.

https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/#more-55529

Krebs is freaking awesome.

It appears Colonial's website is fubar. Throwing 502s and also advertising it's using a 3 year old version of nginx. *facepalm*

Yes, I imagine being reclassified from "criminal nuisance" to "terrorist actor" could introduce all sorts of pesky complications into one's business plan.

Story update

https://www.bloomberg.com/news/articles/...llion-in-ransom

Seems Colonial paid $5 million ransom.

Well, that will certainly discourage future attacks.

Good article, thank you Ren.

With regard to paying ransoms, I personally oppose it.

Many companies don't have a comprehensive incident response plan, one that goes beyond IT to include Legal, Public Relations, other internal stakeholders, and external stakeholders like business partners and law enforcement. In these events, companies are learning as they go. Often those lessons are quite a bit more painful without a plan.

I don't know about the victim in this case, but if we suppose for the sake of the argument that they had an excellent plan including all relevant stakeholders, I imagine their thinking could have gone like this:

• We're losing $BIGNUM per hour
• The ransom will save us way more money than it will cost
• We're obligated to our shareholders to stop the losses

Barring a Board of Directors policy forbidding the payment of ransom, the executive leadership of the victim company may very well feel legally compelled to pay it to preserve shareholder value.

Well said, Chaos. I wonder if it's becoming a cost of doing business, akin to settling petty lawsuits instead of fighting them in court. I think ransomware insurance is also available now, and that becomes part of the calculation.

Does seem to be on the rise, or it's just getting more widely reported.

The DC Metropolitan police were prepared to pay $100,000 to prevent officer's records being released publicly.

https://arstechnica.com/gadgets/2021/05/...c-police-stall/

Ransomware has gone from “it isn’t a concern” to being highly visible at the Board of Directors level.

One more useful tidbit about the Colonial Pipeline case; it’s been reported on Twitter (I am choosing to not link to that platform) that it was the billing system that was hit with ransomware.

I wonder why companies don't:

(1) Take everything offline
(2) Restore from backups
(3) Bring up networks internally only
(4) Fix security flaws
(5) Carefully open minimal external networking
(6) Monitor, monitor, monitor
(7) Reevaluate if they need such a large online presence
(8) Implement an online presence that it isolated from your internal infrastructure and databases

If you have to pay ransom, that would imply you don't have a good backup strategy in place.

Your list is excellent, haertig.

Based on public sources, it appeared that the victim in this case had good backups. Restoring backups can be very time-consuming. Ransomware operators in general are also stealing data and threatening to release it if the ransom isn’t paid.

Addressing specific points from your list:

1) Networks are borderless more often than not. Most employers would struggle badly here in keeping employees in the field productive without remote access to the network. Going all VPN might not be a big difference to how things operate now, assuming that sufficient VPN capacity exists to try this. This was even more critical during the office shutdowns brought on by the pandemic.

2) Backup tech has gotten a lot better, so we won’t be digging through a mountain of tapes to get everything back. Keeping remote workstation backups recent is far easier.

4) This is INCREDIBLY hard for most organizations. They don’t have the capacity to see where known security vulnerabilities are or to patch them in a reasonable timeframe. There’s an entire industry around outsourcing this critical, fundamental task, and most of the vendors I see who do this for other companies are terrible or worse.

6) The skillset to implement monitoring tools is hard to find; hiring and keeping the people to do the monitoring effectively is very expensive. There’s an entire industry around outsourcing this critical, fundamental task, but unlike in (4) there are some services that are extremely good here. But it’s very expensive.

7) Much of the online presence that is customer-facing is cloud based or otherwise outsourced for many companies. It’s keeping their knowledge workers productive that produces most of the network requirements in many organizations.

8) For sure.

I meant those as a sequence of steps to remedy the current problem. e.g., "(1) Take everything offline" is a limited duration step to allow restoring from backups and fixing of security flaws before going back online in step "(5) Carefully open minimal external networking".

"Take everything offline" (permanently!) would be a very good security precaution, but totally unworkable in today's world. Employees should remotely accesses company infrastructure via VPN at a minimum, with customers accessing only what customers need to access in a totally isolated area (cloud instances, or whatever). Customers may need to see their accounts, but you don't implement that by giving them access to your internal billing database. Even if you have roles and security defined (which you should,for employees), you still don't give customers the chance to even touch your internal infrastructure. It is certainly easier and more convenient to do so, but there goes your security if you travel down that path.

It's quite a demonstration of a companies incompetence. Critical infrastructure should be expected to hold up against state actors. Never mind some group trying to make a buck.

Guess they got access pretty easily, much like the Florida water plant attack awhile back. The plant was running a remote desktop server (team viewer IIRC) on the machine that also had the software to control the amount of which chemicals were added to the water.

Bruce Schneier

Is 85% of US Critical Infrastructure in Private Hands?

https://www.schneier.com/blog/archives/2...vate-hands.html

Big update on the reported threat actor for the Colonial Pipeline attack: https://krebsonsecurity.com/2021/05/dark...n-stash-seized/

Oh, what a tangled web we weave ...

I apologize for not being clear; I did understand your meaning.

For many organizations, it's safe to say that they do not believe that they can do this without suffering catastrophic financial losses, losses far greater than those caused directly by the ransomware attack. Whether or not that's actually true is a different story. The reputational hit that comes from a shutdown can also be perceived as being too expensive.

"(2) Restore from backups"
Not a sure thing. One of my colleagues got hit, and evidently the ransomware was injected months before the attack, so the backup was infected also.

Certainly the quicker you discover a problem, the more likely you are to be able to fix it. Different backup strategies can help. For example, my backups are automated. I keep daily snapshots for six computers on my backup server. Those rollover and are replaced with newer backups when the disks get full. Currently I have a bit less than a years worth of daily file backups for each computer available. And half a years worth of monthly image backups for the Windows computers (I don't do image backups for the Linux ones). This is a more sophisticated backup system than most people have at home.