Last Updated on June 9, 2021 by Admin
In one article, I highlighted the rise of ransomware attacks around the world and cited Colonial Pipeline hacking as one of the classical examples. In this article, we explore how the attackers managed to pull off one of the biggest ransomware attacks and how authorities responded.
The ransomware attack
In early May 2021, Colonial Pipelines was hit by a ransomware attack and was forced to shut down about 5500 miles of pipelines delivering gas to U.S. East coast.
The company posted this statement on their website when the attack took place:
“On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”
A ransomware strain called Darkside, named after the attackers, was used to compromise Colonial Pipeline and investigations by Cybereason reveal that it was mainly used against English-speaking countries while avoiding former Soviet-bloc nations.
Developers of the ransomware used an affiliate program to spread the malware, while they were responsible for handling payments and maintaining the ransomware.
How did these attackers breach the security?
Joseph Blount, the Chief Executive of Colonial Pipeline Company, revealed to the media that hackers breached the system via a VPN that was no longer in use.
The hackers got hold of login credentials and managed to infiltrate the company’s system.
There was no multi-factor authentication to provide security to the VPN network and this contributed to easy access by unauthorized users.
Further digging showed that the password used to gain access to the VPN was inside a batch of stolen passwords found on the Dark Web.
Most likely an employee reused the same password with multiple accounts on the web.
Good cyber hygiene practices are essential to protect businesses and individuals from common cyberattacks.
After the attack, Colonial Pipeline Company quickly paid the ransom to the cybercriminals to avoid further damage, which could have been worse if they didn’t pay it.
The cybercrime syndicate, Darkside, also stole 100 Gb of data from Colonial Pipeline as an act of double extortion and this forced the company to shell out $4.4 million as ransom payment.
What have authorities done?
A security directive was issued by U.S. Transportation Security Administration on the 28th of May 2021.
In this directive, all pipeline operators are required to promptly report any cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours.
“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”
In addition, all facilities were mandated to submit assessment reports highlighting any cybersecurity gaps in their current practices within 30 days of the directive.
Recovery of the ransom
Colonial Pipeline Company paid a ransom of about 75 bitcoins (~$4.4 million dollars) and on the 7th of June 2021 the Department of U.S. Justice (DoJ) said it had recovered about 63.7 bitcoins (~$2.3 million dollars).
On May 14, a week after the attack, Darkside disbanded, indicating to their affiliates that a law enforcement entity had seized their servers and cryptocurrency stash.
The note passed to affiliates read:
“Starting from version one, we promised to speak about problems honestly and openly. A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the
- Payment server
- CDN servers
At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked.”
The DoJ followed the money trail left by the Darkside gang and this led to a specific Bitcoin address.
Using a private key (not clear how they got hold of it), the FBI managed to access the assets in the wallet linked to the address and recover part of the loot.
In a statement that should sent shock waves to cybercriminals, the FBI Deputy Director Paul Abbate said:
“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors. We will continue to use all of our available resources and leverage our domestic and international partnerships to disrupt ransomware attacks and protect our private sector partners and the American public.”
The recovered funds were reserved for affiliates, while the rest of the loot went to the Darkside gang.
To further protect companies and the public, DoJ formed the Ransomware and Digital Extortion Task Force to recover any funds stolen by cybercriminals.
Hopefully, Colonial Pipeline Company continues to be on the alert to prevent a similar incident.
Ransomware attacks can also occur to prominent individuals as long as attackers see a potential huge payday.
When you are using the internet, make sure you hide your identity and secure your data.
One of the ways to achieve this is by using a reliable VPN and we recommend the following:
NordVPN – Best for security (Editor’s Choice)
- 30-day money-back guarantee
- 68% off a 2-year plan
Surfshark VPN – Low cost VPN
- All standard features at a fraction of a cost
- 83% off a 2-year plan
- Strictly no logs policy
- No DNS leaks
CyberGhost VPN – User friendly VPN
- Widespread coverage
- Strong anonymity while browsing
- 83% off a 3-year plan
- 45-day money-back guarantee
Make sure you join our newsletter so that you don’t miss fresh cybersecurity updates. Share the article with your friends and leave comments below.