IT experts at the hacked Colonial Pipeline did a good job of mitigating the May 7 cyberattack and successfully stopped it, once it was discovered, by shutting down the network. But the attack was mostly invisible in the weeks-long initial stages, according to a briefing NTT Security executives conducted Tuesday.
“It’s very difficult to say what they could have done better because we will not be part of the investigation,” Bruce Snell, vice president of security strategy and transformation of the security division of NTT Security, told journalists invited to a briefing on the incident.
Colonial Pipeline reportedly paid the DarkSide ransomware-as-a-service (RaaS) criminal group close to $5 million in cryptocurrency to decrypt locked systems earlier this month. But cyber experts warn that more potential damage may still be festering undetected deep within the company’s network.
The May 7 cyberattack impacted the fuel shipping systems for close to a week. It forced Colonial Pipeline to temporarily close down its operations and freeze IT systems to isolate the infection.
While pipelines are now back in business, it will be days before normal service resumes. The fuel supply shortages so far have caused panic buying across some cities and fistfights among motorists waiting on gas station lines.
Security experts worry that DarkSide affiliates may also have embedded double-extortion tactics that will surface with more stolen documents and more network threats. A double extortion scheme may also involve further demands to pay additional ransom money to prevent stolen corporate files from being leaked.
“Over the past year or so we have started seeing a kind of double extortion going on where it is a kind of double dipping. Holding your information hostage, but then basically telling you now pay to delete the information that they have already extracted,” said Snell.
Three key takeaways from the attack struck Khiro Mishra, CEO at NTT Security.
Until now, ransomware and other cyberattacks on critical infrastructure, such as energy-sector pipelines or the electric grid, were different. They were presumed to have been motivated by nation-state actors, most with some geopolitical inspiration behind them.
“This was the first time we got to hear that this was financially motivated by a group of people who did not have any direct affiliation towards any nation state,” he said.
A second interesting aspect was the involvement of DarkSide. This group took responsibility for the hack. The hacker group developed a platform by bundling the technology and processes together. Then they made their expertise available to others to run similar apps or attack other organizations.
“That democratization of ransomware expertise is essentially pretty alarming, and the intensity and the volume of attack that we might witness may be a bit higher than what we have seen in the past because now, any other hacker could also access a platform by paying a small percentage of the ransom fee if they were successful,” he warned.
The third issue is the public safety factor. For most of the ransomware attacks, we look at things around critical infrastructure. We look at the design of the security model more from a confidentiality, integrity, and availability standpoint of the computer system.
“This gas pipeline or critical infrastructure hack has a very important aspect of safety to it. So when we look at future designs of security models, safety is going to take precedence in cases like that,” Mishra predicted.
Long, Sordid Growth
Ransomware attacks are nothing new. They happen all the time now and the fallout is typical, observed Azeem Aleem, vice president for consulting and head of UK and Ireland at NTT Security. Usually, people change passwords and monitor their credit reports for the next six to nine months when a network they use is infiltrated.
Aleem has been investigating ransomware attacks for the last 10 years. He found that much of its origin lies in attacks targeting online betting systems.
“The Russians were aiming for the online betting companies, and they were already utilizing the ransomware to bisect the company and also ask for ransom, so it has always been there,” he said.
Now ransomware is picking up more media news coverage because high profile victims are in the limelight. The production of ransomware is in two phases. One involves developers. The other involves affiliate developers.
In this case, a cybercriminal developer produced ransomware called DarkSide and released it into the affiliate market. Sometimes it is picked up by the affiliates, and then they are the ones that spread it around.
“So this model has been going on for ages, and that is why it is so difficult to mark the tactic or the kind of intelligence back to a certain group. Many people are involved in that process,” Aleem said.
Change of Fallout
This time, however, the fallout from the cyberattack is different. Snell suspects that the repercussions will extend to trust.
From a trust perspective, very large-scale breaches in the past at other industrial menus and manufacturers resulted in a drop in stock prices because of a lack of competence by the board or the investors, Snell explained.
“Colonial really should be paying attention to and looking out for other pieces of ransomware hiding out somewhere,” he suggested. “Researchers see a lot of advanced persistent threats that come in.”
The attacks will make their infiltration but then lie dormant for six or 12 months. He thinks that researchers have been able to isolate this one incident. But Colonial’s IT department needs to spend a lot more time looking around and seeing where else there may be trouble.
“If I were in Colonial’s boat right now, I would be going through everything with a fine-tooth comb to make sure that there is not still something hiding out there to kind of come around and bite them in another couple months,” said Snell.
Charting the Attack Vectors
The continuing forays into digital transformation are a potential contributing factor to cyberattack successes, warned the cybersecurity experts.
“We are seeing a lot of digital transformation, and this is one of that kind of double-edged sword,” Snell said.
Digital transformation is bringing process improvements, with greater efficiency and better reporting across the board on the operational technology (OT) side. But security teams are also seeing a lot of organizations opening themselves up for attacks, noted Snell.
Much of the pathway for the attack no doubt centered on exploiting known common vulnerabilities in network software. The attackers tried to breach the system through old mechanisms and vulnerabilities to escalate privileges.
Then they tried to do internal reconnaissance and lateral movement. The process is a race to succeed before the exposure time runs out. That is the interval between when the hacker enters the environment and when you find out, Snell explained.