On May 7th, 2021, the Colonial Pipeline fell victim to a large-scale cyberattack. This resulted in the shutdown of several gas pipelines for days. Computer systems were breached, allowing the hackers to deploy ransomware, effectively locking the company out of its own systems. In order to contain the breach, Colonial's IT teams shut down the entire pipeline. The hackers demanded a payment of 75 Bitcoin (approximately $5 million at the time) to give back control of the systems, a ransom that was quickly paid.
While the FBI and other law enforcement agencies continue to investigate the incident, it is important to understand what happened and the far-reaching impact of this event. This will help companies and cybersecurity experts be better prepared for incidents of this kind in the future, and hopefully prompt changes that will leave America (and other countries) less vulnerable to this type of attack.
Timeline of the Attack
As you might expect, while the malware attack was discovered and the pipeline shut down on May 7th, the actual intrusion took place before that. According to reports, the hackers breached the company's systems on May 6th and stole approximately 100 gigabytes of data. This is likely also when they placed the malware onto the systems, allowing it time to propagate as needed.
On the 7th, the malware revealed itself by locking the company out of the systems used to manage the pipeline. When this was discovered, technical teams from the Colonial Pipeline Company quickly reacted by halting all operations. This was done to help prevent the malware from spreading further and to make sure that no physical damage to the pipeline systems occurred while they were trying to recover.
Payment of the Ransom
It was later learned that the ransomware demanded a payment of 75 Bitcoin in order to unlock the systems. Colonial reportedly paid this ransom within a few hours of the attack taking place. Since the only way to get past a ransomware attack without paying the hackers is to do a full restore from backup, paying the demanded ransom is quite common.
Once a payment is made, hackers almost always provide the software or keys needed to restore the victim's systems. This is a common practice among ransomware operators, since it dramatically increases the chances that companies will pay the ransom. In this case, the hackers did provide the decryption tool needed to bring the company's systems back online.
Restoring the Pipeline
While the company did get what it needed to restore operations very quickly, it took its time in bringing everything back online. This is because teams needed to make sure that all components of the malware were properly removed and that no other malicious software remained that would cause problems in the future. It is almost certain that the cybersecurity teams working with Colonial also implemented a much-improved security strategy at this time.
Restoration was completed by May 12th, when the pipeline was brought back online.
Fallout from the Pipeline Shutdown
While this was a devastating attack for Colonial, it also revealed some major vulnerabilities to the economy and overall infrastructure of the United States. Having one major pipeline that is used to transport gas and jet fuel shut down for less than a week caused gas shortages in many states. Even many areas that were not directly impacted had runs on gas stations, resulting in a widespread impact.
Many experts blame the fact that in recent decades supply chains have been so heavily optimized that even a brief disruption can cause immediate shortages. The downside of the remarkable efficiency of the gas supply chain was illustrated clearly by this event, but the same vulnerabilities exist in just about every industry.
If something disrupts the supply of any essential product (gas, iron, food, etc.), the impact will be felt by millions of people throughout the country right away. Since redundancy and stocking excess inventory of any of these items have been regarded as wasteful for years, companies do not have a way to quickly recover from these types of events.
Suspects in the Case
Shortly after the hack was revealed to the public, reports began circulating that this was an attack that came from Russia. Russia has long been a hotbed of cybercriminal activity, which made this a very reasonable accusation. President Joe Biden quickly came out saying that there was no evidence to support the claims that Russia was responsible for this attack.
After its initial investigation, the FBI reported that it believed the well-known hacking group "DarkSide" was responsible for the attack. DarkSide is a large group of hackers that experts believe to be based in Russia or an Eastern European country. Despite the fact that this group is likely based out of Russia, it is not known to be state sponsored.
Of course, whenever dealing with this type of criminal activity, it is extremely difficult to know which groups operate independently, and which ones are government sponsored. Even those that are not directly supported by governments are often tolerated by the local governments because their actions are beneficial to them.
DarkSide is one of the better-known hacking groups. Since, at least on the surface, they are a for-profit group, their wares can frequently be found on the dark web. Information they have stolen is sold to different individuals and groups, and many people believe they can even be hired to perform specific tasks. As with any type of hacking, however, it is notoriously difficult to accurately differentiate between actual members of the group and those who simply claim to be part of it to boost their credibility.
In addition to the $5 million worth of Bitcoin that the company paid out to the hackers, this incident had tremendous downstream costs. Countless hours were spent by cybersecurity experts to help recover the company's systems, many people were directly impacted by the fact that gas was not flowing through the pipeline, and it was a major economic hit. In the hardest-hit areas, people were unable to get the gas they needed for work, recreation, and more. It is nearly impossible to estimate the total cost of a major ransomware attack like this.
As the gas shortages became evident, President Biden warned gas stations and others that price gouging would not be tolerated. In addition, a bipartisan group of legislators introduced a bill aimed at helping to strengthen security for the nation's pipelines. This bill, if passed, will require the Transportation Security Administration (TSA) to develop a strategy for pipeline security, which would also be funded.
These are just the first few steps that the government is taking in response to this hack. It is likely that in the coming weeks and months other pieces of legislation will be proposed and passed with the intent of better protecting the country's infrastructure.
In addition to taking steps to directly protect systems from this type of hack, many cybersecurity experts also hope that a greater focus will be given to fighting cybercriminals directly. This would require dedicated teams to better monitor the dark web and be able to take action to disrupt their activities or even fight back against them.
This is definitely a situation that anyone interested in cybersecurity will want to follow closely for months to come.