JasonJ Posted May 9, 2021

(Reuters) - A cyberattack that shut the largest U.S. gasoline pipeline and jeopardized supplies from Gulf Coast refining centers to cities including Washington, D.C., Baltimore and Atlanta put energy security back in the spotlight. Colonial Pipeline halted operations to contain the threat after learning of Friday’s attack, the company said. It cut deliveries of 2.5 million barrels per day of gasoline, diesel, and jet fuel through 5,500 miles (8,850 km) of pipelines.

Stories: COMMENTARY

PATRICK DeHAAN, PETROLEUM ANALYST, GASBUDDY
“I would not expect this to last long enough to make fuel pricing or supply an issue. “Gas prices are not impacted yet, and should not be if Colonial’s operations return soon.”

ANDREW LIPOW, PRESIDENT, LIPOW OIL ASSOCIATES
“As every day goes by, it becomes a greater and greater impact on Gulf Coast oil refining. Refiners would have to react by reducing crude processing because they’ve lost part of the distribution system.” “If the Colonial shutdown becomes more extended, to four or five days, (refiners) might have to reduce their operating rates to contain inventories. Colonial ships over 2 million barrels per day from the Gulf Coast and the alternative, the Plantation Pipe Line, carries 700,000 barrels.”

ALGIRDE PIPIKAITE, CYBER SECURITY LEAD, WORLD ECONOMIC FORUM’S CENTER FOR CYBERSECURITY
“This attack is unusual for the U.S. But, the bottom line is that attacks targeting operational technology – the industrial control systems on the production line or plant floor – are becoming more frequent.” “Cybersecurity vulnerabilities have become a systemic issue. It needs strategic oversight to ensure that operations have preventative controls and an appropriate response plan if and when attackers breach a system.”

MIKE CHAPPLE, PROF OF IT, ANALYTICS AND OPERATIONS, UNIVERSITY OF NOTRE DAME’S MENDOZA COLLEGE OF BUSINESS
“This pipeline shutdown sends the message that core elements of our national infrastructure continue to be vulnerable to cyberattack. Securing our energy infrastructure is a national security issue that involves several different federal agencies and requires centralized leadership. “Last year, Congress authorized the creation of a national cybersecurity director within the White House, but this position remains unfilled by the Biden administration. In the wake of attacks like Colonial Pipeline and Solar Winds, it is clear that filling the role needs to be a higher priority.”

https://wtvbam.com/2021/05/08/cyberattack-on-pipeline-spotlights-holes-in-u-s-energy-security/

Cyber is making its mark.
Ivanhoe Posted May 9, 2021

We are in a war, sadly the country in general is not aware of it. The amazing thing, to me, is that this news story gets quotes from Mike Chapple, who is the real deal. The MSM usually gets a quote from a journo who reports on IT stuff, or some diplo droid. I will point out that having a "cybersecurity czar" in the WH means nothing. The federal gov't has proven time and time again that it is irresponsible with data and systems. More regulations won't fix the problem; compliance is not security.
DB Posted May 10, 2021

Critical infrastructure should not have a connection to the internet. If the wage slaves want Netflix or porn when working, they can use their phones. If it's connected to the internet for reasons of cheap remote management, then they ignored the security requirements in favour of cost (say it ain't so). It's a pipeline. If you can't hang dedicated fibre along it for your own command and control, you're an idiot. On the other hand, it will be interesting to see if the Feds can throw enough money and skill at the problem to get the criminals caught.
BansheeOne Posted May 10, 2021

Date 10.05.2021
Cyberattack on US pipeline carried out by criminal gang — reports

DarkSide, a group of veteran cybercriminals, is believed to be behind the ransomware attack on Colonial Pipeline, the worst cyberattack on critical US infrastructure to date.

The hackers behind the ransomware attack on a vital US pipeline operator are suspected to be a professional cybercriminal group called DarkSide, multiple people familiar with the investigation said on Sunday. The cyberattack forced Georgia-based Colonial Pipeline to shut a critical fuel network that serves populous states on the East Coast. It supplies nearly 45% of the fuel consumed in those states, the company said. Colonial said it was hit by a ransomware attack, wherein hackers typically lock up computer systems by encrypting data and then demand a large ransom to decrypt it.

What is DarkSide?

