Running out of gas: five questions about the colonial pipeline cyberattack

Gasoline pumps closed. Long queues for gas stations still open. Relentless motorists who are forced to go to work on a mountain bike. And panic in the Facebook group of a group of friends in Asheville, an average city of 100,000 people in the mountains of the US state of North Carolina. “Go get your essence!” “Make sure you fill up with gas quickly,” said one of the friends. There was no gasoline available throughout town on Tuesday.

The cyber ransomware attack on Colonial Pipeline, the largest US oil transport company that manages nearly half of the fuel transport in the eastern part of the country, is starting to hit the lives of American citizens.

Colonial Pipeline reported on Friday that hackers had broken into its computer systems. They would hijack the company’s networks and data and demand a ransom to give Colonial back access to its information technology. As a precaution, the company concerned has closed its entire pipeline network. For example, the transportation of fuels from Texas to the northeastern United States has stopped.

Five questions about one of the biggest ransomware attacks on critical US infrastructure to date.

1 What does America notice?

Colonial Pipeline operates an 8,850 kilometer pipeline system for the transportation of gasoline, diesel, kerosene and other refined products. For example, the company transports 15% of its fuel consumption through the United States. According to experts, 13,000 tankers per day would be needed to support the transport of oil from the blocked pipeline.

Reuters news agency reported on Tuesday that gasoline and diesel prices at the pump are at their highest levels for three years. In some areas, motorists are said to be already accumulating. The American Automobile Association, the American ANWB, urges motorists not to do this.

Colonial Pipeline also supplies kerosene directly to seven airports in the Southeastern United States. They are now noticing the problems with the pipeline there. American Airlines, one of the largest US airlines, has decided that its flights from Charlotte, North Carolina to Honolulu and Boston make an additional stop at airports en route to get more fuel. .

The hacked company said Monday it expects most systems to be back up and running “by the end of the week.”

2 Who are the culprits?

On Monday, the Reuters news agency already mentioned the hacker collective DarkSide. And on Tuesday, the FBI confirmed that suspicion. According to the intelligence service, they are Russian-speaking hackers. The malware used by the group is said to be programmed not to attack computers with a Cyrillic keyboard. US President Joe Biden said on Monday that investigative services had so far found no evidence that the Russian state was involved in the cyberattack. The Russian Embassy in the United States on Tuesday denied any responsibility.

DarkSide, which first appeared in August last year, previously said the group’s goal is to make money. “And not to cause trouble in society.” Security experts say the group operates like a professional criminal organization. However, the collective would not use very advanced technology.

If the group fails to do so, it may also sell the stolen databases to other cybercriminals, according to the French news agency AFP. The group is also reportedly threatening to release the stolen data. According to French security experts, a group like DarkSide demands a ransom of between $ 200,000 and $ 2 million (1.6 million euros).

DarkSide does not always perform cyber attacks itself. Many cybercriminals have been working on a distributed model for two to three years: they often purchase services from various “vendors”.

Hackers sometimes pose as digital Robin Hoods: they rob rich companies and donate to the poor. the The BBC reported in October that the group had donated $ 10,000 in bitcoins to the humanitarian organization Children International. The NGO then refused “the stolen money”, according to the BBC.

3 How did they manage to carry out the attack?

It is not yet known how the hackers entered Colonial Pipeline. Experts note that the oil company was attacked via unsecured remote access.

“The pandemic and mobility restrictions of the past year have prompted many organizations to allow remote access from their homes,” said Stefan van der Wal of the Dutch branch of US IT security firm Barracuda. “But as we have seen in other operational technology security incidents, many systems used for this purpose are not properly secured.”

It highlights the importance of encryption (data encryption), multiple permissions (not just a username and password) and the possibility that remote employees cannot log into the entire system, but only to the part of the corporate network where they can actually do it. Something.

In addition, e-mail remains a weak link in a corporate network. Through “social engineering,” the intelligent temptation of employees, someone quickly clicks on a link that can infect the PC (and the rest of the network). Think of emails with a link to participate in a video conference, to collaborate on a shared document or a track-in-tracemessage of an order.

4 Do you have to pay the authors?

Ransomware attacks are a growing problem for businesses, governments, and other organizations. Not only in the United States, but also in the Netherlands and the rest of the western world. Paying a ransom to regain access to networks and sensitive business information is discouraged by law enforcement. The FBI pointed out this week that you only cheer on other perpetrators.

Dutch digital police, the National Cyber ​​Security Center (NCSS), also say it’s better not to pay. The victims who have paid seem to still have great difficulty in recovering all access and all information. Plus, you never know if the perpetrators left a back door open to break in later.

Also read: Negotiate ransomware: “We took 10 million, didn’t we?”

A White House spokesman declined to say on Monday whether Colonial Pipeline had now paid a ransom. The company itself does not make any statement about payments. Some experts see it as proof that we are talking about hostage takers.

5 What is the US government doing?

The White House is working on a plan to bolster US cyber defense. This mainly comes down to increased cooperation between business and governments and increased international cooperation. “We urgently need to invest in the security of our critical infrastructure,” US President Biden said on Monday. The incident, according to a White House spokesman, shows once again how vulnerable the United States is in this regard. In recent months, US governments (upper and lower) have fallen victim to cybercriminals much more. There are now dozens of incidents. The US energy regulator on Monday called for stricter safety standards by pipeline operators.