On May 6th, a single ransomware attack paralyzed the Colonial Pipeline, the lifeblood for oil for the entire east coast. Furthermore, in just a week, this attack has prompted an executive order from President Biden targeting national cybersecurity infrastructure, a new cybersecurity compliance law signed by Gov Greg Abbott, and the creation of a national Cyber Incident Review Board. In short, this incident was an abrupt reminder to elected officials and everyday citizens that cybersecurity is a matter of national security and deserves to be a focus.

So How Exactly Did the Colonial Pipeline Attack Happen?

To give some background, the Colonial Pipeline is one of the nation's most critical pipelines that runs 5500 miles from the Gulf Coast to terminals as far as New York. The pipeline provides an estimated 2.5 million barrels of oil a day, 45% of the total fuel going to the east coast. On May 6th, Colonia Pipeline made a public statement that they'd been the victim of a ransomware attack. In the statement, a spokesperson said that the attack "temporarily halted all pipeline operations and affected some of our IT systems." According to the BBC, over 100 gigabytes of data were taken hostage by a hacker group that reportedly locked the data on some computers and servers and threatened to leak it to the internet if the undisclosed ransom was not paid. This completely halted all pipeline operations and set off a series of gas shortages and price hikes throughout the southeastern U.S. Due to the severity of the attack. Colonial reportedly contacted the White House the same day for guidance on the situation.

At a White House media briefing on Monday, homeland security adviser Elizabeth Sherwood-Randall said that the Colonial Pipeline had shut down operations as a "precautionary measure to "ensure that ransomware could not transfer from business systems to those that control and operate the pipeline." While details surrounding how exactly the attack occurred are still unknown, experts speculated that the attack was likely helped by the coronavirus pandemic, with more systems engineers remotely accessing control systems for the pipeline from home. 

Reports emerged on Friday that Colonial Pipeline paid a 75 bitcoin ransom worth approximately 5 million dollars in an attempt to restore their systems. While the company has denied paying any ransom, experts claim it's highly likely that they did. As one expert from the Washington Post put it, "With such high stakes, it is no surprise that victims feel they have no option but to negotiate with their attackers. The vast majority of victims do not have cyber insurance and try to handle the situation on their own, experts said."

In another statement made by Elizabeth Sherwood-Randall, the White House domestic security adviser, "This weekend's events put the spotlight on the fact that our nation's critical infrastructure is largely owned and operated by private sector companies," said Elizabeth Sherwood-Randall, the White House domestic security adviser. "When those companies are attacked, they serve as the first line of defense, and we depend on the effectiveness of their defenses."

Who Was Responsible For the Attack?

Immediately after news of the event surfaced, the FBI announced that they had a suspect in mind. On Monday, the FBI confirmed in a brief statement that they believe a relatively new hacker group known as DarkSide was responsible for the ransomware attack. They also claimed that the FBI had been aware of and was investigating DarkSide since October 2020. 

In a briefing, President Biden went further to say that "There is a strong reason to believe that the actor's ransomware is in Russia, though "so far there is no evidence from our intelligence people that Russia is involved."

Shortly after the president's comments, DarkSide reportedly told its criminal partners that they had lost control of their computer servers and were shutting down. Many experts and U.S officials warned that this could be part of an "exit scam" to fool government agencies into thinking they were out of business, only to reappear at a later date with a different name.

At a more recent White House briefing, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, described the attack as "ransomware as a service variant" in which "criminal affiliates conduct attacks and then share proceeds with the ransomware's developers." This model has helped DarkSide rack up scores of victims beginning late last summer, ranging from oil field services companies to law firms to banks.

The Aftermath

Last Wednesday, Colonial Pipeline claimed that it had "initiated the restart of operations," implying that the ransomware threat had been dealt with. According to the New York Times, as of Wednesday, Colonial Pipeline was managing to deliver fuel to Georgia, Maryland, New Jersey, and North and South Carolina but was still in the process of recovering. Finally, in a tweet last Saturday, Colonial Pipeline claimed that the entire system had resumed normal operations delivering "100 million gallons of fuel  a day." While details surrounding how exactly Colonial Pipeline regained access to their systems are still unknown, the public will likely get more information once a formal investigation is conducted.

In the wake of the attack, both the oval office and state governments have taken several legislative steps to secure the United States infrastructure from similar attacks in the future. To read more about the specifics of Biden's cybersecurity executive order, Governor Abbot's cybersecurity compliance law, and more stay on the lookout for our official blog breakdown.

To learn more about how you can protect your SMB from ransomware, check out this post:

https://www.zeguro.com/blog/ransomware-on-the-rise-during-the-pandemic-what-to-know