DarkSide has been identified as one of the ransomware gangs that have "professionalized" a criminal industry that has cost Western nations tens of billions of dollars in such cyberattacks in the past three years. The group claims that it does not steal from medical, educational, or government institutions, targeting only large corporations and donating a part of the ransom to charity. Darkside, according to cybersecurity experts, is composed of veteran cybercriminals focused on squeezing out as much money as they can from their targets. "They're very new but they're very organized," said Lior Div, the chief executive of Boston-based security firm Cybereason. "It looks like someone who's been there, done that." The group first surfaced in August last year, and have since immediately unleashed a digital crimewave, Div told Reuters news agency. It is also known to avoid targeting organizations in former Soviet republics, suggesting a possible link to these nations.

What is at stake?

Colonial delivers more than 100 million gallons (380 million liters) of gasoline and other fuels per day from refiners on the Gulf Coast to consumers in the mid-Atlantic and southeastern United States. It operates a more than 5,500-mile (8,850 km) pipeline network stretching from Texas to New Jersey, which serves major US airports, including Atlanta's Hartsfield Jackson Airport — the world's busiest by passenger traffic. US gasoline futures jumped more than 3 percent to $2.217 a gallon, the highest since May 2018, as trading opened for the first time since the cyberattack.

How has the US responded?

The White House said it was working closely with Colonial as its main fuel lines remain offline for the third straight day. The Department of Transportation issued a regional emergency declaration Sunday, relaxing hours-of-service regulations for drivers carrying gasoline, diesel, jet fuel, and other refined petroleum products in 17 states and the District of Columbia. The declaration allows them to work extra or more flexible hours to make up for any fuel shortage related to the pipeline outage.

[...]

https://www.dw.com/en/cyberattack-on-us-pipeline-carried-out-by-criminal-gang-reports/a-57479525
Stuart Galbraith Posted May 10, 2021

Criminal gang = They work for the FSB. You know, something occurred to me earlier. Back in the 1980's the CIA managed, according to legend, to amend some computer software that was going to the USSR to control oil pipelines and basically hack it so it would open and close pipelines randomly till it broke. The legend has it that they first learned of it working when they saw a huge explosion on a Siberian pipeline. It would probably be the world's first known computer hack, if it can be confirmed it happened. You have to wonder if it was payback of some kind.
Adam Peter Posted May 10, 2021

3 hours ago, DB said: It's a pipeline. If you can't hang dedicated fibre along it for your own command and control, you're an idiot.

Also, it is a theft, because it could be offered to rent. Railways have done that here.
Steven P Allen Posted May 10, 2021

1 hour ago, Stuart Galbraith said: You know, something occurred to me earlier. Back in the 1980's the CIA managed, according to legend, to amend some computer software that was going to the USSR to control oil pipelines and basically hack it so it would open and close pipelines randomly till it broke. The legend has it that they first learned of it working when they saw a huge explosion on a Siberian pipeline. It would probably be the world's first known computer hack, if it can be confirmed it happened.

Isn't that the first coupla-three chapters of Red Storm Rising?
Stuart Galbraith Posted May 10, 2021

In RSR it was Islamic Terrorists, but yes, close enough to make you wonder if Clancy had got a sniff of it. There has never been any confirmation from either side it actually happened, but there was certainly a CIA effort against KGB efforts to pick up industrial equipment. I think it was called Line X? The French managed to turn the KGB officer that was part of it, and the CIA by the mid 1980's was winding the effort up. So a sabotage effort against it was conceivable. I'm not saying this is justified in any way, I'm just wondering if it's some clue to their motivation.
Ivanhoe Posted May 10, 2021

7 hours ago, DB said: Critical infrastructure should not have a connection to the internet. If the wage slaves want Netflix or porn when working, they can use their phones. If it's connected to the internet for reasons of cheap remote management, then they ignored the security requirements in favour of cost (say it ain't so).

Welcome to reality. Gurus and the federal gov't have been yelling at full volume about the vulnerability of industrial control systems (ICS), to little avail. The spice must flow. ICSes should be airgapped, with max use of the zero-trust design philosophy to keep J. Random User from plugging an infected thumb drive into a work computer in the airgapped enclave and infecting the whole system. By that same logic, I should be sleeping with Naomie Harris (just watched Skyfall last night).

Simple truths beyond the ken of the suits:
- security cannot be bought
- compliance is not security
- you cannot outsource risk
bojan Posted May 10, 2021 (edited)

5 hours ago, Steven P Allen said: Isn't that the first coupla-three chapters of Red Storm Rising?

Huge explosion in Siberia was this thing: https://en.wikipedia.org/wiki/Ufa_train_disaster

Whole story is a well proven BS, peddled to those who have read a bit too much into RSR. Pretty much all Soviet pipelines at that time were manually locally controlled, and lack of centralized control was cited as one of the reasons for the above disaster.

