US pipeline hack exposes major vulnerabilities
Tom Uren, The Strategist, 27 May 2021

Almost inadvertently, US energy security has been threatened by a ransomware attack that demonstrated dramatically how the consequences of such hacks are escalating.

This one probably won’t be the worst, but it will change the way governments respond to ransomware.

Colonial Pipeline carries gasoline, diesel and jet fuel from Houston to New York, with an array of branch lines servicing states across the eastern seaboard of the US. On Saturday 8 May Colonial announced that it had been the victim of a ransomware attack and that, to contain the threat, it ‘proactively took certain systems offline’, which ‘temporarily halted all pipeline operations’.

In a sense, that highlights critical infrastructure’s vulnerability: the halt to pipeline operations was entirely unintended by those who carried out the ransomware attack, and the operational disruption was ‘collateral damage’.

The hackers did not target the pipeline’s industrial control systems to deliberately stop the flow of oil; Colonial itself shut down systems to prevent the malware from spreading further. The disruption would likely have been far worse had the group intended to disrupt the pipeline.

As the shutdown continued over several days, petrol prices surged, service station queues lengthened, customers hoarded fuel as pumps ran dry and the US Consumer Product Safety Commission warned people to ‘not fill plastic bags with gasoline’. The US Department of Transport temporarily loosened road transport rules to allow more road-based shipment of fuel as concern over shortages escalated within government.

[Figure: Map of the Colonial Pipeline network.]

By Monday 10 May, the FBI announced that DarkSide ransomware was responsible for the Colonial hack.

DarkSide operates on a ‘ransomware as a service’ business model, providing centralised services that its ‘affiliates’ use to extort money from victim organisations. The affiliates conduct the operations, but DarkSide receives a 10–25% cut of the ransom. Services fundamental to running ransomware operations include payment servers, encryption and decryption tools to lock and unlock victim data, and a blog to claim responsibility, advertise hacks and pressure companies.

But beyond ransomware, DarkSide affiliates also steal data and threaten to leak it. Because victims with good backups may still be motivated by the threat of sensitive data being leaked, this second method of extortion is increasingly common among ransomware gangs. In these instances, DarkSide would collect and store victim data on staging servers.

Other services were even more innovative. It appears that DarkSide was also willing to let paying customers know when it had hacked publicly listed companies ahead of its blog announcements, presumably so they could short-sell the stock ahead of the news of a ransomware attack.

While it was developing a portfolio of extortion tools and tactics, DarkSide was also attempting to manage its reputation to avoid attracting law enforcement attention. It stated that it would not attack medical facilities, schools and universities, non-profits, governments or the funeral sector.

There’s good evidence that the criminals are Russian: they recruit Russian-speaking affiliates and advertise on Russian-language forums, they don’t attack the former Soviet republics of the Commonwealth of Independent States, and their malware won’t attack devices with Russian language settings.

In the aftermath of the Colonial Pipeline hack, DarkSide issued a statement saying:

‘We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.’

In part this seems to be an attempt to distance DarkSide from the Russian government. Parts of Eastern Europe and Russia are a permissive environment in which cyber criminals are tolerated, but if gangs start to cause geopolitical problems, local law enforcement could suddenly become motivated to act.

And diplomatic pressure is being applied. US President Joe Biden said that although he didn’t believe the Russian government was involved, the criminals were Russian. ‘We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks,’ Biden said.

Within a day of discovering the attack, the CEO of Colonial Pipeline had decided to pay the ransom, saying later that ‘it was the right thing to do for the country’. The pipeline returned to full operation within the week, although the decryption tool was reportedly so slow that Colonial continued to restore from backups.

Paying ransoms is clearly undesirable from a public policy point of view—it encourages further ransomware attacks and funds the evolution of the ransomware ecosystem. Yet at the same time, ransom negotiations will settle on a price at which the cost–benefit of paying can be justified, and there are many situations where payment is clearly in the best interests of stakeholders.

But cyber insurance should not be used to pay ransoms. Unlike many other types of insurance, cyber insurance deals with a human adversary, and the threat is rapidly evolving. Current practice is a vicious circle in which insurance payouts encourage and fund improved ransomware, which in turn extracts more insurance payouts. Perversely, ransomware hackers will search for their victims’ insurance policies and then use the insured amount to set ransom demands.

In total, DarkSide appears to have extracted at least US$90 million in ransoms since August, and more than US$9 million in the month of May alone. That was made up of US$4.4 million from a chemical distribution company and US$5 million from Colonial Pipeline. With increasing attention—Biden said the US would ‘pursue a measure to disrupt their ability to operate’—the sum seems to have been enough for the hackers.

The day after Biden’s statement, the DarkSide hackers said they’d lost access to their infrastructure, including their blog and payment servers, and would be shutting down their service. Lightning-fast US retaliatory action seems unlikely given the time required to prepare a cyber operation, and the DarkSide crew may simply have taken the money instead of paying their affiliates.

In the short term, DarkSide may have disappeared, but given the sheer volume of money available, other criminals will fill the void. Beyond improving defences, this story also shows that a promising approach is to focus on the ransomware ecosystem and its incentives.

DarkSide and similar groups actively try to avoid law enforcement attention and minimise associations with the state in which they operate. Western nations need to align diplomatic, intelligence and law enforcement efforts to make it much harder for ransomware crews to operate with impunity.
