Since last Thursday, May 7, the east coast of the United States has experienced an unprecedented situation. A ransomware attack has shut down the Colonial Pipeline company’s main oil pipeline.
This attack has affected one of the most critical infrastructures in the country, through which 45% of all the fuel consumed on the east coast is transported: about 2.5 million barrels of gasoline, diesel and kerosene – the pipeline serves 7 airports in 14 states – as well as fuel for domestic heating. The situation has led to an increase in fuel prices: the average price rose to more than $3 per gallon, the highest since 2014, and queues formed at most of the affected supply points.
How did the attack occur? The 7 days that put the system in check
Last Thursday, May 6, 2021, in just two hours the group stole 100 gigabytes of data from Colonial Pipeline via a ransomware attack.
On Tuesday, Colonial Pipeline shut down operations to prevent the ransomware from spreading. Service on more than 8,000 km of pipeline is interrupted.
Contradicting reports that it would not pay the ransom, the company decides to transfer $5 million in cryptocurrency to the hackers, a fact that would not become known until last Monday, May 13. (Source: Bloomberg).
Despite having the decryption keys, the tool provided by the hackers to unlock the systems is so slow that the company continues to rely on backups to help restore service.
Three days later, the company reports that it is still devising a plan to reopen the pipelines. It manages to reopen secondary lines between terminals and delivery points, although its four main supply lines remain closed.
On May 10, various government agencies (including the FBI, CISA and NSA) assist the company and manage to take down key servers operated by the hackers. This makes it possible to cut off the flow of stolen information to the hackers.
The FBI confirmed the attribution: the Darkside hacker group.
A highly organized group of hackers with a totally innovative model
According to the FBI, the attack was carried out by the Russian hacker group Darkside, a group specializing in attacks on critical infrastructure. In the statements it has made public, the group describes itself as an “apolitical group”, although its clear objective is to keep collecting ransoms.
Its highly professionalized structure is based on recruiting new “partners” in forums through an affiliate program: the group offers them its software to carry out attacks and then shares the proceeds with them. In this way, partners receive between 15–25% of the total sum of each ransom (although some sources indicate that it can reach 75%, depending on the importance of the attack).
With this model, the group has continued to refine its cyberattacks, financing its operations through its partners and consolidating what we could already call the cyberattack industry.
What measures are advisable to prevent such a ransomware attack on critical infrastructures?
1. SECURE THE WEAK LINK: USERS
• We cannot forget that, in most cyberattacks, users have been involved in one way or another. That is why it is important to carry out a social engineering audit and cybersecurity training.
Knowing users’ degree of cybersecurity awareness and maturity is vital in order to prepare specific training plans.
✓ At SOFISTIC we offer audit services in social engineering and different types of cybersecurity training. Contact us for more information.
2. PROTECT ENDPOINTS IN AN ADVANCED WAY
• The best way to protect your devices is with a next-generation antivirus that provides a level of protection covering even attacks that are not yet known. To do this, the antivirus must analyze whether processes are legitimate or not (including by analyzing their behavior) rather than relying on a single knowledge base. This approach turns out to be much more effective and agile in fighting what are known as zero-day attacks.
✓ At SOFISTIC we help our customers secure Microsoft 365 and also implement solutions such as CrowdStrike, an advanced antivirus with Artificial Intelligence that applies combined protection, based on user behavior and on detection using malware signatures.
3. DETECT ANY VULNERABILITIES
• It is important to carry out internal and external penetration tests. In these tests, in a similar way to how a cybercriminal acts, we try to obtain as much information as possible about the computers and exploit the vulnerabilities found to gain access to the company’s systems.
✓ SOFISTIC offers internal and external pentest services as a first step in vulnerability detection. These tests also identify immediate threats, configuration defects, backdoors and dangerous configurations.
4. CONTROL THE TECHNOLOGICAL PERIMETER BY RESPONDING IN SECONDS
• As companies grow, it becomes more difficult to control the network infrastructure and all the devices connected to it. Only advanced systems equipped with Artificial Intelligence, machine learning and the ability to respond autonomously will allow us to control and minimize the risks we encounter in our network.
✓ At SOFISTIC we are specialists in the implementation of Darktrace, a threat detection system that acts in seconds on any threat that may occur on the network, even those that are yet to be discovered.
5. ESTABLISH MONITORING AND AN INCIDENT RESPONSE PLAN
• Given the company’s criticality, it is vitally important to have the services of a security operations center (Atlantis SOC) offering monitoring and an incident response service of up to 24×7, with specialists ready to solve any problem.
✓ At SOFISTIC we have a continuous-service SOC distributed between Panama and Spain, which provides greater efficiency by avoiding low-productivity night shifts. The distribution across two locations minimizes all kinds of risks, such as meteorological risks, massive attacks, catastrophes at specific points, etc. Additionally, it provides close contact with the CSIRTs / CERTs relevant to the location of the incident.
6. EXPAND THE SECURITY MESH, EVEN OUTSIDE THE COMPANY
• In line with the latest cybersecurity trends, the aim is to protect all devices that interact with the organization and through which the organization’s data is accessed, including all of them within the company’s cybersecurity mesh so that no interaction goes unprotected. Devices that are often left out of this security mesh are mobile phones, which are used to access company mail and even to view sensitive information.
✓ With this in mind, SOFISTIC has developed UareSAFE, an app that protects mobile devices by analyzing the most common risks on each OS: malware on Android and unsafe settings on iOS.
Other attacks on critical infrastructure:
🏭 February 2021: Attack on Florida water treatment plant
The company reported that some computers in the plant, which ran an outdated version of Windows 7, were compromised by a hacker team that was also able to access the systems by compromising the passwords that staff used in applications such as TeamViewer. The hackers had access to the water treatment system, which could have led to a more far-reaching security incident.
🏭 August 2017: Attack on Saudi Petro Rabigh’s Petrochemical Plant
On August 4, two emergency shutdown systems prevented the release of toxic hydrogen sulfide gas that would have occurred because of malware known as Triton, which disabled key control systems of the company. Far from seeking financial gain, the investigation showed that the attack sought to cause an explosion at the plant, which did not occur due to an error in the malware’s code. (Source: NY Times).
☢️ September 2010: Stuxnet worm attack on nuclear facilities in Iran
This worm attacked industrial SCADA control systems by exploiting a number of vulnerabilities in Siemens systems. While the Iranian authorities played down its importance, the virus affected 1,000 machines (mostly centrifuges) at the Natanz nuclear power plant. The attack was delivered via an infected USB stick and managed to reprogram the machines to destroy themselves.