Washington, D.C., May 12, 2021 — This week’s ransomware episode involving Colonial Pipeline has exposed deep cracks in America’s digital armor. However, lost in the flurry of calls for swift action to avoid future damage is the fact that such attacks have been predicted for some time, as a sampling of government records posted today by the National Security Archive shows.
In response to the Colonial Pipeline event attributed to the ransomware group DarkSide, the Biden Administration has announced an all-of-government effort to mitigate potential energy supply disruptions. On top of temporary actions to relieve fuel shortages, agencies such as the FBI and CISA have released advisory documents to “help [critical infrastructure] owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware.”
In addition, President Biden today signed an Executive Order designed broadly to “improve the nation’s cybersecurity,” although experts are already questioning whether the anticipated measures could have prevented any of the recent serious cyber events such as SolarWinds or Colonial Pipeline.
The documents compiled today by the Cyber Vault Project give a glimpse of the threat that ransomware and malicious cyber actors, even those without geopolitical aspirations, have long posed to America’s critical infrastructure. The National Security Archive will post additional materials as events continue to unfold.
* * * * *
This is Not a Drill: Ransoming American Security
By Cristin J. Monahan
The ransomware-incited shutdown of Colonial Pipeline is just the latest incident keeping cyber issues at the forefront of the Biden Administration’s first four months. On Saturday, May 8, Colonial Pipeline, a major conduit for fuel delivery for much of the East Coast, announced that it had been the victim of a ransomware attack, and had temporarily shut down all pipeline operations as a precautionary measure.
Concerns over fuel shortages led the Department of Transportation’s Federal Motor Carrier Safety Administration (FMCSA) to post a Regional Emergency Declaration (Document 1) for states spanning from Texas to New York. The declaration suspends hours of service regulations for “motor carriers and drivers providing direct assistance to the emergency in the Affected States in direct support of relief efforts related to the shortages of gasoline, diesel, jet fuel, and other refined petroleum products due to the shutdown.”
Similarly, the Environmental Protection Agency (EPA) issued a fuel waiver (Document 2) “to address the fuel supply emergency caused by a cyberattack on Colonial Pipeline’s computer networks.” The waiver temporarily suspends gasoline volatility regulations in Pennsylvania, Maryland, Virginia and the District of Columbia. The Biden Administration released a fact sheet (Document 3) on the Colonial Pipeline incident, highlighting the aforementioned efforts, as well as others, “focused on avoiding potential energy supply disruptions to impacted communities, the U.S. military, and other facilities reliant on gasoline, diesel, jet fuel and other refined petroleum products.”
Colonial Pipeline’s public updates have referenced their ongoing communications with law enforcement and federal agencies, “including the Department of Energy who is leading the Federal Government response.” At the time of writing, the Department of Energy has yet to release a statement on the incident. However, in a statement (Document 4) from the Federal Energy Regulatory Commission (FERC), Chairman Richard Glick and Commissioner Allison Clements call for a review and application of mandatory cybersecurity standards for the nation’s pipelines. The chair and commissioner note that unlike the bulk electric system, “there are no comparable mandatory standards for the nearly 3 million miles of natural gas, oil, and hazardous liquid pipelines that traverse the United States.”
On May 10, the FBI released a tersely worded statement confirming that “the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks.” A day later, in a Joint Cybersecurity Advisory with the Cybersecurity and Infrastructure Security Agency (CISA) entitled “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks” (Document 5), the FBI notes, “DarkSide actors have been targeting multiple large, high-revenue organizations … [the] group has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments” (p. 2).
In a recent post on DarkSide’s blog page (accessible via Tor browser), the group seems to claim responsibility for the Colonial attack, but also denies any motivations other than monetary. The post notes, “We [DarkSide] are apolitical… Our goal is to make money, and not creating problems for society.”
According to an assessment by Cybereason, DarkSide malware first appeared in August 2020, and the group follows a “ransomware-as-a-service” (RaaS) business model. The group seems to target victims in English-speaking nations. Notably, the malware does not encrypt data on systems with languages found in the former Soviet Bloc (Russian, Ukrainian, Kazakh, etc.), suggesting DarkSide has Russian origins.
