Many in mainstream media have characterised the DarkSide attack on Colonial Pipeline, which operates a significant portion of the nation’s critical energy infrastructure, as a wake-up call for CIOs and CISOs. If that is the case, then they are hard of hearing as this klaxon has been sounding for many years, as company after company fends off ransomware attacks.
A senior administration official, speaking on background, commented how “these incidents are a reminder that our adversaries will use multiple methods of attack, whether hunting for coding errors or compromising our supply chains to create opportunity.”
The official went on to say that incidents such as the SolarWinds, Microsoft Exchange and Colonial Pipeline attacks share commonalities: the first, “a laissez-faire attitude toward cyber security”; the second, “poor software security and current market development of ‘build, sell, and maybe patch later.’”
The fallout from the attack is winding down with the company restarting operations the evening of May 12 (local time). Prior to the restart, the White House and the Cybersecurity and Infrastructure Security Agency (CISA) both issued updates and guidance for use by enterprises and small/medium businesses.
According to Bloomberg, US$5 million in cryptocurrency was paid to the cyber criminal entity within hours of the attack, yet it still took Colonial days to bring its systems back online, a reminder that a decryptor is not a recovery plan. Colonial in its most recent public statement makes no reference to having paid the ransom, focusing instead on assuring the markets that product was flowing and would be back to normal by end of day Thursday, May 13.
The morning of May 14, DarkSide allegedly began to experience “issues” that caused DarkSide to shutter its ransomware-as-a-service operations. It is reported that it lost access to the public portion of its infrastructure, which was followed by loss of access to its cryptocurrency wallets and payment server. It is further reported that other purveyors of ransomware-as-a-service have taken their offerings off Russian cyber crime forums.
Before CISOs breathe a sigh of relief that ransomware cyber criminals may have met their match, Intel471 cautioned, “A number of the operators will most likely operate in their own close-knit groups, resurfacing under new names and updated ransomware variants.”
President Biden noted that there was no evidence that DarkSide was operating at the behest of the Russian government. That said, the fact that Russia allows them to act with impunity should be enough for all to realise that these actions are advancing the Russian agenda of fomenting chaos.
There is a reason these criminal groups aren’t attacking Russian companies or government entities: doing so would remove the top cover they currently enjoy. Even when indicted and global warrants issued, the individuals are not touchable by western law enforcement while they remain within the Russian Federation.
Colonial was reportedly unprepared for an attack
Colonial is alleged to have had a weak IT infrastructure according to the AP. The AP reporter interviewed Robert F. Smallwood of iMerge Consulting, who conducted a comprehensive operational audit in 2018. Smallwood characterised the Colonial network security as severely deficient, “… an eighth-grader could have hacked into that system,” he told the AP.
Fast forward three years and we see that while Colonial may not have a CISO, it does have a CIO, Mary Mouchet, who has been in the seat since 2016, and a senior director of technology solutions, Susan Adams, who was hired in late 2019. Smallwood claims the confidential report he provided to Colonial included recommendations, some of which he believed they had taken on board and implemented.
US government response to DarkSide attack
The White House briefed the media last week on the physical aspects of the disruption of fuel delivery and stocks in the southeastern United States. On the technical side of the house, the FBI and CISA issued a joint alert (see below). The Department of Energy, in conjunction with the FBI and CISA, is working to ensure the Industrial Control Systems Cybersecurity initiative is available and in the hands of other operators of critical infrastructure so they too do not fall victim.
The evening of May 12 saw the President issue an Executive Order on Improving the Nation’s Cybersecurity. Much of the content of the EO pre-dates the Colonial compromise, given the depth of actions required and recommended. The primary areas of focus which should be absorbed by information security teams within the EO are:
- Remove barriers to threat information sharing between government and the private sector.
- Modernise and implement stronger cyber security standards in the federal government.
- Improve software supply chain security.
- Establish a cyber security safety review board.
- Create a standard playbook for responding to cyber incidents.
- Improve detection of cyber security incidents on federal government networks.
- Improve investigative and remediation capabilities.
Then on May 14 the takedown of DarkSide’s infrastructure occurred. This allegedly included their service provider cooperating with an unidentified law enforcement entity. Whether this was the long-arm of US justice reaching out remains to be seen.
What one can be certain of is that the US intelligence community was tasked with dissecting DarkSide’s (and others’) infrastructure and identifying the individuals behind the group. Furthermore, once identified, one may expect the Department of Justice to pursue indictments and EO 14024 to be used to sanction the individuals and those who supported them.
CISA alert AA21-131A
The joint CISA/FBI advisory AA21-131A provides CISOs with a wealth of resources and advice on how to prepare for, and weather, a ransomware attack without paying the ransom to the cyber criminals. CISA notes that there is no indication that DarkSide moved laterally into the operational technology (OT) networks, such as the SCADA systems that run the pipeline, and that the compromise was limited to the information technology (IT) network; the pipeline was shut down as a precaution, not because the controllers were encrypted. Both CISA and the FBI recommend against paying a ransom, as it emboldens the criminals to target additional organisations, and payment does not guarantee recovery of the data.
CISA and the FBI recommend that critical infrastructure owners take the following actions if they are victim of a ransomware attack:
- Isolate the infected system.
- Turn off other computers and devices.
- Secure your back-ups.
- Refer to AA20-245A, the joint CISA advisory on “Technical Approaches to Uncovering and Remediating Malicious Activity.”
CISA and the FBI recommend all owners of critical infrastructure immediately implement the following:
- Implement robust network segmentation between IT and OT (operational technology) networks.
- Organise OT assets into logical zones.
- Identify OT and IT network interdependencies and develop workarounds and manual controls.
- Regularly test manual controls.
- Implement regular data backups.
- Ensure backups are tested regularly, including a full restore, not just a successful backup job.
- Store your backups separately, offline or otherwise out of reach of an attacker who holds domain credentials.
- Maintain regularly updated “gold images” of critical systems in the event of a need to rebuild.
- Retain backup hardware so that systems can be rebuilt if the production hardware is unavailable.
- Store source code or executables alongside the images, since some images will not install cleanly on different hardware or platforms.
- Limit user and process account privileges through account-use policies, user account control and privileged account management (least privilege).
CISA's recommended steps to prevent a successful ransomware attack include:
- Require multi-factor authentication, particularly for remote access.
- Create strong spam filters to prevent phishing emails from reaching end users.
- Implement user training programmes and simulated spear-phishing exercises.
- Filter network traffic, blocking known malicious IP addresses.
- Limit access to resources over networks, especially by restricting remote desktop protocol (RDP).
- Regularly execute antivirus/antimalware scans.
- Prevent unauthorised execution by:
  - Disabling macro scripts in Microsoft Office files.
  - Implementing application allowlisting so that systems execute only programs known and permitted by security policy.
  - Monitoring or blocking inbound connections from Tor exit nodes or other anonymisation services.
  - Deploying signatures to detect or block Cobalt Strike servers and other post-exploitation tools.
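Two of the items above, blocking known malicious IP addresses and monitoring inbound connections from Tor exit nodes, are easy to state and easy to get wrong in practice: the check has to survive a CIDR-based blocklist, a firewall that already denies some of the traffic, and log lines that are not quite what the parser expects. The following is an added example, not code from the article or from CISA, showing that detection logic run over a handful of constructed firewall log lines. The key=value log layout, the exit-node set and the blocklist are all assumed placeholders drawn from the RFC 5737 documentation ranges; in production the exit list would be refreshed from the Tor Project's published bulk exit list and the blocklist from your own threat-intelligence feeds.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample data (RFC 5737 documentation addresses, not real nodes).
# Assumed: in production these sets are refreshed from the Tor Project's bulk
# exit list and from threat-intel feeds rather than hard-coded.
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.44"}
BLOCKLIST_CIDRS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed firewall log lines in an assumed key=value layout. Real devices
# use their own formats, so parse_line() is the only part that needs adapting.
SAMPLE_LOG = """\
ts=2021-05-07T06:12:01Z action=allow dir=inbound src=198.51.100.7 dst=10.1.4.22 dport=443
ts=2021-05-07T06:12:03Z action=allow dir=outbound src=10.1.4.22 dst=198.51.100.7 dport=443
ts=2021-05-07T06:13:17Z action=allow dir=inbound src=192.0.2.99 dst=10.1.4.30 dport=3389
ts=2021-05-07T06:14:02Z action=allow dir=inbound src=203.0.113.9 dst=10.1.4.30 dport=443
ts=2021-05-07T06:15:45Z action=deny dir=inbound src=203.0.113.44 dst=10.1.4.22 dport=22
"""


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def classify_source(src: str, exits: set, blocklist: Iterable) -> Optional[str]:
    """Return why a source address is suspicious, or None if it is not.

    Exact-match lookup for exit nodes, CIDR containment for the blocklist.
    An address that does not parse is itself reported: it means the log is
    damaged or the field was tampered with, and either deserves a look.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unparseable-src"
    if src in exits:
        return "tor-exit"
    for net in blocklist:
        if addr in net:  # False, not an error, when IP versions differ
            return "blocklist"
    return None


def scan_log(log_text: str, exits: set = TOR_EXIT_NODES,
             blocklist: Iterable = BLOCKLIST_CIDRS) -> List[Alert]:
    """Flag inbound connections the firewall *allowed* from flagged sources.

    Denied connections are skipped (already blocked) and outbound traffic is
    skipped because traffic *to* an anonymisation service is a different
    detection (possible exfiltration or command-and-control), not this one.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("dir") != "inbound" or ev.get("action") != "allow":
            continue
        reason = classify_source(ev.get("src", ""), exits, blocklist)
        if reason:
            alerts.append(Alert(ev.get("ts", "?"), ev["src"], ev.get("dst", "?"),
                                int(ev.get("dport", 0)), reason))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} {a.reason:<10} {a.src} -> {a.dst}:{a.dport}")
```

On the sample above only two of the five lines produce alerts: the allowed inbound HTTPS connection from a Tor exit node and the allowed inbound RDP connection from a blocklisted range. The RDP hit is the one a responder should chase first, since an exposed RDP service reachable from a known-bad range is exactly the access path the advisory warns about. The denied SSH attempt from the second exit node is deliberately not alerted; it is useful for volume statistics but it did not get through.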
As the senior administration official noted, continuing the status quo of rushing from one incident to the next is unacceptable.
CIOs and CISOs will be well served to embrace the mandates found within the executive order, while taking on board the CISA recommendations on being prepared to repel a ransomware attack.