Politico | What you need to know about the US Colonial Pipeline hack
- Colonial Pipeline, which delivers about 45 per cent of the fuel for the US East Coast, shut down Friday after a ransomware attack
- Incident has shone a spotlight on the growing threat of digital extortion schemes
This story is published in a content partnership with POLITICO. It was originally reported by Eric Geller on politico.com on May 10, 2021.
The cyberattack that forced the shutdown of the US East Coast’s largest fuel pipeline has prompted fresh questions about the vulnerability of the country’s critical infrastructure to cyberattacks.
Here’s a rundown of how a criminal gang managed to infiltrate Colonial’s systems and why the tool they used – ransomware – is such a persistent threat.
How did computer hackers shut down a pipeline?
On Friday, Colonial Pipeline said it learned that hackers had infected its computer networks with ransomware, malicious code used to seize control of computers and extract payments from victims. The breach affected Colonial’s business networks, which it uses for tasks such as managing payrolls and reporting data to regulators.
Colonial deactivated those systems, but it also shut off the much more sensitive technology that runs its pipeline operations – a precaution aimed at preventing the hackers from reaching it if they hadn’t already. These systems monitor the flow of gas for impurities and leaks, control power levels and perform other automated tasks to keep the pipeline running smoothly.
What exactly has been shut down?
Does this mean the price of petrol is going up?
The outage briefly pushed up wholesale gas prices in the financial markets in the affected region, but that rally briefly lost steam during trading on Monday. And while some petrol retailers may try to add a few pennies a gallon to the price at the pump, no reports emerged of shortages at the suppliers that serve those retail outlets.
Market analysts said the pipeline outage would need to last until at least the middle of the week to start to affect supplies in some areas of the Southeast, and that Houston’s refineries would not begin to reduce their output unless Colonial remained out of service until next week.
Overall, the US was sitting on 235 million barrels of petrol in storage, enough to supply the country for nearly a month. Still, retail petrol prices have been climbing steadily in recent weeks, and any jitters could accelerate the increase as the country approaches the Memorial Day weekend, which the industry sees as the start of the heavy-demand “summer driving season”.
How bad could this get?
It depends on whether the shutdown turns into a prolonged crisis for Colonial’s customers, which include busy airports and US military bases. Some customers may be able to buy fuel from foreign suppliers, but they will face more financial pressure the longer Colonial’s pipeline network remains offline.
What is ransomware, anyway?
Ransomware is software that hackers deploy to lock up victims’ data so they can’t access or use it – in the worst case, essentially shutting down entire companies or government offices. Then, the hackers demand a ransom payment in exchange for providing a digital key that will unlock the files.
Why aren’t pipelines and power plants better protected against ransomware?
The private companies that operate much of the United States’ critical infrastructure – its power plants, dams, natural gas pipelines and other vital facilities – have often neglected to implement government-recommended cybersecurity protocols.
While defending against foreign government hackers sometimes requires sophisticated technology that small critical infrastructure operators cannot afford, defending against ransomware does not. Using strong passwords, training employees not to click suspicious links and requiring workers to use multi-factor authentication – which involves typing in a randomly generated number after entering one’s password – can prevent all but the most advanced hacks, including ransomware. Despite years of warnings from government officials and cybersecurity experts, most companies outside the highly regulated financial sector have not taken many of these steps.
And even the organisations that try to take cybersecurity seriously can be foiled by small gaps. A long-overlooked back-office employee or an ancient computer in a closet is often the weak link that opens an organisation’s doors to hackers.
With so many companies leaving themselves easy targets, more cyber criminals have begun using ransomware to make money. By picking victims that they know cannot afford downtime, these criminals virtually guarantee themselves an easy profit. In addition, many ransomware operators have begun tapping into a secondary profit stream: reselling stolen data on the dark web, where sensitive personal information can fetch hefty sums.
Sitting in between victims and hackers is the burgeoning cryptocurrency ecosystem, which includes unscrupulous payment facilitators that are happy to process ransom transactions and stonewall law enforcement.
How often do victims pay the ransom?
The US government discourages ransomware victims from paying their attackers to regain access to their data. While some ransomware operators honour their agreements and unlock victims’ files to cultivate trust and increase their chances of receiving future ransom payments, many of these criminals simply take the money and disappear. Paying ransoms also encourages cyber criminals to continue their attacks.
“We recognise that victims of cyberattacks often face a very difficult situation, and they have to balance the cost-benefit when they have no choice with regard to paying a ransom,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology, told reporters Monday.
What is DarkSide, the group behind the attack?
The FBI has confirmed that the Colonial Pipeline hack was the work of the DarkSide ransomware gang. This group is a relatively new entrant into the ransomware ecosystem, but it is already known for its professionalism, patience and large ransom demands.
“So far, there is no evidence … from our intelligence people that Russia is involved,” Biden said Monday afternoon. Still, he added: “There’s evidence that the actor’s ransomware is in Russia. They have some responsibility to deal with this.”
Like other ransomware gangs, DarkSide operates on a model known as “ransomware-as-a-service”, in which it provides code to less sophisticated hackers and helps them conduct their intrusions in exchange for a cut of their profits.
“Our goal is to make money,” the statement said, “and not creating problems for society.”
What is the US government doing about it?
The White House has created a working group composed of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency; the Transportation Department’s Pipeline and Hazardous Materials Safety Administration; the FBI; and the departments of Energy, Treasury, and Defence.
Those agencies are working together to prepare for various scenarios if the pipeline remains shut down, including planning for shortages and higher gas prices.
What don’t we know?
Here are a few questions that remain unanswered:
– Is Colonial sure that the ransomware didn’t infect any of its operational technology – the computers that actually run its pipeline infrastructure – before it shut down its systems?
– Have the hackers demanded a ransom payment, and if so, has Colonial paid it?
– How effectively is the Biden administration, with several key cybersecurity positions still vacant, supporting Colonial in its recovery and supporting other affected energy companies in their damage-control efforts?
– How long will it take for Colonial to fully restore its pipeline operations?
– What long-term damage could the hack do to Colonial?
– Are other critical infrastructure operators upping their cybersecurity defences in the wake of the Colonial breach?
Read Politico’s story.