US energy infrastructure under attack. What next?
The cyber attack on US energy infrastructure nearly paralyzed the East Coast for five days. The main US pipeline reportedly paid the DarkSide cybercriminal gang nearly $5 million (£3.6 million) in ransom following the attack. Is the EU ready to protect its member countries?
The Pelham (Alabama) Colonial Pipeline suffered a cyber-attack on Friday, May 7. A ransomware attack infected part of its infrastructure and forced internal staff to stop operations to keep the threat from propagating within the corporate network.
The pipeline can carry 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York; it covers 45 percent of the East Coast’s fuel supplies.
Shortly after the attack, investigators determined that the critical infrastructure was the victim of a ransomware gang known as DarkSide (an organization that afterward publicly acknowledged the attack).
Ransomware gangs such as DarkSide implement a double extortion approach: in addition to compromising victims’ infrastructure systems, they also exfiltrate information before encrypting files.
If victims refuse to pay the ransom and try to recover the encrypted data from their own backups, the ransomware gang publishes the stolen files on its “leak site.” This technique was devised to force the victim into paying the ransom to avoid further damage.
The DarkSide group has been very active in recent months; it has targeted many companies worldwide and demanded ransoms in the millions from its victims.
Colonial Pipeline’s management had to shut down the 5,000 miles of the pipeline as a result of the security breach; it also notified federal authorities so that they could investigate the incident and determine the extent of the intrusion. The critical infrastructure fully resumed operations after a few days, but the interruption of the fuel supply had an impact on the areas served by the pipeline.
Several media outlets, citing people familiar with the matter, reported that the company had initially refused to pay the ransom.
However, the quick restoration of operations is suspicious and suggests that the operators of the Colonial Pipeline paid the ransom.
The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files. Because the tool was too slow, the company used its backups to restore the systems.
“The operator of a critical fuel pipeline on the East Coast paid extortionists roughly 75 Bitcoin — or nearly $5 million — to recover its stolen data, according to people briefed on the transaction, clearing the way for gas to begin flowing again but complicating President Biden’s efforts to deter future attacks.” reported the NYT.
“Colonial Pipeline made the ransom payment to the hacking group DarkSide after the cybercriminals last week held up the company’s business networks with ransomware, a form of malware that encrypts data until the victim pays, and threatened to release it online.”
According to the media, once the company had obtained the decryption key, it used it along with its backup system to quickly restore the impacted systems and resume pipeline operations.
All energy infrastructures in the world are at risk
Incidents of this kind demonstrate that critical infrastructures worldwide are still too vulnerable to cyber-attacks; this implies that we need a different approach to cyber security to increase their resilience.
President Biden signed an executive order last week to improve the country’s defenses against cyberattacks; it represents an important move that comes shortly after the recent wave of attacks, such as the SolarWinds supply chain attack and the Colonial Pipeline attack.
The document, titled Executive Order on Improving the Nation’s Cybersecurity, aims to modernize cybersecurity defenses to make the federal government’s infrastructure resilient to increasingly sophisticated attacks.
The order proposes a standardized Federal Government’s Playbook for responding to cybersecurity vulnerabilities and incidents; it also aims to improve the sharing of information related to threats and threat actors.
The order requires IT (information technology) and OT (operational technology) service providers to share information about cybersecurity threats and incidents.
The Colonial Pipeline attack took place a few days after the US NSA (National Security Agency) published a ‘cybersecurity advisory’ related to OT systems that provides recommendations on how to secure them from cyber-attacks.
OT technology allows monitoring and control of physical processes such as the production and refining of oil and gas, and energy generation and distribution. This technology is widely used in multiple industries, including the aerospace, maritime, railroad, energy, and public sectors.
Last year a joint alert published by the US NSA and CISA (Cybersecurity and Infrastructure Security Agency) recommended that operators of critical infrastructures adopt security measures to mitigate the exposure of OT systems to cyber-attacks.
Attacks escalate and everyone is now under threat
Cyber-attacks against organizations in the energy sector, conducted by both cyber criminals and nation-state actors, are increasing and are becoming even more sophisticated.
In April, while Covid-19 was spreading worldwide, threat actors targeted oil and gas companies with spear-phishing campaigns aimed at infecting victims’ systems with info-stealing malware known as Agent Tesla.
Bitdefender experts pinpointed many attacks and spotted a phishing campaign conducted by threat actors masquerading as the Egyptian company ENPPI (Engineering for Petroleum and Process Industries) and a delivery company. Companies in the O&G sector operating in Malaysia, USA, Iran, South Africa, Oman and Turkey were targeted too.
In November 2019 another ransomware gang called DoppelPaymer infected about 5% of Mexico’s National Energy Company, PEMEX.
One of the largest cyber attacks of all time was the one that hit Saudi Aramco with malware that wiped 30,000 computers of the oil giant.
The economic repercussions of these events can be dire. An interruption of the fuel supply, or any interference with transportation and distribution infrastructure, could affect fuel prices and have a dramatic domino effect on many sectors and activities.
A final question has yet to be answered: what would happen if a cyber attack were capable of totally disrupting a (critical) energy infrastructure?
Disclaimer: “The previous Italian version has been published on Quotidiano Energia on May 12 2021”