Oil and Ransomware Don’t Mix
June 21, 2021
By Rahul Mahna and Richard Stepler
On May 7, 2021, a massive ransomware attack led to the shutdown of the Colonial Pipeline fuel systems. On a daily basis, the pipeline carries approximately 100 million gallons of refined gasoline products, predominantly throughout the East Coast, and supplies approximately 45% of all gasoline products for that same region. The attack was so damaging that it took almost five days for the pipeline to get back online, causing massive shortages throughout many states. The disruption was felt across the country as gas carrier trucks were diverted to assist with the shortages, and panic ensued as people started hoarding gas through various “creative” means.
DarkSide, an Eastern Europe-based group, claimed responsibility. DarkSide is a software company that develops ransomware. They provide this software as a service to their clients, who in turn use it to extort money from companies. The people who deploy the software do not have to be technically savvy; rather, they use their nefarious skills to get company employees to “click” on something that contains the malicious payload. As is generally stated, the software that DarkSide delivers is classified as a “double extortion” style of ransomware. As in the Pipeline case, the operators generally first extract all the computer data and threaten to release it if the ransom is not paid. Then, as a second incentive to ensure their ransom gets paid, they use the software to lock the computers.
As one can imagine, this was a very complicated cyber attack that caused significant damage to the country and its supply chain, as well as a financial impact on Colonial Pipeline. It has been estimated they paid millions of dollars in cryptocurrency to be released from the ransomware operated by DarkSide. At this time, it remains unclear exactly how the initial penetration occurred, but early indications show it was due to a user account that was not deleted when the employee left the organization; the credentials for that account were later found on the dark web. Multi-factor authentication was not in place, and this ‘doorway’ was then exploited in a well-orchestrated and organized breach.
Government agencies have taken an active role in response to this cyber attack, with recent news indicating that part of the ransom paid was recovered. In what appears to be an additional rapid response by the government, President Joe Biden issued a 34-page executive order for improving cybersecurity protocols when dealing with government agencies. The executive order sets very aggressive timelines, goals and checklist items to accomplish. To help create the governance, it calls on the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) to create a new level of software and cloud protocols to be adhered to. These standards should help create enhanced security protocols for every government agency and for how each operates in a more secure manner.
Cybersecurity has clearly come into the spotlight; agencies are enforcing regulations to help stop the spread of the destruction that attacks like this cause. While regulations continue to improve, there are some strong steps your organization can take now to set the foundation for a strong cybersecurity program. Basic ideas include:
- Multi-Factor Authentication – This security step adds a second verification to ensure the person requesting access is in fact that person. It is a small extra step in operations that creates a massive increase in cyber hygiene.
- Patching – The simplest thing can create the most powerful results. Keeping all systems up-to-date with the latest security and software updates from the manufacturer is essential.
- Assessments – Using a framework like NIST’s is a tremendous way to check how the current IT setup is running and where gaps may have opened up that need to be addressed.
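The breach described above came down to an account that outlived its employee and had no MFA. As an added illustration (not code from the original article or from Colonial Pipeline), the following script runs that check over a constructed directory export; the field names, the sample accounts and the 90-day stale threshold are assumptions chosen for the example.

```python
from datetime import date, timedelta

# Constructed sample directory export (not real data), one record per account.
# 'left' is the employee's separation date (None if still employed),
# 'last_login' is the last successful sign-in, 'mfa' is whether MFA is enrolled.
ACCOUNTS = [
    {"user": "alice",   "enabled": True,  "left": None,              "last_login": date(2021, 6, 18), "mfa": True},
    {"user": "bob",     "enabled": True,  "left": date(2021, 1, 15), "last_login": date(2021, 1, 14), "mfa": False},
    {"user": "carol",   "enabled": True,  "left": None,              "last_login": date(2020, 11, 2), "mfa": False},
    {"user": "dave",    "enabled": False, "left": date(2020, 9, 30), "last_login": date(2020, 9, 29), "mfa": False},
    {"user": "vpn-svc", "enabled": True,  "left": None,              "last_login": None,              "mfa": False},
]

# Assumed audit date for the constructed data.
AS_OF = date(2021, 6, 21)


def audit_accounts(accounts, today, stale_days=90):
    """Return (user, finding) pairs for every enabled account that matches the
    risk pattern from the article: still enabled after the employee left,
    enabled without MFA, or enabled but unused for at least stale_days."""
    findings = []
    cutoff = today - timedelta(days=stale_days)
    for a in accounts:
        if not a["enabled"]:
            continue  # a disabled account cannot be used to sign in
        if a["left"] is not None:
            findings.append((a["user"], "enabled after separation on %s" % a["left"]))
        if not a["mfa"]:
            findings.append((a["user"], "no MFA enrolled"))
        if a["last_login"] is None or a["last_login"] < cutoff:
            findings.append((a["user"], "no login in the last %d days" % stale_days))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, AS_OF):
        print("%-8s %s" % (user, finding))
```

Any account that shows up under "enabled after separation" should be disabled the same day it is flagged; the other two findings are the MFA and dormancy gaps the article's first recommendation is meant to close.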
Although cybersecurity can be daunting, it is an essential part of keeping any organization operating. Supply chain and infrastructure organizations have been feeling this pressure for some time, and it appears it will continue to increase, since the more severe the impact an attacker can cause, the higher the ransom they can command. It is also possible that the publicity of this event will lead to an increase in attacks against supply chain vendors. Following guidelines set by the government and working with established organizations that consult on cybersecurity threats is essential to operating an organization in the most secure manner possible.