A ransomware attack has taken down the largest gasoline pipeline in the USA – the Colonial Pipeline carrying 2.5 million barrels per day of gasoline and other refined fuels. The pipeline runs from refineries in Texas to destinations throughout the eastern USA. This is the biggest impact for a cyber attack on physical operations at a critical infrastructure in US history. Some reports attribute the attack to a criminal group called “DarkSide,” known for ransomware attacks. A recent report by Cyberreason estimates that the group has targeted well over 40 victims, with ransom demands ranging from $200,000 to $2 million USD per incident.
This attack on the Colonial pipeline is consistent with recent trends. In a recent survey of 2020 cyber incidents that impacted physical operations, Waterfall Security Solutions observed that all such attacks were targeted ransomware – ransomware that was deliberately planted using modern targeted attack techniques.
While next-level details of the pipeline attack have not yet been released, targeted attacks generally start with phishing or spear-phishing attacks designed to steal remote access credentials, or to activate malware. The malware may be embedded in emailed attachments or may be malicious downloads that victims are deceived into downloading and running. In all these cases, the planted malware is a RAT – a remote access trojan.
The malware connects to an Internet-based command and control center (C2) and the attackers use the C2 to remotely control the RAT. The attackers use the RAT to steal additional credentials and move through the victim’s network until they find valuable informational or operational assets. They generally steal copies of those assets and then encrypt everything they can reach.
The really bad news is that these targeted attack techniques – spear phishing, RATs, a C2 and manual operation of the RAT via the C2 – these techniques were used pretty much exclusively by nation-state attackers only 5-10 years ago. Criminal groups seem to be trailing nation-states by roughly a handful of years in their capabilities. This is bad. If this trend continues, we should expect criminal groups only a few years from now to be targeting us with attacks as sophisticated as the recent nation-state SolarWinds or Pulse VPN breaches.
The good news is that robust defenses against these kinds of attacks targeting critical infrastructures are absolutely do-able – that was the topic of my 2019 book Secure Operations Technology (SEC-OT). The book documents the security practices of the world’s most secure industrial sites.
The heart of the SEC-OT methodology is cataloguing information flows. Ransomware is cyber sabotage, and all cyber-sabotage attacks are information. The only way an industrial system can change from an un-sabotaged to a sabotaged state is for attack information to enter the industrial system through a cyber perimeter. That perimeter may be online – a firewall – or offline – a USB drive carried past security into the site. A comprehensive inventory of ways that information can enter an industrial system is also a comprehensive inventory of cyber sabotage attack vectors.
With such an inventory in hand, secure sites set about systematically controlling all of those information flows and attack vectors, preferably with physical, un-hackable security controls. These sites do use software security tools as well but see those tools as secondary security measures in a defense-in-depth posture, behind the primary, physical mitigations.
Targeted ransomware has emerged the most capable of today’s “commonplace” attacks. We should expect nation states to continue inventing more powerful kinds of attacks. We should expect ransomware groups to adopt nation-state techniques over a course of years. This means that we should all start looking to what today’s most secure industrial sites do to address these threats, as we seek to strengthen our own industrial security programs.
To this end, Waterfall continues to make the SEC-OT book available for free to qualified practitioners – please click here if you would like a copy.
Read Waterfall’s special coverage of the Colonial Pipeline cyber attack