While the attack does not appear to be politically motivated, it may still have geopolitical consequences. Although President Biden confirmed that American intelligence does not suggest that the Kremlin was involved in the attack, he noted “there's evidence that the actors' ransomware is in Russia – they [Moscow] have some responsibility to deal with this.”
The attack comes after a year of increasingly frequent ransomware events, with increasingly worrying targets. In February 2020, CISA released an alert titled “Ransomware Impacting Pipeline Operations” (Document 6), reviewing an instance in which “CISA responded to a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility.” The alert notes that a lack of robust segmentation between the facility’s information technology (IT) and OT networks allowed the actor to disable assets and capabilities on both systems. However, all OT assets directly impacted by the attack were limited to a single geographic facility. While Colonial Pipeline’s infection was limited to its IT networks, the company “proactively took certain systems offline to contain the threat, which…temporarily halted all pipeline operations.” Unlike the 2020 case cited by CISA, the sheer size, volume and scope of the Colonial Pipeline have led to both regional and national impact.
Despite the recent focus on pipeline cybersecurity vulnerabilities, federal agencies have sounded the alarm about threat actors targeting different but equally critical sectors. In September 2020, CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint “Ransomware Guide” (Document 7), comprised of recommendations and operational insights from the author agencies. The document provided a list of “Ransomware Prevention Best Practices,” as well as a “Ransomware Response Checklist,” and advised IT practitioners that “engaging with your ISAC, ISAO, and with CISA will enable your organization to receive critical information and access to services to better manage the risk posed by ransomware and other cyber threats” (p. 2).
That same month, Universal Health Services, one of the largest healthcare providers in the U.S., was impacted by a Ryuk ransomware attack that left hospitals across the nation unable to access critical systems for weeks during the COVID-19 pandemic. In January 2021, the Department of Justice announced “a coordinated international law enforcement action to disrupt a sophisticated form of ransomware known as NetWalker.” The announcement (Document 8) asserted that, with other international partners, the DOJ was “striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims.” The action included charges against a Canadian national in relation to NetWalker activities, as well as the recovery of almost $500,000 in ransom payments, although the NetWalker scheme allegedly pilfered tens of millions of dollars from its victims.
In addition to the documents referenced above, the Cyber Vault has included additional relevant documents below. As the Colonial Pipeline situation continues to evolve, we will provide relevant updates as well as future postings relating to ransomware and other cybersecurity issues.
READ THE DOCUMENTS
Document 1
Federal Motor Carrier Safety Administration
This emergency declaration suspends certain motor carrier safety regulations in order to mitigate potential fuel shortages caused by the Colonial Pipeline ransomware attack.
Document 2
Politico
To ameliorate possible fuel shortages caused by the Colonial Pipeline ransomware attack, this emergency fuel waiver suspends certain reformulated gasoline standards in Pennsylvania, Maryland, Virginia and the District of Columbia.
Document 3
The White House
This fact sheet, released by the Biden administration four days after the initial disclosure of the Colonial Pipeline incident, describes the all-of-government effort to limit the attack's impact on American fuel access.
Document 4
Federal Energy Regulatory Commission
In this statement, FERC Chairman Glick and Commissioner Clements call for mandatory cybersecurity standards for the nation's pipelines, similar to those that regulate U.S. bulk electricity systems.
Document 5
Federal Bureau of Investigation
This press release from the FBI confirms the DarkSide group as the actor responsible for the Colonial Pipeline ransomware attack.
Document 6
Cybersecurity & Infrastructure Security Agency
This joint advisory from CISA and the FBI provides best practices for preventing business and service disruption from DarkSide ransomware.
Document 7
Cybersecurity & Infrastructure Security Agency
This CISA alert provides a case study and lessons learned from a "cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility."
Document 8
Cybersecurity & Infrastructure Security Agency
In this joint publication from CISA and MS-ISAC, the authors provide checklists for ransomware prevention best practices, as well as ransomware response.
Document 9
Department of Justice
This press release from the Department of Justice details an international operation to disrupt the "NetWalker" ransomware scheme.
RELATED DOCUMENTS
Document 10
Institute for Security and Technology
Document 11
The National Register
Document 12
National Institute of Standards and Technology
Document 13
Government Accountability Office
Document 14
Department of Energy