Colonial Pipeline ransomware attack (2021)
| Aspect | Details |
|---|---|
| Date | The threat actor gained access to the network on 29 April 2021.[1] Data was stolen on 6 May 2021.[2] Ransomware was deployed on 7 May 2021.[2] |
| Suspected actor | DarkSide[3] ransomware-as-a-service[4] cybercrime gang (also known as Gold Waterfall),[5] a private, for-profit, Russian-speaking group likely based in Eastern Europe[6] that, according to some analysts, is plausibly tolerated by the Russian government.[7] |
| Target | The Colonial Pipeline Company, a company based in Georgia, US[8] |
| Target systems | Business-side systems[9] |
| Method | The threat actor conducted a double-extortion attack: the Colonial Pipeline Company was threatened with the leakage of stolen data in addition to the data on its systems remaining encrypted unless a ransom was paid.[2] The threat actor initially gained access through a compromised virtual private network (VPN) account that allowed employees to access the company’s network remotely; it is unclear how the account credentials had been obtained.[1] The credentials alone sufficed to breach the network because multifactor authentication was not in use.[10] According to the company, ransomware was then deployed against its systems.[11] |
| Purpose | Data exfiltration for profit and ransom-seeking.[9] In a public statement, the threat actor described itself as an “apolitical” organisation and stated that “our goal is to make money”.[12] |
| Result | Nearly 100 gigabytes of data were stolen.[2] According to the company, its operational systems were unaffected by the attack.[13] However, the billing system was compromised.[14] As a precaution, the Colonial Pipeline Company shut down the entire pipeline,[15] which transports at least 2.5 million barrels of fuel daily.[10] Temporary gas shortages resulted throughout the South and East Coasts of the United States due to panic buying,[16] causing sudden hikes in gas prices[17] and unavailability of fuel at many gas stations across Georgia, North Carolina, South Carolina, Virginia, and Washington.[18] At the peak, 16,200 gas stations experienced outages.[18] Jet fuel prices also spiked[19] and up to seven airports suffered from reduced availability of fuel.[20] As a result, the governors of Georgia,[21] Louisiana,[22] North Carolina,[23] and Virginia[24] declared states of emergency. The Colonial Pipeline Company paid a ransom of 75 bitcoins (then equivalent to $4.4 million)[25] in exchange for a decryption key; 63.7 of those bitcoins (then equivalent to $2.3 million) were later recovered by US officials.[26] |
| Aftermath | After receiving the ransom, the threat actor provided the company with a decryption tool to restore its disabled network; however, the tool was reportedly so slow that the company ended up using its own backups to restore the system.[27] The Colonial Pipeline was restarted after six days, on 12 May 2021;[28] however, operations were not fully restored for at least several weeks thereafter.[29] It was expected that it would cost the company tens of millions of dollars and take several months to completely restore its systems.[28] Although he did not attribute the cyber-attack to the Russian state, US President Joe Biden asserted that Russia has “some responsibility to deal with this [incident].”[30] Russia has denied any involvement.[31] Russian President Vladimir Putin also denied knowledge of and involvement in the cyber-attack.[26] DarkSide accepted responsibility and expressed regret at “creating problems for society”.[32] DarkSide also stated that “We [will] introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”[33] In January 2022, Russia’s Federal Security Service arrested 14 alleged members of the REvil ransomware gang,[34] following direct requests from US authorities.[35] As affirmed by US officials, the individual allegedly responsible for the Colonial Pipeline attack was among those arrested.[36] He presumably joined REvil, which had allegedly carried out other major cyber operations, including against the US software provider Kaseya,[34] after DarkSide dissolved in mid-2021.[37] |
| Analysed in | Scenario 06: Cyber countermeasures against an enabling State |
Collected by: Darryl Chan
1. William Turton, Kartikay Mehrotra, ‘Hackers Breached Colonial Pipeline Using Compromised Password’, Bloomberg (4 June 2021)
