Ransomware Attack on Colonial Pipeline
There is an increasing trend of cybercriminals "kidnapping" data and holding it to ransom. This is achieved by encrypting stolen data and only releasing it after the extortionists' demands are met. Another component of this crime is threatening to publish the victims' sensitive data if they do not cooperate and pay the ransom.
A current example of this taking place in the USA is causing an international sensation, raising many social and political questions and clarifying how professionally cybercriminals carry out their illicit activities.
In May this year, a ransomware attack disrupted the fuel supply on the east coast of the USA. Although the systems that operate the pipeline itself were not affected, the company nevertheless shut it down on 7th May, 2021.
Colonial Pipeline is responsible for 45% of the fuel consumed in the region and transports 2.5 million barrels (400 million litres) of petrol, diesel and paraffin through its pipelines every day.
During the six-day pipeline shutdown, public sentiment was highly tense. The disruption in the supply chain caused more than 12,500 petrol stations to run out of fuel, according to the price comparison portal "Gasbuddy".
The capital, Washington D.C., was particularly hard hit by the shortage: at times, 88% of local petrol stations ran out of fuel. This shortage led to several instances of panic hoarding and culminated in many grotesque scenes. For example, people tried to hoard the scarce petrol by stuffing it into plastic bags, and pick-up trucks with tarpaulin-lined beds were used to transport fuel.1 In their desperation, people did not understand how dangerous this behaviour was. The Minister of Transport, Pete Buttigieg, had to issue a warning that fuel must only be filled directly into the tank or into approved containers. Even when the oil started flowing again, it took quite a while for the situation to calm down. Violent clashes sometimes broke out at the petrol pumps. Meanwhile, the price of a gallon of petrol rose to over three USD, a level reached across the board for the first time in seven years. Major companies, such as American Airlines, also suffered from the fuel shortage.2 As a result, the airline had to change travel routes to cope with the situation. The government declared a regional state of emergency.
How did this devastating situation come about? Reconstructing the events sheds light on the activities of the cybercriminals and their motives.
Hackers were able to gain access to Colonial Pipeline's network as early as 29th April through a "virtual private network account". This network allows Colonial employees to access the systems from outside, for example, when working from home. The account used by the hackers was no longer in use at the time of the attack but could still be used to gain access to the network. The password of this account has since been discovered in a bundle of leaked documents on the darknet.3 This suggests that one of Colonial's employees used the same password for another account that had previously been hacked.
The attack highlights the importance of having a strong and complex password. Read more about this in our blog article on creating secure passwords.
Whether the hackers actually gained access to Colonial's systems using the outdated and published password remains unclear.
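The two weaknesses described above, a remote-access account that was no longer in use but still enabled, and a password that had already appeared in a leak, are both things an identity team can check for routinely. The following script is an added example written for this article, not code from Colonial Pipeline or from any vendor. The account list, the passwords and the "leaked corpus" are all constructed; the hash-prefix lookup mirrors the range-query pattern that breach-lookup services use, so the full password hash never leaves the client.

```python
import hashlib
from datetime import date

def sha1_hex(s):
    return hashlib.sha1(s.encode()).hexdigest().upper()

# Constructed sample export of remote-access accounts (hypothetical users and
# passwords). SHA-1 is used only because leaked-credential corpora are usually
# published that way; it is not a suitable way to store passwords.
VPN_ACCOUNTS = [
    {"user": "contractor01", "enabled": True,  "last_login": date(2021, 1, 10), "pw_sha1": sha1_hex("Spring2020!")},
    {"user": "ops_admin",    "enabled": True,  "last_login": date(2021, 4, 28), "pw_sha1": sha1_hex("c0rrect-horse-battery-7Q")},
    {"user": "former_emp",   "enabled": False, "last_login": date(2020, 9, 1),  "pw_sha1": sha1_hex("Welcome1")},
]

# Constructed leaked-credential corpus, keyed by the first five hex characters of
# the hash, mirroring the range-query layout of k-anonymity breach lookup services.
LEAKED_BY_PREFIX = {}
for leaked_pw in ("Spring2020!", "Welcome1", "Password123"):
    h = sha1_hex(leaked_pw)
    LEAKED_BY_PREFIX.setdefault(h[:5], set()).add(h[5:])

def is_breached(pw_sha1):
    """Range-style check: only the 5-character prefix leaves the client; the
    suffix comparison happens locally against the returned bucket."""
    return pw_sha1[5:] in LEAKED_BY_PREFIX.get(pw_sha1[:5], set())

def audit(accounts, today, stale_after_days=90):
    """Return (user, finding) pairs for enabled-but-dormant accounts and for
    accounts whose password is present in the leaked corpus."""
    findings = []
    for a in accounts:
        dormant = (today - a["last_login"]).days > stale_after_days
        if a["enabled"] and dormant:
            findings.append((a["user"], "enabled but dormant: disable or re-enrol with MFA"))
        if is_breached(a["pw_sha1"]):
            findings.append((a["user"], "password present in leaked corpus: force reset"))
    return findings

def demo():
    # Run the audit as of the access date the article gives (29th April 2021).
    return audit(VPN_ACCOUNTS, date(2021, 4, 29))

if __name__ == "__main__":
    for user, finding in demo():
        print(f"{user}: {finding}")
```

The dormancy threshold and the 90-day window are assumptions; the point is that both checks are cheap to run on every export of the remote-access directory, and that a disabled account still surfaces when its password is known to be leaked, which matters if the account is ever re-enabled.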
On 7th May at around 5 a.m. local time, a ransom note appeared on Colonial's control room computers.
The hackers demanded 75 Bitcoins, one of the most popular cryptocurrencies, which equated to almost 5 million dollars at that time. In return, the data was to be decrypted and made usable again. After receiving this news, Colonial Pipeline's entire pipeline network was shut down for the first time in its 57-year history. The ransom, paid on 8th May, turned out to be of little use, as restoring from backups proved faster than using the decryption tool. Joseph Blount, head of the largest U.S. gasoline pipeline, authorised the transaction. He told the Wall Street Journal that his decision was highly controversial and did not come easily.
By the time the systems were brought back up on 12th May 2021, some 50,000 kilometres of the pipeline had been inspected for visible damage, and detection tools had been used to scan the operating systems for further access by the hackers. Nevertheless, no perpetrators could be found after this intensive search.
However, it quickly became clear that the criminal organisation "DarkSide" was behind the attack. They stole 100 gigabytes of sensitive data, which the hackers threatened to publish if the ransom was not paid.
Who are the people behind DarkSide, those responsible for this digital, predatory blackmail?
Several clues point to an Eastern European origin. For instance, the DarkSide malware spares those computers whose language is set to Russian. Geographically, the attacks never take place in the former Soviet Union, and in earlier attacks, cybersecurity experts were able to identify IP addresses in Russia. The nationality of the hackers matters insofar as it contributes to a strain on foreign policy. The White House does not believe that the Russian government was involved in the ransomware attack on Colonial Pipeline. Nevertheless, in a phone call between the superpower leaders in early July 2021, Biden called on Putin to take responsibility. Otherwise, the United States would "take whatever action is necessary to protect its people and its critical infrastructure in the face of this ongoing challenge". Putin countered with a warning not to politicise the issue.
But that has long since happened, at least domestically. The discourse between Republicans and Democrats has been reignited. The Republican opposition compared President Biden to Jimmy Carter, the incumbent president during the 1979 oil crisis. Still, civilian voices were also raised on Twitter blaming President Biden's policies for high petrol prices. Under the hashtag #BidensAmerica, many vented their anger.
But what are the methods behind the attack and the far-reaching consequences for the population and international politics? What are DarkSide's motives?
DarkSide offers ransomware, among other things, as a service, known in the industry as RaaS (Ransomware as a Service), which was also the case with Colonial Pipeline.4 They act extremely professionally and offer customer service and individualised code. The group focuses on financially strong victims. Their methods are sophisticated: the group tries to infiltrate a Windows computer via TOR. If this is successful, the access is disguised by deleting login records, so that it is never (or only later) possible to trace that unauthorised access has been gained. Subsequently, other computers in the system are infected, and file permissions are loosened so that the hackers can reach as many files as possible. Then, backups are deleted, and selected files are encrypted. They are only released after the ransom demand has been paid. If the victim refuses, the group threatens to publish the files.
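Each step in the chain just described (clearing login records, loosening permissions, deleting backups) leaves its own trace in Windows security logging, and none of them is conclusive on its own: administrators clear logs and change ACLs too. What distinguishes the ransomware precursor pattern is several of these appearing on the same host within a short window. The script below is an added example for this article, not code from DarkSide, Colonial or any product; the log lines are constructed in a simplified "time host id msg" export format, while the event IDs are the real Windows ones (1102: audit log cleared, 4688: process created, 4670: permissions on an object changed). The window sizes and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Colonial telemetry), simplified export
# format. WS-17 shows the full chain; FS-02 and SRV-01 show benign lookalikes.
SAMPLE_LOG = [
    "2021-05-06T22:01:10 host=WS-17 id=4624 msg=Logon Type 10 user=contractor01",
    "2021-05-06T22:04:33 host=WS-17 id=1102 msg=The audit log was cleared",
    "2021-05-06T22:06:02 host=WS-17 id=4688 msg=New Process: vssadmin.exe delete shadows /all /quiet",
    "2021-05-06T23:15:00 host=FS-02 id=4688 msg=New Process: backup.exe /verify",
    "2021-05-07T03:58:12 host=FS-02 id=4670 msg=Permissions on an object were changed: E:\\Backups",
    "2021-05-07T09:00:00 host=SRV-01 id=1102 msg=The audit log was cleared",
] + [
    f"2021-05-06T22:07:{s:02d} host=WS-17 id=4670 msg=Permissions on an object were changed: D:\\Share\\dir{s}"
    for s in range(6)
]

LINE_RE = re.compile(r"^(\S+) host=(\S+) id=(\d+) msg=(.*)$")
# Commands that destroy local recovery points (shadow copies, backup catalogue).
BACKUP_KILL = re.compile(
    r"vssadmin\S*\s+delete\s+shadows|wbadmin\S*\s+delete\s+catalog|shadowcopy\s+delete", re.I)

def parse(lines):
    """Turn export lines into (timestamp, host, event_id, message) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, eid, msg = m.groups()
            events.append((datetime.fromisoformat(ts), host, int(eid), msg))
    return events

def indicators(events, burst_threshold=5, burst_window=timedelta(minutes=5)):
    """Map host -> list of (time, indicator). Single ACL changes are ignored;
    only a burst of them within burst_window counts."""
    found = defaultdict(list)
    perm_changes = defaultdict(list)
    for ts, host, eid, msg in events:
        if eid in (1102, 104):                      # Security / System log cleared
            found[host].append((ts, "audit_log_cleared"))
        elif eid == 4688 and BACKUP_KILL.search(msg):
            found[host].append((ts, "shadow_copy_deletion"))
        elif eid == 4670:
            perm_changes[host].append(ts)
    for host, times in perm_changes.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= burst_window:
                j += 1
            if j - i >= burst_threshold:
                found[host].append((times[i], "acl_change_burst"))
                break
    return found

def alerts(events, chain_window=timedelta(hours=1), min_distinct=2):
    """Alert on a host only when at least min_distinct different indicators
    fall inside one chain_window; returns host -> sorted indicator names."""
    out = {}
    for host, inds in indicators(events).items():
        inds.sort()
        for t0, _ in inds:
            names = {n for t, n in inds if t0 <= t <= t0 + chain_window}
            if len(names) >= min_distinct:
                out[host] = sorted(names)
                break
    return out

def demo():
    return alerts(parse(SAMPLE_LOG))

if __name__ == "__main__":
    for host, names in demo().items():
        print(host, "->", ", ".join(names))
```

With the sample data only WS-17 fires, carrying all three indicators; SRV-01's lone log clear and FS-02's single permission change stay below the correlation threshold. Wiring this to a real SIEM means replacing `SAMPLE_LOG` with the actual event stream and tuning the thresholds against a baseline of normal administrative activity.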
Despite this profit-oriented criminal strategy, DarkSide says it follows a moral compass and does not attack critical infrastructures such as hospitals or schools. The hackers behind DarkSide recognised that their latest attack had far-reaching social and political consequences and issued a statement that sounded almost like an apology.5 In it, they describe themselves as apolitical and say it is futile to attribute them to a government. They also indicated that they were not aware of the attack on Colonial. They announced that they would show moderation and carefully examine every company that was to be encrypted by their clientele to avoid social consequences in the future. Their core statement was: "Our goal is to make money, not problems for society". On the contrary, DarkSide had repeatedly tried to donate part of its profit to charitable organisations. Whether there is generosity behind this or whether the group wants to stage itself as a modern Robin Hood remains speculation. In any case, most of the organisations refused to accept the questionable donation.
Meanwhile, in the case of the Colonial Pipeline, there has been a significant victory for law enforcement. The FBI managed to track and seize 63.7 Bitcoins.6 That cryptocurrency is anonymous is a common misconception. In fact, all transactions in the blockchain are public, and the FBI was able to use explorer software to determine which routes the ransom money took. They found that attempts were made to "launder" the Bitcoins by transferring them to many different wallets (the equivalent of bank accounts) and then transferring them on. Nevertheless, the equivalent of 2.3 million USD was found and seized in a single wallet.7 Officials were able to do this by gaining access to the wallet's private key and obtaining judicial approval through a federal court seizure warrant. It remains to be seen whether the whereabouts of the remaining ransom can be traced.
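The tracing described above rests on the fact that every transaction on the blockchain is public: an investigator can follow the ransom from its first address through each split and re-merge, and attribute a share of any later balance back to the origin. The script below is an added example for this article, not the FBI's tooling and not real chain data. The ledger is constructed: 75 coins are split across ten hop addresses, nine of them are merged again into a single wallet (the 63.7 figure from the text), and one is mixed with clean funds. Tainted value is propagated pro rata through each transaction; the "edges" record lets the route to any address be reconstructed.

```python
from collections import defaultdict, deque

# Constructed ledger (not real chain data). Transactions are in time order; each
# spends the listed amounts from input addresses and pays the listed outputs.
LEDGER = [
    {"txid": "t1", "in": {"ransom_addr": 75.0},
     "out": {f"hop{i}": 7.5 for i in range(10)}},
    {"txid": "t2", "in": {f"hop{i}": 7.5 for i in range(9)},
     "out": {"consolidation": 63.7, "change_x": 3.8}},
    {"txid": "t3", "in": {"hop9": 7.5, "clean_src": 2.5},
     "out": {"mixer_out": 10.0}},
]

def trace(ledger, origin, origin_amount):
    """Propagate 'taint' from the origin address pro rata through every
    transaction. Returns (tainted balance per address still holding funds,
    graph of tainted flows as {from_addr: {to_addr, ...}})."""
    balance = defaultdict(float, {origin: origin_amount})
    taint = defaultdict(float, {origin: origin_amount})
    edges = defaultdict(set)
    for tx in ledger:
        total_in = sum(tx["in"].values())
        tainted_in = 0.0
        for addr, amt in tx["in"].items():
            if balance[addr] <= 0:          # first sight of an outside address: clean funds
                balance[addr] = amt
            ratio = taint[addr] / balance[addr]
            tainted_in += amt * ratio
            balance[addr] -= amt
            taint[addr] -= amt * ratio
        fraction = tainted_in / total_in if total_in else 0.0
        for addr, amt in tx["out"].items():
            balance[addr] += amt
            taint[addr] += amt * fraction
            if fraction > 0:
                for src in tx["in"]:
                    edges[src].add(addr)
    holdings = {a: taint[a] for a in taint if balance[a] > 1e-9 and taint[a] > 1e-9}
    return holdings, edges

def route(edges, origin, target):
    """Breadth-first search for one path of tainted flows from origin to target."""
    prev = {origin: None}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in edges[cur]:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None

def demo():
    return trace(LEDGER, "ransom_addr", 75.0)

if __name__ == "__main__":
    holdings, edges = demo()
    for addr, amount in sorted(holdings.items()):
        print(f"{addr}: {amount:.2f} tainted, route {route(edges, 'ransom_addr', addr)}")
```

Pro-rata attribution is only one of several taint models; an investigator would also look at timing, address clustering and exchange deposit addresses, none of which are modelled here. What the example does show is that splitting across many wallets changes nothing about traceability: the 63.7 that was re-merged is still fully attributable to the ransom address.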
1 kurier.at/politik/ausland/usa-gewalt-und-hamsterkaeufe-an-den-zapfsaeulen/401380910
2 www.businessinsider.com/fbi-used-hackers-bitcoin-password-to-recover-colonial-pipeline-ransom-2021-6
3 www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside
4 www.handelsblatt.com/unternehmen/energie/hackerangriff-auf-colonial-pipeline-hacker-statement-nach-angriff-auf-us-pipeline-american-airlines-spuert-erste-auswirkungen-/27178694.html
5 edition.cnn.com/2021/06/07/politics/colonial-pipeline-ransomware-recovered/index.html
6 www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
7 www.bbc.com/news/business-57050690