DarkSide's attack on Colonial Pipeline was the worst yet on US critical infrastructure, closing 5,500 miles of pipeline that supplies much of the East Coast's diesel, petrol, and jet fuel. The group said it didn’t mean to create problems and that its only goal was to make money – but regardless of intent, this big game hunt still bled into operations.
The supposedly Russia-based group sees itself as reputable and, like any good business, puts customers at the fore. It grants these customers (see: victims) access to a live chat where they can negotiate a deal or learn about its third-party payment providers, and employs registered “recovery” companies to help. It even has a press office that shares early casualty lists with journalists who prove their credentials.
The group’s tactics, techniques, and procedures (TTPs), however, are not revolutionary; they mimic those used by the now-retired Maze threat group and rely heavily on techniques such as valid accounts (MITRE T1078) and external remote services (MITRE T1133) for initial access. It’s thought the latter is how DarkSide penetrated Colonial, with the pandemic forcing more of the company’s employees to control systems via remote access.
There is also a Robin Hood complex present; DarkSide targets the rich exclusively and claims to share its earnings with the poor. The bounds of this generosity are unclear, but the group made at least two donations to charitable causes in 2020 (despite one beneficiary, Children International, refusing the gift).
DarkSide may operate ransomware as a service (RaaS) and pose as legitimate, but the group is as ruthless as any, escalating attacks on non-compliant businesses by leaking data and cozying up to the media. It has even said it would notify crooked traders of attacks in advance so they can short a company’s stock price.
DarkSide’s Colonial strike
The group’s strike on Colonial is now considered the worst cyberattack on US critical infrastructure. It shut down the country's biggest pipeline (running from Texas to New Jersey) causing fuel prices to climb and spreading fear across the country. This was the first time that Colonial had taken down an entire pipeline, and parts of the US were forced to declare a state of emergency.
While the pipeline was back up and running within a few days, Colonial’s systems remained offline. The company may have downed these to protect itself from secondary attacks or to prevent spillover from information technology (IT) to operational technology (OT). It also paid a $5 million ransom to the hackers just days after President Biden signed an executive order to strengthen US cyber defenses.
How DarkSide got a foothold on Colonial is unknown, but it likely gained access to computer systems through the administrative side of the business rather than operational – perhaps by phishing or purchasing account credentials for remote desktop software such as TeamViewer. Whether the group wanted to impact operational capacity and threaten thermostats, valves and pumps – regardless of its admission – is uncertain.
DarkSide’s rapid demise
Less than a week after the attack, and despite only emerging in 2020, DarkSide announced that it was ceasing to operate. The group reportedly lost access to its website and payment server after the attack, which suggests US law enforcement had seized its IT infrastructure. This followed President Biden’s insistence that the US would “pursue a measure to disrupt [its] ability to operate”. It’s worth noting, however, that such groups often resurface under a new guise down the line, so this is unlikely the end of DarkSide.
Cyberattacks on critical infrastructure
Critical infrastructure is now so connected – that is, online – that any cyberattack on a company’s IT network can spill over into operations. Computers control many of the devices used to run modern infrastructure, and these are connected to a central system, providing plenty of scope for bad actors to infiltrate a network and progress to more sensitive areas. This ability to harm critical infrastructure was seen as early as 2015 when hackers – again reportedly Russia-based – struck Ukraine’s power grid and left 230,000 residents in the dark.
Unlike cyberattacks concerned with data, attacks on critical infrastructure are likelier to target industrial control systems. Such attacks involving ransomware are on the rise, as companies are likely to pay to avoid severe operational disruption. A joint report and survey by Trend Micro and the Organization of American States, which includes feedback from government agencies and security professionals representing critical industries, found 54% of US critical infrastructure suppliers had seen attempts to control systems, while 40% had experienced attempts to shut down systems.
Another survey of security professionals working across utilities, energy, health, and transport in six countries, including the US and UK, found 90% had been hit by at least one successful attack. In 2019, Kudankulam Nuclear Power Plant was hacked using targeted malware, and that same year Israel announced two cyberattacks had been carried out against its water infrastructure. This is evidently a real, current, and persistent problem globally.
Preparing to respond
The rise in cyberattacks on critical infrastructure means business leaders must expect the worst. Governments can pressure organizations to not pay ransoms, but this will fail so long as penalties for data loss are so harsh. It also seems the US Government changed tack and sanctioned Colonial’s ransom payment, knowing that the alternative – the pipeline remaining shut – would have severe implications.
Ransomware is not going away, so it’s imperative that enterprises practice responding to crises regularly. Good general cybersecurity hygiene is a start, but organizations cannot thwart every attack; they must therefore be equally strong “right of boom”.
Ben Hockman, Immersive Labs’ Crisis Management and Response SME, says: “You can have the best cyber pros and hottest tech in the world, but this amounts to nil if just one employee slips up. You are only as strong as your weakest link, and that means that a cyber crisis can occur almost anywhere.
“In the case of critical infrastructure, with so much at stake, it’s crucial to continuously practice responding under pressure. In other words, to exercise. Like any skill, crisis response and management must be trained and tested regularly and under realistic conditions to be effective – it’s about muscle memory, especially when the pressure’s on. This is emphasized by the fact this incident has prompted an executive order which – if passed through Congress – will ultimately mandate better incident and crisis response planning.”
Cyber Crisis Simulator
Immersive Labs’ Cyber Crisis Simulator throws decision-makers into an emerging attack scenario, allowing them to experience how human psychology affects an evolving crisis and see the impact of decisions made under pressure. Our cyber crisis threat response scenarios create rich, realistic storylines that twist and turn based on the choices you make, and you can see the knock-on effects of decisions reflected in real-time indicators. The simulator also collates responses in an auto-generated report, including rating participants’ confidence and decision justifications.
Our latest scenario, Ransomware: Double Barrel, was inspired by the Colonial Pipeline hack. It drops crisis management teams into an emerging crisis at a fictional company, Patriot Pipeline, which has suffered a ransomware attack impacting critical infrastructure operations. The scenario tests any infrastructure or energy company's response to a major cyber breach and is designed for leadership members and deputies of both cyber incident management and executive crisis management teams. It challenges participants’ decision-making, situational awareness, and communications skills as well as their adherence to, and knowledge of, best practice incident response strategies and tactics.
To see this timely new scenario in action and take the first step to human cyber readiness, book a demo today.
20 May 2021