2. Jordan Robertson, William Turton, ‘Colonial Hackers Stole Data Thursday Ahead of Shutdown’, Bloomberg (9 May 2021)
3. ‘FBI Statement on Compromise of Colonial Pipeline Networks’, Federal Bureau of Investigation (10 May 2021)
4. ‘Joint CISA-FBI Cybersecurity Advisory on DarkSide Ransomware’, Cybersecurity & Infrastructure Security Agency (11 May 2021)
5. ‘Gold Waterfall’, SecureWorks (undated, accessed 8 June 2021)
6. Dustin Volz, ‘U.S. Blames Criminal Group in Colonial Pipeline Hack’, Wall Street Journal (10 May 2021)
7. Nicolas Rivero, ‘Hacking collective DarkSide are state-sanctioned pirates’, Quartz (11 May 2021)
8. ‘Colonial Pipeline CEO paid ransom to swiftly restart pipeline – testimony’, Reuters (8 June 2021)
9. Charlie Osborne, ‘Colonial Pipeline attack: Everything you need to know’, ZDNet (13 May 2021)
10. Michael Novinson, ‘Colonial Pipeline Hacked Via Inactive Account Without MFA’, CRN (5 June 2021)
11. Marisa Peñaloza, ‘Ransomware Attack Shuts Down A Top U.S. Gasoline Pipeline’, NPR (9 May 2021)
12. Joseph Menn, Raphael Satter, ‘Pipeline hackers say their aim is cash, not chaos’, Reuters (10 May 2021)
13. Kim Lyons, ‘Colonial Pipeline says operations back to normal following ransomware attack’, The Verge (15 May 2021)
14. Natasha Bertrand, Evan Perez, Zachary Cohen, Geneva Sands, Josh Campbell, ‘Colonial Pipeline did pay ransom to hackers, sources now say’, CNN (13 May 2021)
15. Christopher Bing, Stephanie Kelly, ‘Cyber attack shuts down U.S. fuel pipeline “jugular,” Biden briefed’, Reuters (8 May 2021)
16. Clifford Krauss, Niraj Chokshi, David E. Sanger, ‘Gas Pipeline Hack Leads to Panic Buying in the Southeast’, The New York Times (12 May 2021)
17. Vanessa Romo, ‘Panic Drives Gas Shortages After Colonial Pipeline Ransomware Attack’, NPR (11 May 2021)
18. Stephanie Kelly, Laura Sanicola, ‘U.S. capital running out of gas, even as Colonial Pipeline recovers’, Reuters (14 May 2021)
19. Leslie Josephs, ‘New York jet fuel gets pricier due to Colonial Pipeline outage’, CNBC (12 May 2021)
20. Leslie Josephs, ‘Pipeline outage forces American Airlines to add stops to some long-haul flights, Southwest flies in fuel’, CNBC (10 May 2021)
21. ‘Carr: Kemp Declares State of Emergency due to Colonial Pipeline Cyber Incident, Invokes Price Gouging Statute’, Office of the Attorney-General of the State of Georgia (11 May 2021)
22. ‘PROCLAMATION NUMBER JBE 2021-84’, State of Louisiana (12 May 2021)
23. ‘EXECUTIVE ORDER NO. 213’, State of North Carolina (10 May 2021)
24. ‘Executive Order NUMBER SEVENTY-EIGHT (2021)’, Office of the Governor of the Commonwealth of Virginia (11 May 2021)
25. Ian Carlos Campbell, ‘Colonial Pipeline CEO confirms company paid $4.4 million ransom it wasn’t supposed to pay’, The Verge (19 May 2021)
26. Chris Strohm, Alyza Sebenius, ‘Colonial Pipeline’s Bitcoin Ransom Mostly Recouped by U.S.’, Bloomberg (8 June 2021)
27. William Turton, Michael Riley, Jennifer Jacobs, ‘Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom’, Bloomberg (13 May 2021)
28. Sara Morrison, ‘How a major oil pipeline got held for ransom’, Vox (19 May 2021)
29. Mary Louise Kelly, ‘The Colonial Pipeline CEO Explains The Decision To Pay Hackers A $4.4 Million Ransom’, NPR (3 June 2021)
30. ‘Biden Says Russia Has “Some Responsibility” In Pipeline Ransomware Attack’, Radio Free Europe (10 May 2021)
31. ‘Russia has nothing to do with cyberattack on Colonial Pipeline – Kremlin’, TASS (11 May 2021)
32. Mary-Ann Russon, ‘US fuel pipeline hackers “didn’t mean to create problems”’, BBC (10 May 2021)
33. Charlie Osborne, ‘DarkSide explained: The ransomware group responsible for Colonial Pipeline attack’, ZDNet (14 May 2021)
34. Robyn Dixon, Ellen Nakashima, ‘Russia arrests 14 alleged members of REvil ransomware gang, including hacker U.S. says conducted Colonial Pipeline attack’, Washington Post (14 January 2022)
35. Sean Lyngaas, ‘US officials believe Russia arrested hacker responsible for Colonial Pipeline attack’, CNN (14 January 2022)
36. ‘US “welcomes” Russian arrests of REvil ransomware gang’, DW (15 January 2022); Pierluigi Paganini, ‘One of the REvil members arrested by FSB was behind Colonial Pipeline attack’, Security Affairs (15 January 2022)
37. Rachel Lerman, Ellen Nakashima, Drew Harwell, ‘DarkSide group that attacked Colonial Pipeline drops from sight online’, Washington Post (14 May 2021)