Edited May 10, 2021 by bojan
Stuart Galbraith Posted May 10, 2021

I remember several historians who 'proved' the Able Archer nuclear crisis was a complete myth, some as recently as a year ago. Then there was recently found a letter from a USAF General Perroots asserting most of the combat aircraft in GSFG and NGF had gone on alert for a week, and suddenly the mythbusters went very quiet. That was despite most Russian sources they interviewed having claimed they never even heard of Able Archer. Is it true? I don't know, but as the source was the Secretary of the Air Force under Gerald Ford, and an aide to President Reagan, I wouldn't be quite so quick to assume it wasn't done, even if it didn't work as advertised. https://en.m.wikipedia.org/wiki/At_the_Abyss

We do know other technical disruption operations certainly happened, most memorably the French who disrupted a KGB effort to get tire scrapings from Concorde, and swapped it for a concoction with the consistency of marshmallow. Probably kept them busy for weeks reverse engineering it.
bojan Posted May 10, 2021

What part of "vast majority of pipelines did not have any centralized control" do you fail to understand?
bojan Posted May 10, 2021

29 minutes ago, Stuart Galbraith said: ... Probably kept them busy for weeks reverse engineering it.

Sad to see that you are also clueless about why such things would be acquired.
wilhelm Posted May 11, 2021 (edited)

You don't understand. It's a chance to pollute yet another thread with his anti-Russian hatred. When the USN managed to crash one of its destroyers a while back, he "wondered" in that thread whether the Russians did it through "jamming". The penny dropped then with me that this is basically pathological. It's become ridiculous, and has ruined this site ages ago. Almost every f*cking thread... relentlessly.

Edited May 11, 2021 by wilhelm
rmgill Posted May 11, 2021

He ain't all that bad. He's not ruined the site. Don't be so Stuart in your hyperbole.
BansheeOne Posted May 11, 2021

It's certainly no worse than the proliferation of "Ukraine is corrupt Nazi regime, and also US is crumbling system just like late USSR" throughout threads by certain other posters. It all fades against the domestic US politics injected in about any topic, by about everyone, anyway. 😁
RETAC21 Posted May 11, 2021

1 hour ago, BansheeOne said: It's certainly no worse than the proliferation of "Ukraine is corrupt regime, run by Russians nazis, and also US is crumbling system just like late USSR" throughout threads by certain other posters. It all fades against the domestic US politics injected in about any topic, by about everyone, anyway. 😁

FIFY

In all, it's like Polandball, but with words.
BansheeOne Posted May 11, 2021 (edited)

But corrupt Russo-Ukrainian Nazis are totally relevant to threads about COVID, Donald Trump, Bernie Sanders, Chinese dissidents, mass shootings in New Zealand, the re-conversion of Hagia Sophia to a mosque, Brexit, Kosovo, Venezuela, Texas, and the US in general! Meanwhile the alleged hackers say it's just about the money, so you know.

US fuel pipeline hackers 'didn't mean to create problems'
By Mary-Ann Russon, Business reporter, BBC News
Published 12 hours ago

A cyber-criminal gang that took a major US fuel pipeline offline over the weekend has acknowledged the incident in a public statement. "Our goal is to make money and not creating problems for society," DarkSide wrote on its website. The US issued emergency legislation on Sunday after Colonial Pipeline was hit by a ransomware cyber-attack. The pipeline carries 2.5 million barrels a day - 45% of the East Coast's supply of diesel, petrol and jet fuel. The operator took itself offline on Friday after the cyber-attack. Work to restore service is continuing.

On Monday, the FBI officially confirmed that DarkSide was responsible for compromising Colonial Pipeline's networks, saying that it was continuing to work with the firm and other government agencies on the investigation. During a speech about the economy at the White House on Monday, US President Joe Biden said that he was being "personally briefed" on the situation with the pipeline each day.

[...]

A number of cyber-security researchers, including firms contacted by the BBC, have speculated that the cyber-criminal gang could be Russian, as their software avoids encrypting any computer systems where the language is set as Russian. Mr Biden said that the US government was concerned about this aspect of the cyber-attack. "I'm gonna be meeting with President Putin and so far there is no evidence, based on our intelligence people, that Russia is involved," he said. "Although, there's evidence that the actors' ransomware is in Russia - they have some responsibility to deal with this."

DarkSide posted a statement on its website on Monday, describing itself as "apolitical". "We do not participate in geopolitics, do not need to tie us with a defined government and look for... our motives," the group said. The group also indicated it had not been aware that Colonial was being targeted by one of its affiliates, saying: "From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."

