The Colonial Pipeline hack was not the first domino to fall in a world-ending spate of sudden attacks on America’s critical infrastructure, according to several cybersecurity experts.

It was more likely the product of sloppy internal security practices and a textbook hack-and-pay gone wrong.

The FBI says that DarkSide, a group relatively new to the ransomware scene, is behind the attack. Signs point to this being a case of a bungled extortion plot, rather than the coordinated work of hackers intent on compromising America’s energy grid.

Whatever the motivation, the impact was real.

The federal government issued an emergency declaration for 17 states and D.C. after the country’s largest fuel pipeline went down. Gasoline price hikes and shortages were reported across the U.S., though the supply crunch likely has more to do with panic buyers heading to the pump than with the attack itself. Colonial paid nearly $5 million as a ransom to unlock its systems.

While the episode has laid bare how vulnerable America’s critical infrastructure is to cybercriminals, it does not mean we’re suddenly facing a new risk of widespread shutdowns. Ransomware attacks like this are common, but they typically don’t aim to knock infrastructure offline. It appears that DarkSide, like most attackers, was motivated by financial gain rather than by a desire to compromise America’s supply of gas.

Meanwhile, the attack drew new government attention to the surge in ransomware attacks and spurred the Biden administration to sign an executive order Wednesday aimed at strengthening its cyber defenses.

“Depending on the U.S. government response to [the Colonial Pipeline attack], it could really make other groups say, ‘Hey, we’re not going to target these sectors at all,’” said Rick Holland, chief information security officer at Digital Shadows, a cyber threat intelligence company.

A common attack
While the effects of this attack were dire, the type of attack was not new or unique in any way. In fact, ransomware attacks – where criminals install software that freezes or locks computer systems until a company pays them a ransom, usually in bitcoin or another cryptocurrency – happen all the time.

“Everyone is reporting on this ransomware attack because it affects the networks involving an oil pipeline,” said Katie Nickels, the director of intelligence at the cybersecurity firm Red Canary.

“The thing that is interesting for myself and a lot of other cybersecurity professionals is that these ransomware attacks have been going on for years. And it seems like this one, just because it involved critical infrastructure in the U.S., has struck a particular nerve,” continued Nickels.

In the last year and a half in particular, there has been a rapid uptick in these types of attacks, explained former CIA case officer Peter Marta, who now advises companies about cyber risk management as a partner with law firm Hogan Lovells.

The Colonial Pipeline attack is no cause for panic – here’s why