Colonial Pipeline was the victim of a ransomware attack, initially identified on May 7th, that forced it to take critical services offline. This attack led to gas shortages in seven states and an uptick in gas prices. While it is not the first attack on critical infrastructure, it may be one of the largest and most impactful. Nevertheless, Colonial Pipeline reported on May 17th that it had returned to full operation.
On Wednesday, 5/19/21, Colonial Pipeline admitted that they paid the $4.4M extortion fee to regain control of their systems. Considering the scope and downstream effects of the attack, this fee may have been on the smaller side. For comparison, CNA Financial recently paid $40M to hackers when they were targeted with ransomware back in March, according to reports.
The criminal gang reportedly responsible for the attack against Colonial Pipeline is known as DarkSide, which has been making quite the name for itself in the past year, reportedly collecting over $90M in ransomware payments in the last 9 months. However, the organization might not have much more time to enjoy its payouts. According to Hacker News, DarkSide has gone dark: all of its servers and services have gone offline after a reported law enforcement seizure. Some speculate that this is simply a ploy to avoid investigations after the highly publicized Colonial Pipeline attack, and that we will see DarkSide again, perhaps under a different name. Either way, the organization has certainly proven that ransomware is a lucrative business, and other groups will soon fill whatever void it leaves behind. It is therefore crucial for businesses to plan for and mitigate the risk of ransomware against their organizations, a topic we covered in a previous post.
Federal Policy Changes
As anyone who has ever worked in government knows, the federal government tends to move very slowly in making changes. Therefore, it is safe to assume that the policy changes published on May 12, 2021, have been in the works for some time. Nevertheless, it is certainly no coincidence that these updates were pushed through immediately after the Colonial Pipeline attack.
The full White House briefing can be reviewed here. Fortunately, the White House also provided a summary fact sheet. To summarize the summary, President Biden’s executive order dictates that the federal government will:
Remove Barriers to Threat Information Sharing Between Government and the Private Sector
Modernize and Implement Stronger Cybersecurity Standards in the Federal Government
Improve Software Supply Chain Security
Establish a Cybersecurity Safety Review Board
Create a Standard Playbook for Responding to Cyber Incidents
Improve Detection of Cybersecurity Incidents on Federal Government Networks
Improve Investigative and Remediation Capabilities
Even the greatest of plans can get hung up on the details, so we will be keeping tabs on how these policies are implemented in practice over the coming months and years. For companies in the private sector, these new policies will only be directly relevant if you do business with the federal government.
While Colonial Pipeline stole the majority of headlines, numerous other companies have been targeted with ransomware recently as well:
A global insurance company, AXA, was hit with ransomware that may have also exfiltrated data. According to the Avaddon ransomware group’s leak website, 3 TB of sensitive data was stolen from AXA’s Asian branches.
Toshiba Tec Group was attacked with ransomware at its European subsidiaries. At this time, limited information is available and it is still unclear whether data was exfiltrated or not.
While most ransomware victims tend to limit their exposure and minimize the amount of information shared, Norwegian technology company Volue is bucking that trend, paradoxically earning glowing praise from the security community. Many argue that Volue’s transparency inspires more confidence in the company and its security than the usual response of covering one’s tracks would have. We will see whether more companies adopt this approach, especially after the new federal policies around information sharing.
Finally, as reported by Dark Reading, the attack known as “credential stuffing” is on the rise, with over 193 billion failed login attempts against websites in 2020. Credential stuffing occurs when attackers replay breached or disclosed credentials against other sites and services. The attack relies on the safe assumption that users often reuse passwords across multiple accounts. This is why compliance requirements always recommend unique passwords for all services and regular rotation of existing passwords. Fortunately, security researchers and professionals have also created services to help businesses defend themselves against these attacks. One example is Troy Hunt’s haveibeenpwned.com, which allows users to check whether their own credentials have been disclosed in data breaches and lets organizations safely monitor accounts across their entire domain space.
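Because credential stuffing replays one breached username/password pair after another, it leaves a distinctive shape in authentication logs: a single source hitting many different accounts, each tried only once or twice, rather than one account hammered with many guesses. The following added example (not from the post or from haveibeenpwned.com) applies that heuristic to a constructed log sample; the log format, field names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the page), one event per line.
SAMPLE_LOG = """\
2021-05-18T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2021-05-18T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2021-05-18T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2021-05-18T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2021-05-18T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2021-05-18T10:00:06Z src=203.0.113.7 user=grace result=OK
2021-05-18T10:01:00Z src=198.51.100.5 user=henry result=FAIL
2021-05-18T10:01:07Z src=198.51.100.5 user=henry result=FAIL
2021-05-18T10:01:15Z src=198.51.100.5 user=henry result=OK
2021-05-18T10:02:00Z src=192.0.2.9 user=admin result=FAIL
2021-05-18T10:02:01Z src=192.0.2.9 user=admin result=FAIL
2021-05-18T10:02:02Z src=192.0.2.9 user=admin result=FAIL
2021-05-18T10:02:03Z src=192.0.2.9 user=admin result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def find_stuffing_sources(log_text, min_attempts=5, min_distinct_users=4, max_per_user=2.0):
    """Return {ip: (attempts, distinct_users, [accounts that logged in])} for sources
    whose pattern looks like credential stuffing: many distinct usernames, each tried
    only once or twice (replayed breach pairs). Password brute force (one username,
    many guesses) and a user mistyping their own password do not match this shape."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in an unexpected format
        _ts, ip, user, result = m.groups()
        rec = per_ip[ip]
        rec["attempts"] += 1
        rec["users"].add(user)
        if result == "OK":
            rec["ok"].add(user)  # a success from a stuffing source = likely account takeover
    flagged = {}
    for ip, rec in per_ip.items():
        n_users = len(rec["users"])
        if (rec["attempts"] >= min_attempts and n_users >= min_distinct_users
                and rec["attempts"] / n_users <= max_per_user):
            flagged[ip] = (rec["attempts"], n_users, sorted(rec["ok"]))
    return flagged

if __name__ == "__main__":
    for ip, (attempts, users, taken_over) in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {attempts} attempts across {users} accounts; successful logins: {taken_over}")
```

Accounts listed under successful logins from a flagged source are the ones to force a password reset on; the legitimate retry from 198.51.100.5 and the single-account brute force from 192.0.2.9 are deliberately not flagged by this rule.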