Colonial Pipeline Ransomware Attack

OT-ISAC WHITE - Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.


Issue Date: 10-05-2021 | TLP: WHITE | Alert ID: 20210510-02


Overview of Incident


On 7th May 2021 (Friday), Colonial Pipeline reported that it was the victim of a ransomware attack, which led it to take certain systems offline to contain the threat and proactively halt all pipeline operations. The suspension of pipeline operations impacted multiple states across the U.S. East Coast, including Alabama, Arkansas, the District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia.


Colonial Pipeline operates 5,500 miles of pipelines that carry fuel from refineries on the Gulf Coast to customers in the southern and eastern United States, transporting 2.5 million barrels a day, or 45 percent of the East Coast's supply of diesel, gasoline and jet fuel.


Multiple sources have confirmed that the ransomware attack was carried out by a cyber-criminal gang called DarkSide, which infiltrated Colonial's network and took almost 100GB of data hostage.


Colonial has engaged FireEye to investigate the nature and scope of the incident and is in contact with law enforcement and other federal agencies, including the Department of Energy. The company is developing a system restart plan for its main pipeline; the smaller lateral lines between terminals and delivery points are currently operational.


Timeline of Events

  • 7 May – Ransomware operators infiltrate Colonial’s network

  • 8 May – Colonial releases first media update on the ransomware attack

  • 9 May – Colonial releases second media update on the ransomware attack

  • 9 May – U.S. government issues Regional Emergency Declaration 2021-002 - 05-09-2021, which grants relief from Parts 390 through 399 of Title 49 of the Code of Federal Regulations


Impact of Pipeline Shutdown

Colonial Pipeline serves critical industries and services in multiple states, including several airports: Atlanta's Hartsfield-Jackson; Nashville, Tenn.; Baltimore-Washington; and Charlotte and Raleigh-Durham, N.C. Depending on the duration of the shutdown, some smaller airports may face jet fuel shortages within the week. The closure of the main pipelines may also result in a rise in gasoline prices.


In response to the cyber incident, the US government issued emergency legislation (Regional Emergency Declaration 2021-002-05-09-2021) which grants a temporary hours-of-service exemption to those transporting gasoline, diesel, jet fuel and other refined petroleum products to the 18 affected states. This is expected to ease some supply shortages but is insufficient to mitigate the impacts of the pipeline disruption.


Ransomware Attacks on the Rise

Ransomware attacks on industrial organizations and critical services are on the rise. In 2020, OT-ISAC tracked over 450 ransomware incidents that impacted organizations across the aviation, energy, government, healthcare, manufacturing, maritime, transportation and water sectors; the majority of these incidents were in the manufacturing sector. Ransomware operators continue to evolve their tactics, techniques, and procedures in 2021, exploiting the latest vulnerabilities (e.g., the MS Exchange Server zero-day vulnerabilities disclosed in March 2021) and leveraging the high-profile clients of suppliers and vendors to make ransom demands more effective (as in the case of Apple supplier Quanta).

Key Recommendations

  • Patch critical vulnerabilities to mitigate risk of exploitation and initial access. Apply mitigating controls in cases where patching is not possible. Ensure your systems are updated with the latest security patches.

  • Enforce monitoring of privileged accounts, including lockout after a specified number of failed attempts, logging of login attempts, and detection of suspicious account behavior.

  • Apply multi-factor authentication (MFA) to privileged accounts.

  • Implement cybersecurity user awareness and training program to help staff identify and report suspicious activity.

  • Educate employees on the common vectors for phishing, which is the most common source of ransomware.

  • Conduct organization-wide phishing tests to periodically gauge staff’s awareness and reinforce the importance of identifying potentially malicious emails.

  • Deploy endpoint detection and response (EDR) tools to ensure that any attempts at exploitation are quarantined before any damage can be done.

  • Block indicators of post-exploitation frameworks, such as the default Cobalt Strike SSL certificates, to prevent lateral movement and command and control.

  • Have a data backup and recovery plan in place for all mission-critical information, and keep the most critical information stored in isolation from the network. Regularly test these backups to ensure they function correctly and to gauge their performance in the event of a real crisis.
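As an added example that is not part of the OT-ISAC advisory, the following Python script implements the privileged-account monitoring recommended above: it parses constructed, hypothetical authentication log lines, applies a failed-login lockout threshold within a sliding time window, and flags a successful login that follows a lockout. The key=value log format, the account names and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical key=value format; not real incident data).
SAMPLE_LOG = """\
2021-01-15T02:10:01 host=jump01 user=svc_backup result=FAIL src=10.0.5.23
2021-01-15T02:10:04 host=jump01 user=svc_backup result=FAIL src=10.0.5.23
2021-01-15T02:10:07 host=jump01 user=svc_backup result=FAIL src=10.0.5.23
2021-01-15T02:10:11 host=jump01 user=svc_backup result=FAIL src=10.0.5.23
2021-01-15T02:10:15 host=jump01 user=svc_backup result=FAIL src=10.0.5.23
2021-01-15T02:10:19 host=jump01 user=svc_backup result=OK src=10.0.5.23
2021-01-15T08:00:00 host=jump01 user=alice result=FAIL src=10.0.1.5
"""

PRIVILEGED = {"svc_backup", "domain_admin"}  # assumed privileged account names
THRESHOLD = 5                                # failed attempts before lockout
WINDOW = timedelta(minutes=10)               # sliding window for counting failures

def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def analyze(log_text):
    """Return (kind, user, timestamp) alerts; a success after lockout is flagged for review."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of failures inside WINDOW
    locked = set()
    for line in filter(None, log_text.splitlines()):
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        if user not in PRIVILEGED:
            continue  # non-privileged accounts are out of scope for this rule
        recent = failures[user]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()  # expire failures older than the window
        if rec["result"] == "FAIL":
            recent.append(ts)
            if len(recent) >= THRESHOLD and user not in locked:
                locked.add(user)
                alerts.append(("LOCKOUT", user, ts))
        elif rec["result"] == "OK" and user in locked:
            alerts.append(("SUCCESS_AFTER_LOCKOUT", user, ts))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```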


Open-Source Intelligence References

About OT-ISAC

Operational Technology Information Sharing and Analysis Center (OT-ISAC) is a secure threat information sharing community for Operational Technology asset owners and operators headquartered in Asia Pacific. A member company can securely and anonymously share threat information with OT-ISAC analysts who further enrich and disseminate actionable alerts, intelligence and best practices for all community members to defend themselves and take mitigating action against malicious actors, their tools, and system exploits.


OT-ISAC also partners with government, private vendors and other information sharing organisations to acquire and disseminate timely and relevant information for the resilience of member companies.


Interested organisations in energy, water, and other OT-using sectors may contact AJ Eserjose to inquire about membership: aeserjose@grf.org. Learn more on Twitter and LinkedIn, or visit www.otisac.org.