[...]

In addition to a notice on their computer screens, victims of a DarkSide attack receive an information pack informing them that their computers and servers are encrypted. The gang lists all the types of data it has stolen, and sends victims the URL of a "personal leak page" where the data is already loaded, waiting to be automatically published, should the company or organisation not pay before the deadline is up. DarkSide also tells victims it will provide proof of the data it has obtained, and is prepared to delete all of it from the victim's network.

According to Digital Shadows, a London-based cyber-security firm, DarkSide operates like a business. The gang develops the software used to encrypt and steal data from companies. It then provides ransomware to "affiliates" who pay DarkSide a percentage of their earnings from any successful attacks. When it released new software in March that could encrypt data faster than before, the gang issued a press release and invited journalists to interview it. It even has a website on the dark web where it lists all the companies it has hacked and what was stolen, and an "ethics" page where it says which organisations it will not attack.

DarkSide also works with "access brokers" - nefarious hackers who work to harvest the login details for as many working user accounts on various services as they can find. Rather than break into these accounts and alert users or the service providers, these brokers sit on the usernames and passwords and sell them off to the highest bidders - cyber-criminal gangs who want to use them to carry out much larger crimes.

[...]

Digital Shadows' research shows the cyber-criminal gang is likely to be based in a Russian-speaking country, as it avoids attacking companies in post-Soviet states including Russia, Ukraine, Belarus, Georgia, Armenia, Moldova, Azerbaijan, Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan and Uzbekistan.

https://www.bbc.com/news/business-57050690

Edited May 11, 2021 by BansheeOne
Adam Peter Posted May 11, 2021

Them sophisticated nation-state sponsored hackers try to convince you they aren't Russian at all - don't fall, vigilance! On the other hand who would think sophisticated nation-state sponsored hackers hit and run attacking does not really want to build a relationship with the victim, as ransomware users usually do ...
RETAC21 Posted May 11, 2021

2 hours ago, Adam Peter said: Them sophisticated nation-state sponsored hackers try to convince you they aren't Russian at all - don't fall, vigilance! On the other hand who would think sophisticated nation-state sponsored hackers hit and run attacking does not really want to build a relationship with the victim, as ransomware users usually do ...

If you are other than Nazi-Russo-Ukrainians-Al Qaida-Chinese-BLM-anti-Tramp hackers, ie, a state hacker, it's better to explore and exploit the vulnerability by not having the victim know it's there (ie Solarwinds) for The Day it's needed.
JasonJ (Author) Posted May 11, 2021

59 minutes ago, RETAC21 said: If you are other than Nazi-Russo-Ukrainians-Al Qaida-Chinese-BLM-anti-Tramp hackers, ie, a state hacker, it's better to explore and exploit the vulnerability by not having the victim know it's there (ie Solarwinds) for The Day it's needed.

I don't know, it seems pretty difficult to apply countermeasures to cyberattacks other than just making a cybercounter attack. So the expected penalty to a cyber attack that's in ambiguity of intention is kind of low. Also, like anything else, I'd imagine there's an arms race of sorts in the software technology between offensive and defensive cyber abilities. That back and forth surely already had been existing for two or decades in the form of spyware, trojans, malware, and computer viruses. So a cyber ability currently effective can't be counted on working at a later time. A cyber attack on a large energy supply line just for money may be the case but can it really be the only possible case just because Darkside says so?
RETAC21 Posted May 11, 2021

18 minutes ago, JasonJ said: I don't know, it seems pretty difficult to apply countermeasures to cyberattacks other than just making a cybercounter attack. So the expected penalty to a cyber attack that's in ambiguity of intention is kind of low. Also, like anything else, I'd imagine there's an arms race of sorts in the software technology between offensive and defensive cyber abilities. That back and forth surely already had been existing for two or decades in the form of spyware, trojans, malware, and computer viruses. So a cyber ability currently effective can't be counted on working at a later time. A cyber attack on a large energy supply line just for money may be the case but can it really be the only possible case just because Darkside says so?

You are right, but this is a bit armor vs ammunition, it's better not to say what the actual armor is and keep the other side guessing, and conversely, if you know your ammo will penetrate the armor, better keep it quiet in case the other side up armours.
JasonJ (Author) Posted May 11, 2021

25 minutes ago, RETAC21 said: You are right, but this is a bit armor vs ammunition, it's better not to say what the actual armor is and keep the other side guessing, and conversely, if you know your ammo will penetrate the armor, better keep it quiet in case the other side up armours.

