
Colonial Pipeline disconnects operational technology systems to contain the ransomware threat

Dive brief:

  • The Biden administration, led by the Department of Energy, is working with Colonial Pipeline officials to shore up fuel supplies to critical East Coast markets facing soaring gasoline prices and fuel shortages as a result of last week’s ransomware attack.

  • The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert on Tuesday with additional information on the techniques used by DarkSide, as well as steps critical infrastructure providers can take to protect their systems against ransomware attacks.
  • Colonial Pipeline said it disconnected its OT systems to protect them from the DarkSide ransomware that had been deployed on its IT infrastructure. There is no indication that the attackers were able to move laterally into OT systems, the FBI and CISA said.

Dive overview:

Security researchers have warned that the DarkSide attack on Colonial may be only a precursor to criminal and nation-state campaigns targeting sensitive facilities in the United States.

The attack on Colonial Pipeline is a foretaste of future attacks on critical infrastructure targets, Grant Geyer, chief product officer at Claroty, said in a statement.

“As cybercriminals and foreign adversaries seek opportunities for financial gain and power projection, our national critical infrastructure is an easy target,” Geyer said. “Industrial environments operate with an infrastructure that typically maintains outdated technology that cannot be patched, and personnel that are often not as cybersecurity savvy as they should be to keep attackers at bay.”

Pipelines operate in highly distributed environments, which makes them particularly vulnerable, because the tools used to enable remote connectivity are designed for easy access rather than for security, Geyer said.

The FBI has provided indicators of compromise and mitigation information to critical infrastructure companies since the attack, according to the White House. The FBI confirmed that it issued a TLP:GREEN flash alert, intended for security officials and private sector partners, but that level of detail has not been released publicly, a spokesperson said.

According to the alert, DarkSide actors gained initial access to victim networks through phishing and the exploitation of remotely accessible accounts and systems, as well as virtual desktop infrastructure (VDI). The attackers were observed using Remote Desktop Protocol (RDP) to maintain persistence within victim systems, according to the joint FBI/CISA alert released Tuesday evening.

DarkSide uses Tor (The Onion Router) and Cobalt Strike for command and control, according to the alert.
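The two behaviors the alert names that leave the clearest network and host traces are RDP used for persistence and Tor used for command and control. Below is an added example, written for this page and not code from the FBI/CISA alert or from Colonial Pipeline, that runs simple detection logic over constructed log lines: successful Windows RDP logons (Event ID 4624, logon type 10) from addresses outside the organization's own internal ranges, and outbound flows to a known Tor relay address or to Tor's default relay ports (9001 ORPort, 9030 DirPort). The internal address ranges, the relay list and every log line are assumptions made up for the example; in production the relay list would come from a published Tor relay feed, and the internal ranges from your own address plan. Cobalt Strike beacon detection is deliberately left out, because it depends on profile-specific indicators the alert summary on this page does not provide.

```python
"""Toy detections for two DarkSide behaviors from the joint FBI/CISA alert:
RDP logons used for persistence, and Tor used for command and control.

Every log line, address range and relay address below is CONSTRUCTED for this
example. None of it is real Colonial Pipeline data or an official indicator.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the organization's internal address plan (RFC 1918 here).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: a threat-intel list of Tor relay IPs. In production, load this
# from a published relay list rather than hard-coding it.
TOR_RELAYS = {"198.51.100.77", "192.0.2.200"}
TOR_DEFAULT_PORTS = {9001, 9030}  # Tor default ORPort and DirPort

# Constructed Windows Security event summaries. 4624 = successful logon,
# 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
WIN_LOGONS = [
    "4624 LogonType=10 User=svc_backup Src=203.0.113.45",
    "4624 LogonType=10 User=jdoe Src=10.20.5.17",
    "4624 LogonType=2 User=jdoe Src=-",
    "4624 LogonType=10 User=svc_backup Src=203.0.113.45",
    "4624 LogonType=10 User=admin Src=198.51.100.9",
    "4625 LogonType=10 User=admin Src=198.51.100.9",
]

# Constructed firewall/NetFlow records: "proto src dst dport".
FLOWS = [
    "tcp 10.20.5.17 203.0.113.80 443",
    "tcp 10.20.5.40 198.51.100.77 9001",
    "tcp 10.20.5.40 198.51.100.77 9001",
    "tcp 10.20.5.40 192.0.2.200 9030",
    "tcp 10.20.5.12 10.20.9.9 445",
]

LOGON_RE = re.compile(
    r"^(?P<eid>\d+) LogonType=(?P<ltype>\d+) User=(?P<user>\S+) Src=(?P<src>\S+)$"
)


def is_internal(addr_text):
    """True if addr_text parses as an IP inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:  # e.g. "-" for local logons with no network source
        return False
    return any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(lines):
    """Count successful RDP logons (4624, type 10) whose source is not internal.

    Returns {(user, src): count}. Repeated logons from one external address
    are the pattern to look at when RDP is being used for persistence.
    """
    hits = Counter()
    for line in lines:
        m = LOGON_RE.match(line)
        if not m or m["eid"] != "4624" or m["ltype"] != "10":
            continue
        if m["src"] == "-" or is_internal(m["src"]):
            continue
        hits[(m["user"], m["src"])] += 1
    return dict(hits)


def suspected_tor_c2(flows, relays=TOR_RELAYS, ports=TOR_DEFAULT_PORTS):
    """Return sorted (src, dst, dport) for flows to a known relay or default Tor port."""
    findings = set()
    for rec in flows:
        _proto, src, dst, dport = rec.split()
        dport = int(dport)
        if dst in relays or dport in ports:
            findings.add((src, dst, dport))
    return sorted(findings)


if __name__ == "__main__":
    for (user, src), n in external_rdp_logons(WIN_LOGONS).items():
        print(f"external RDP logon: user={user} src={src} count={n}")
    for src, dst, dport in suspected_tor_c2(FLOWS):
        print(f"possible Tor C2: {src} -> {dst}:{dport}")
```

The RDP check deliberately ignores failed logons (4625) so that it reports only sessions an attacker actually obtained; brute-force attempts are a separate detection. Matching on Tor's default ports alone will miss relays configured on 443 or other ports, which is why the relay-address match is the stronger of the two signals and should be fed from a current relay list.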

The Colonial attack illustrates a growing level of anxiety among corporate security officials about the potential impact of ransomware on critical infrastructure providers, said Bryson Bort, founder and CEO of Scythe.

“It hits everyone,” he said. “And it hurts. I have already, in the last four months, received tons of questions and interest from security officials [who] are all like, ‘What should I do about ransomware?’ ‘How can I even test for this?’”

Colonial Pipeline expects to resume normal operations by the end of the week and has stepped up efforts to deliver fuel to markets that are experiencing supply shortages and to markets that are not served by other delivery systems, according to a company update.

The governors of Florida, Georgia, Virginia and North Carolina declared a state of emergency as gas stations began to run out of fuel and some long-haul commercial airline flights made temporary refueling stops.

Since going offline, Colonial has delivered 967,000 barrels to various delivery points in its markets, including Atlanta; Baltimore; Woodbury and Linden, New Jersey; Belton and Spartanburg, South Carolina; and Charlotte and Greensboro, North Carolina.