[BreachExchange] 4 key takeaways on US government response to Colonial Pipeline ransomware attack

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 17 13:41:53 EDT 2021


https://abc7chicago.com/colonial-pipeline-ransomware-cyber-attack-biden-gas-prices/10641125/

Senior cybersecurity officials testified before a key Senate committee on
Tuesday after one of the nation's largest pipeline operators was hit by an
ongoing major ransomware attack that forced the company to shut down
operations.

CNN has learned that federal agencies and private cybersecurity firms are
investigating the attack on Colonial Pipeline but lawmakers made clear that
the incident only adds to their broader concerns about hackers who are
increasingly exploiting vulnerabilities in US infrastructure.

Here are some key takeaways from the hearing and CNN's reporting on the
government's response to the Colonial Pipeline ransomware attack.

Cyberattacks becoming 'more sophisticated, frequent and aggressive'

A top Biden administration cybersecurity official warned the Senate hearing
that cyberattacks on the nation's infrastructure are "growing more
sophisticated, frequent and aggressive."

"Malicious cyber actors today are dedicating time and resources towards
researching, stealing, and exploiting vulnerabilities, using more complex
attacks to avoid detection and developing new techniques to target
information and communication technology supply chains," acting
Cybersecurity and Infrastructure Security Agency Director Brandon Wales
told the Senate Homeland Committee, whose hearing was focused on a spate of
recent incidents impacting the US.

His comments come as US officials are not only grappling with fallout from
the Colonial Pipeline ransomware attack but a series of other recent
cyberincidents that have raised questions about the security of these
essential systems.

Ransomware locks out the rightful user of a computer or computer network
and holds it hostage until the victim pays a fee. Ransomware gangs have
also threatened to leak sensitive information in order to get victims to
meet their demands.

"That threat of ransomware is certainly by no means new," Department of
Homeland Security Secretary Alejandro Mayorkas said at a press briefing at
the White House later Tuesday. "As a matter of fact, last week I spoke ...
about the gravity of the threat. More than $350 million in losses are
attributable to ransomware attacks this year."

He said that was more than a 300% increase over the previous year.

"There's no company too small to suffer a ransomware attack," Mayorkas
added. "We are seeing increasingly small- and medium-sized businesses
suffer ransomware attacks."

There are still questions about information sharing

Senior White House officials repeatedly said Monday their roles in
addressing the latest ransomware incident were limited because Colonial
Pipeline is a private company, even though it controls the gasoline supply
to most of the eastern US.

Colonial has yet to share information with the federal government about the
vulnerability that the ransomware group DarkSide took advantage of to
infiltrate the fuel company, according to a top official with the CISA.
This is because the investigation is ongoing; Colonial is working with the
federal government and is expected to share information when it gets it.

"Our understanding is that that is part of the investigation that
Colonial's response vendor is still undertaking. That information has not
yet been shared with the US government," CISA Executive Assistant Director
for Cybersecurity Eric Goldstein told CNN in a phone interview.

However, Goldstein said various agencies across the government are engaged
with Colonial as part of an interagency effort to understand the
intrusion and identify information that can be shared broadly.

"Now, we are deeply focused on sharing information with other organizations
to protect themselves, both from this specific actor, the Darkside
ransomware group. And since we know that ransomware actors often use
similar techniques and procedures, making sure that all organizations
understand the steps that they could take to protect themselves," he added.

CISA is not providing technical assistance to Colonial Pipeline as of now,
according to Goldstein.

In the Senate hearing, Wales confirmed that DHS is still awaiting
additional technical information from the Colonial Pipeline ransomware
attack.

"I think right now we are waiting for additional technical information on
exactly what happened at Colonial so we can use that information to
potentially protect other potential victims down the road," Wales said.

Wales said it's "not surprising" that they haven't yet received information
since it's early in the investigation, adding that CISA has historically
had a "good relationship" with both Colonial and the cybersecurity firms
that are working on their behalf.

Colonial Pipeline also did not contact CISA in the wake of the cyberattack,
according to Wales.

"They did not contact CISA directly," he said. "We were brought in by the
FBI after they were notified about the incident."

Wales said the agency received information "fairly quickly in concert with
the FBI," when pressed by Senate Homeland Security Ranking Member Rob
Portman on whether it would have been helpful if Colonial reached out
"immediately."

Yet, Wales acknowledged that he did not believe Colonial would have
connected them without the FBI involvement.

Colonial has engaged a third-party incident response company that is
leading the investigation on their behalf, he said. CNN previously reported
that FireEye Mandiant was brought on to manage the incident response
investigation.

Biden administration officials frustrated with Colonial Pipeline

Biden administration officials have privately voiced frustration with what
they see as Colonial Pipeline's weak security protocols and a lack of
preparation that could have allowed hackers to pull off the ransomware
attack, officials familiar with the government's initial investigation into
the incident told CNN.

At the same time, US officials are working to track down the specific
actors responsible for the breach, according to two people familiar with
the federal response, a key part of the broader effort to bring the
individual hackers to justice.

The internal tensions underscore a stark challenge facing the
administration as it continues to grapple with the fallout from the brazen
attack on the country's critical infrastructure despite having limited
access to the private company's systems and technical information about the
vulnerabilities exploited by the hackers.

Colonial declined to comment on the matter.

Still, US officials want to go on the offensive, and believe identifying
the individual hackers who targeted Colonial Pipeline is one way of
deterring future ransomware attacks.

Private sector companies worked with government to disrupt attack

Private sector companies also worked with US agencies to take a key server
offline as recently as Saturday, disrupting ongoing cyberattacks against
Colonial Pipeline Co. and other ransomware victims, according to two
sources familiar with the matter.

The move to intervene, which allowed Colonial to recover some of its stolen
data, was taken in response to the Darkside attack against the fuel
pipeline company, one source told CNN, confirming the action first reported
by Bloomberg.

Federal agencies and private companies that control the US-based servers
were able to cut off key infrastructure used by the hackers to store stolen
data before that information could be relayed back to Russia, both sources
said.

Goldstein said CISA has no information about other victims at this time,
but he pointed out that the Darkside ransomware group is a well-known
threat actor that has compromised numerous victims in recent months.

Darkside is known to be based in Eastern Europe and carries out "double
extortion" ransomware attacks, which is where they will both encrypt a
victim's data and then also steal some of the data and threaten to release
it to cause reputational damage if the victim doesn't pay, he said.

Therefore, even if a victim has strong backups for their data that allow
them to restore the data that was encrypted, the bad actor still has
another way to extort the victim, he said.

"There has been some discussion that perhaps this actor tries to refrain
from attacking hospitals, schools and the like. But certainly, they're seen
as a pernicious ransomware group that has caused significant harm to its
victims, both in the US and elsewhere," Goldstein said.