I hate to push after you have given credit with your opening, but a part of my post still addresses what you just said which was: "I'd imagine there's an arms race of sorts in the software technology between offensive and defensive cyber abilities. That back and forth surely already had been existing for two or decades in the form of spyware, trojans, malware, and computer viruses. So a cyber ability currently effective can't be counted on working at a later time." How can we be sure that it really is like the analogy with armor vs ammunition as you stated is a constant for a meaningful amount of time? Armor vs ammunition can be a constant for 20 years even as tanks with their same armor and gun/ammunition stay in service for decades. Surely software evolution occurs much faster. An effective cyber attack program may only be valid for a few years. A short shelf life if you will. So use before it's of little use.
RETAC21 Posted May 11, 2021 (edited)

17 minutes ago, JasonJ said: I hate to push after you have given credit with your opening, but a part of my post still addresses what you just said which was: "I'd imagine there's an arms race of sorts in the software technology between offensive and defensive cyber abilities. That back and forth surely already had been existing for two or decades in the form of spyware, trojans, malware, and computer viruses. So a cyber ability currently effective can't be counted on working at a later time." How can we be sure that it really is like the analogy with armor vs ammunition as you stated is a constant for a meaningful amount of time? Armor vs ammunition can be a constant for 20 years even as tanks with their same armor and gun/ammunition stay in service for decades. Surely software evolution occurs much faster. An effective cyber attack program may only be valid for a few years. A short shelf life if you will. So use before it's of little use.

I am no expert, but it seems some of this stuff remains for a long time:

https://www.wired.com/story/windows-defender-vulnerability-twelve-years/
https://us-cert.cisa.gov/ncas/alerts/aa20-014a

"Measuring the length of the vulnerability window can be difficult, as attackers do not announce when the vulnerability was first discovered. Developers may not want to distribute data for commercial or security reasons. They also may not know if the vulnerability is being exploited when they fix it, and so they may not record the vulnerability as a zero-day attack. However, it can be easily shown that this window can be several years long. For example, in 2008, Microsoft confirmed vulnerability in Internet Explorer, which affected some versions that were released in 2001. The date the vulnerability was first found by an attacker is not known; however, the vulnerability window in this case could have been up to seven years."

"The sale of zero-day exploits [2,3] has become a major underground business with some reported to sell for hundreds of thousands of dollars. Costs are usually a function of the vulnerability window, the time between discovery of the exploit and the installation of a patch."

https://www.sciencedirect.com/topics/computer-science/vulnerability-window

I suspect this is one of those areas where public perception and reality diverge...

Edited to add, see the example of Stuxnet https://www.sciencedirect.com/topics/computer-science/stuxnet

"Stuxnet is a name given to a malware pairing that apparently included a worm stored on a USB drive designed to map out the workings of a nuclear power plant and a virus that slowly destroyed the nuclear centrifuges by surreptitiously manipulating the rate of spin, while ensuring feedback to operators monitoring the centrifuges reflected nothing amiss. It is reported to have been created as a part of a joint US and Israel project with the aim of disrupting Iran's ability to develop their nuclear capability [9]. The Stuxnet attack is an example of a nation-state attack that highlights the risks to industrial control systems which may be connected to a computer, much less the Internet itself. In some cases, those computers are connected to the Internet themselves, and as the next example demonstrates, makes this type of attack on the industrial or civilian infrastructure an ominous complement to the accomplishment of military objectives."

Edited May 11, 2021 by RETAC21
JasonJ (Author) Posted May 11, 2021

13 minutes ago, RETAC21 said: I am no expert, but it seems some of this stuff remains for a long time: https://www.wired.com/story/windows-defender-vulnerability-twelve-years/ https://us-cert.cisa.gov/ncas/alerts/aa20-014a "Measuring the length of the vulnerability window can be difficult, as attackers do not announce when the vulnerability was first discovered. Developers may not want to distribute data for commercial or security reasons. They also may not know if the vulnerability is being exploited when they fix it, and so they may not record the vulnerability as a zero-day attack. However, it can be easily shown that this window can be several years long. For example, in 2008, Microsoft confirmed vulnerability in Internet Explorer, which affected some versions that were released in 2001. The date the vulnerability was first found by an attacker is not known; however, the vulnerability window in this case could have been up to seven years." "The sale of zero-day exploits [2,3] has become a major underground business with some reported to sell for hundreds of thousands of dollars. Costs are usually a function of the vulnerability window, the time between discovery of the exploit and the installation of a patch." https://www.sciencedirect.com/topics/computer-science/vulnerability-window I suspect this is one of those areas where public perception and reality diverge...

Ok, that's really interesting, thank you.