On May 7, Colonial Pipeline, a fuel pipeline operator, and an integral part of the nation’s critical infrastructure suffered a ransomware attack which affected their operations. Colonial supplies 45% of the East Coast’s supply of diesel, gasoline, and jet fuel. On May 9, the US Department of Transportation issued an emergency declaration for the 17 affected states allowing the ground transport of gasoline, diesel, jet fuel, and other refined products. The cyber attack has been attributed by the FBI to cybercriminals known as the “DarkSide.”
The DarkSide, a Russian-speaking cybercriminal group, has cast a wide net in their attacks on commercial entities. Their doctrine is such that they do not operate against Russia or Russian speaking entities, suggesting a geographical link to the Russian Federation. In addition, they claim they will not support the targeting of “healthcare and vaccine distribution facilities, schools, public sector and non-profit.”
Reuters has reported that the hackers absconded with over 100 gigabytes of Colonial’s data and demanded a ransom be paid or the information would be published.
Israeli cybersecurity research entity, Kela, noted in March 2021 that DarkSide claimed to be operational against Windows and Linux systems. In addition, the cybercriminals operate their business both directly and through an affiliate program where they provide “ransomware as a service.” Successful affiliates receive between 10 and 25 percent of the paid ransom to DarkSide.
The fuel pipeline operator, in a statement, noted that they were taking their four mainlines moving fuel offline. In addition, they said they were working with third-party cybersecurity experts and the U.S. government, including law enforcement and the Department of Energy. They attest that they are taking additional, non-publicized, actions “to help further monitor and protect the safety and security of its pipeline” and is working on a restart plan.
Commerce Secretary Gina Raimondo said on “Face the Nation” how ransomware attacks are “becoming more frequent.” She continued how “It’s an all-hands-on-deck effort right now, and we are working closely with the company, state and local officials to make sure they get back up to normal operations as quickly as possible and there aren’t disruptions in supply.”
DiD Russia hand in the Cyber attack?
While attribution has pointed to the DarkSide group, there has been, as yet no confirmation that this attack is anything more than a cybercriminal activity. That said, there is no doubt that investigators are digging in and intelligence requirements are being led to determine if this is attack against the U.S. critical infrastructure was officially sanctioned by the Russian Federation and DarkSide provides a fig-leaf of plausible deniability.
U.S. intelligence noted in the 2021 Annual Threat Assessment how Russia had used energy as a foreign policy tool to coerce cooperation. The example provided took place in 2009 when Russia cut off gas flows to the Ukraine, including transit gas. The net effect? Ukraine and portions of Europe suffered a 13-day shortage. Furthermore, the assessment highlights how “Russia continues to target critical infrastructure, including … industrial control systems.”
As work proceeds to bring Colonial back online, the disruption to the east-coast fuel supply will begin to be noticeable as on-hand reserves begin to be drawn down. The American Automobile Association told Reuters that an outage lasting several days could have a significant impact on the southeastern United States fuel supplies.
Whether Colonial can reconstruct their cyber infrastructure and avoid paying a ransom or not is unknown. The company’s statement references only they are working on a restart plan. FSO’s would be well served to engage with their information technology teams to ensure they have in place a response plan so as not to be faced with a decision to “pay or not to pay a ransom” in the event they are subjected to a similar attack on their unclassified infrastructure.