Colonial Pipeline take-away for CISOs: Embrace the mandates

Many in mainstream media have characterized the DarkSide attack on Colonial Pipeline, which operates a significant portion of the nation’s critical energy infrastructure, as a wake-up call for CIOs and CISOs. If that is the case, then they are hard of hearing as this klaxon has been sounding for many years, as company after company fends off ransomware attacks.

A senior administration official, speaking on background, commented how “these incidents are a reminder that our adversaries will use multiple methods of attack, whether hunting for coding errors or compromising our supply chains to create opportunity.” The official continued how incidents such as the SolarWinds, Microsoft Exchange and the Colonial Pipeline attacks share commonalities. The first being, “a laissez-faire attitude toward cybersecurity.” The second being “poor software security and current market development of ‘build, sell, and maybe patch later.’”

The fallout from the attack is winding down with the company restarting operations the evening of May 12. Prior to the restart, the White House and the Cybersecurity and Infrastructure Security Agency (CISA) both issued updates and guidance for use by enterprises and small/medium businesses.

According to Bloomberg, $5 million in cryptocurrency was paid to the cybercriminal entity within hours of the attack, yet it still took Colonial days to bring their system online. Colonial in its most recent public statement makes no reference to having paid the ransom, focusing instead on assuring the markets that product was flowing and would be back to normal by end of day Thursday, May 13.

Colonial Pipeline

The morning of May 14, DarkSide allegedly began to experience “issues” that caused DarkSide to shutter its ransomware-as-a-service operations. It is reported that it lost access to the public portion of its infrastructure, which was followed by loss of access to its cryptocurrency wallets and payment server. It is further reported that other purveyors of ransomware-as-a-service have taken their offerings off Russian cybercrime forums. Before CISO’s take a sigh of relief that ransomware cybercriminals may have met their match, Intel471 cautioned, “A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants.” 

President Biden noted that there was no evidence that DarkSide was operating at the behest of the Russian government. That said, the fact that Russia allows them to act with impunity should be enough for all to realize that these actions are advancing the Russian agenda of fomenting chaos. There is a reason these criminal groups aren’t attacking Russia companies or government entities as to do so would remove their top cover which they currently enjoy. Even when indicted and global warrants issued, the individuals are not touchable by western law enforcement while they remain within the Russian Federation.

Update: The Department of Justice’s Ransomware and Digital Extortion Task Force, created to combat the growing number of ransomware and digital extortion attacks, successfully recovered 63.7 of the 75 bitcoins paid by Colonial Pipeline to DarkSide.The warrant for seizure was issued on June 7 and the acquisition of the bitcoins followed. The DOJ advises that they had the “private key” used by the cyber criminals to access the bitcoins, which made the seizure possible. Deputy Attorney General Lisa O. Monaco highlighted how the DOJ would continue to target the entire ransomware ecosystem and noted the importance of “early notification to law enforcement” when an entity falls victim to a ransomware attack.

Colonial was reportedly unprepared for an attack

Colonial is alleged to have had a weak IT infrastructure according to the AP. The AP reporter interviewed Robert F. Smallwood of iMerge Consulting, who conducted a comprehensive operational audit in 2018. Smallwood characterized the Colonial network security as severely deficient, “… an eighth-grader could have hacked into that system,” he told the AP.

Fast forward three years and we see that while Colonial may not have a CISO, it does have a CIO, Mary Mouchet, who has been in the seat since 2016, and a senior director of technology solutions Susan Adams, who was hired in late 2019. Smallwood claims the confidential report he provided to Colonial included recommendations, some of which he believed they had taken on board and implemented.

US government response to DarkSide attack

The White House briefed the media last week on the physical aspects of the disruption of fuel delivery and stores in the southeastern United States. On the technical side of the house, the FBI and CISA issued an alert (see below). The Department of Energy in conjunction with the FBI and CISA are working to ensure the Industrial Control Systems Cybersecurity initiative is available and in the hands of other operators of critical infrastructure so they to do not fall victim.

The evening of May 12 saw the President issue an Executive Order on Improving the Nation’s Cybersecurity. Much of the content of the EO pre-dates the Colonial compromise, given the depth of actions required and recommended. The primary areas of focus which should be absorbed by information security teams within the EO are:

• Remove barriers to threat information sharing between government and the private sector.
• Modernize and implement stronger cybersecurity standards in the federal government.
• Improve software supply chain security.
• Establish a cybersecurity safety review board.
• Create a standard playbook for responding to cyber incidents.
• Improve detection of cybersecurity incidents on federal government networks.
• Improve investigative and remediation capabilities.

Then on May 14 the takedown of DarkSide’s infrastructure occurred. This allegedly included their service provider cooperating with an unidentified law enforcement entity. Whether this was the long-arm of US justice reaching out remains to be seen. What one can be certain of is that the US intelligence community was tasked with dissecting DarkSide (and other’s) infrastructure and identifying the individuals behind this group. Furthermore, once identified one may expect the Department of Justice to pursue indictments and EO-14024 to be used to sanction the individuals and those who supported them. 

CISA alert AA-21-131

CISA’s robust advisory alert AA-21-131 provides to CISOs a plethora of resources and advice on how to prepare and successfully weather a ransomware attack that does not include paying the ransom to the cybercriminals. CISA notes that there is no indication that DarkSide penetrated or corrupted the operational technology networks, aka SCADA, and the compromise is limited to the information technology network. Both CISA and the FBI recommend against paying a ransom, as it emboldens the criminals to target additional organizations.

CISA and the FBI recommend that critical infrastructure owners take the following actions if they are victim of a ransomware attack:

• Isolate the infected system.
• Turn off other computers and devices.
• Secure your backups.
• Refer to AA-20-245A which is the CISA advisory on “Technical Approaches to Uncovering and Remediating Malicious Activity.”

CISA and the FBI recommend all owners of critical infrastructure immediately implement the following:

• Implement robust network segmentation between IT and OT (operational technology) networks.
• Organize OT assets into logical zones.
• Identify OT and IT network interdependencies and develop workarounds and manual controls.
• Regularly test manual controls.
• Implement regular data backups
  • Ensure backups are tested regularly
  • Store your backups separately
  • Maintain regularly updated “gold images” of critical systems in the event of a need to rebuild
  • Retain backup hardware
  • Store source code or executables
• Ensure user and process accounts are limited.

CISA’s recommended steps to prevent a successful ransomware attack include:

• Require multi-factor authentication.
• Create strong spam filters to prevent phishing emails.
• Implement training programs to emulate spear phishing.
• Filter network traffic, blocking known malicious IP addresses.
• Limit access to resources over networks.
• Regularly execute antivirus/antimalware scans.
• Implement unauthorized execution by:
  • Disabling scripts within Microsoft Office
  • Implementing application allowlisting to only allow systems to execute programs known and permitted by security policy
  • Monitoring or blocking inbound connections from TOR exit nodes or other anonymization services
  • Deploying signatures to detect or block Cobalt Strike servers and other exploitation tools

As the White House administration official noted, to continue the status quo of rushing from one incident to the next is unacceptable. CIOs and CISOs will be well served to embrace the mandates found within the executive order, while taking on board the CISA recommendations on being prepared to repel a ransomware attack.

Editor’s note: This article, originally published on May 17, 2021, has been updated to include news of the US government’s seizure of some of the ransom payment.