Expert Insights on Cybersecurity for Mid-Market Businesses | Managed XDR Blog

Detailing the Ransomware Attack That Shut Down a Major US Gas Pipeline

Written by Katie MacDonald | Jan 15, 2022 1:38:00 PM

The Colonial Pipeline has resumed operations following one of the most disruptive cyberattacks in U.S. history. The pipeline, which carries gas, diesel, and jet fuel, serves much of the South and nearly half of the East Coast’s fuel supply. The attack caused widespread gas shortages, rising prices, and long lines at gas stations as consumers scrambled to fill up. While the pipeline is back online, the incident highlights the vulnerability of critical infrastructure to ransomware attacks and the significant disruptions they can cause.

Ransomware Attack Forces Shutdown

Colonial Pipeline confirmed that a ransomware attack on its computer systems forced a shutdown of its 5,500 miles of pipeline. Company officials feared that cybercriminals had gained access to information that could allow them to attack various parts of the pipeline, leading to the precautionary halt in operations. In recent months, ransomware attacks have surged, with cybercriminals encrypting data and demanding ransom for the decryption key. Government agencies, schools, hospitals, and even police departments have been targeted. In this case, the FBI, Energy Department, and Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) were called in to investigate. FireEye, a private cybersecurity firm, also assisted in the investigation.

The FBI’s Stance on Ransom Payments

The FBI advises victims of ransomware not to pay the ransom, warning that there is no guarantee the data will be returned. However, according to Bloomberg News, Colonial Pipeline did pay nearly $5 million in cryptocurrency to the cybercriminals. Although the company has not confirmed the payment, multiple sources reported that Colonial received the decryption tool from the attackers.

Sophistication Behind Ransomware Attacks

Many victims of ransomware are shocked by the level of sophistication and organization behind these attacks. Cybercriminal groups often operate like businesses, complete with help desks, press centers, and support services. Some even offer to decrypt a small portion of data to prove they can reverse the encryption. If the ransom is paid, some hackers provide the decryption key, while others do not. Notably, DarkSide, the group behind the Colonial Pipeline attack, operates a Ransomware-as-a-Service (RaaS) model, allowing other hackers to use its platform to launch attacks.

DarkSide’s Role in the Colonial Pipeline Attack

The FBI identified DarkSide, a Russian-speaking hacking group, as the culprit behind the Colonial Pipeline attack. DarkSide operates using a double extortion model, demanding payment for the decryption key and a separate payment for the promise to delete stolen data. After the attack, DarkSide claimed responsibility for three more attacks but later announced it was disbanding, citing pressure from law enforcement and the U.S. government. Security experts warn, however, that cybercriminal groups frequently disband only to re-emerge under a new name.

U.S. Government Response and Biden’s Executive Order

In response to the attack, President Joe Biden issued an Executive Order aimed at improving the nation’s cybersecurity. The order focuses on enhancing security standards for software vendors supplying the federal government, though it does not directly address critical infrastructure. The Justice Department has also launched a new task force focused on prosecuting ransomware criminals. Additionally, the Biden administration recently imposed sanctions on Russia for its role in the SolarWinds attack, which targeted U.S. government agencies and corporations. While DarkSide has not been linked to the Russian government, officials believe its operatives may reside in Russia.