Colonial Pipeline was the victim of a ransomware attack by the DarkSide group, a relatively new cybercrime group that first began attacks in August 2020. The group is supposedly made up of experienced ransomware operators and operates a Ransomware as a Service (RaaS) business model where they sell access to their malware to other hacking groups.
The initial infection vector for the attack on Colonial Pipeline is unknown pending further investigation. The attack targeted the business side of the organization’s operations but spread to the operations side, resulting in a shutdown of the pipeline’s operations. A week after the attack, the pipeline is still largely offline with a single pipe operating under manual controls.
Implications of the Attack
The Colonial Pipeline attack took down a pipeline that supplies 45% of the fuel to the East Coast. As a result, the US government has declared the incident a national emergency for the duration of the shutdown since it poses a potential threat to national security. The resulting shortages of fuel in some areas and their impacts on logistics and shipping may have wide-reaching business effects.
The Colonial Pipeline attack also demonstrates the capabilities of the DarkSide group to compromise even large organizations. This hacking group is known for highly targeted attacks backed by in-depth research. This enables the group not only to identify potential infection vectors for their malware but also to tailor ransom demands to a company’s resources and to target key decision-makers within an organization.
In the week since the Colonial Pipeline attack, the DarkSide group claims to have exploited three more companies, demonstrating that this is not an isolated incident. The DarkSide group is known for employing “double extortion” tactics. Before encrypting a compromised computer, their malware exfiltrates sensitive data from it, and the group threatens to publish this data online if a ransom is not paid.
Like the recent SolarWinds breach, the Colonial Pipeline hack has demonstrated that many organizations are vulnerable to exploitation by sophisticated cyber threat actors. These attacks have prompted a recent executive order on improving the nation’s cybersecurity posture.