We, cybersecurity professionals, need to understand what happened in the Colonial Pipeline ransomware attack. Though internal details are not public, based upon what little we know from the media, let’s try to put ourselves in the shoes of the cybersecurity professionals who had to respond to this attack.
Why Colonial Pipeline
Founded in 1962 and headquartered in Alpharetta, Georgia, privately-held Colonial Pipeline is one of the largest pipeline operators in the United States and provides roughly 45% of the East Coast's fuel, including gasoline, diesel, home heating oil, jet fuel, and military supplies. The company says that it transports over 100 million gallons of fuel daily across an area spanning Texas to New York. Being such an integral part of critical infrastructure, we can imagine why criminals looking for ransom, would want to target it.
What happened: Timeline
Throughout the week of May 10, 2021, headlines thrived on the havoc a ransomware attack against Colonial Pipelines wrought across the United States. As people rushed to gas stations, some filling plastic bags with gasoline, the federal government declared a state of emergency in 17 states and DC.
- Thursday, May 6: The hackers gained access to the Colonial Pipeline’s networks and started installing the malware across all the systems.
- Friday, May 7: Colonial pipeline found out about the attack and immediately notified government authorities. To prevent additional systems from getting infected, Colonial took certain systems offline.
- Later that day, Colonial hired the cybersecurity company FireEye to help mitigate the attack.
- Saturday. May 8: Colonial reported that in addition to ransomware, the criminal group also stole approximately 100 GB of data from company servers, and that all 4 major pipelines will remain offline until further notice.
- Sunday, May 9: President Joe Biden declared a state of emergency in the affected states.
- Monday, May 10: FBI confirmed that it was in fact a criminal act by a notorious apolitical hacker group “Darkside” using their own inhouse brand of ransomware.
- Tuesday, May 11: The fuel shortage is now so bad in such a short span of time that oil traders had begun the arrangements to have fuel shipped over from Europe on Tankers.
- Wednesday, May 12: Colonial pipelines revealed that they had delivered 967,000 barrels of fuel equal to approximately 41,000,000 gallons to various major delivery points along their pipeline routes since the 4 major pipelines have been offline.
At this point, the pipelines have been halted for 5 days now with the US East coast losing over 1.2 million barrels of gasoline supply per day.
- On May 13, Bloomberg reported that the company paid a ransom demand of close to $5 million in return for a decryption key.
Who/What is DarkSide
“DarkSide actors” or the “DarkSide group” refers to the cybercriminals deploying the ransomware and targeting organizations through phishing attacks or exploiting remotely accessible accounts, systems, and Virtual Desktop Infrastructures.
DarkSide is a type of Ransomware-as-a-Service (RaaS), not a group of attackers. According to the joint Cybersecurity and Infrastructure Security Agency (CISA) and FBI release, the RaaS developers receive a share of proceeds whenever a cybercriminal group deploys it.
Interestingly, the DarkSide actors engage in these exploits purely for commercial purposes. Unlike nation-state actors, they have no geopolitical agenda. Additionally, nation-state actors, aware of the threat of retaliation and the vulnerability of critical infrastructure, typically do not execute attacks against energy resources of other nations. Darkside, as a purely commercial enterprise, does not have that standard – though they do publicly state that they have a code of conduct prohibiting attacks on hospitals and schools. In fact, they have attempted to donate money to charities on several occasions.
How the DarkSide Ransomware Works
From a high level, DarkSide actors leverage an initial compromise stage where they gain access to a device, masquerading as a legitimate user so that they can install the malicious code on the compromised endpoint. Then, they escalate privileges to gain access to sensitive information. Finally, they encrypt business-critical processes, request a ransom, show “proof of life” over the exfiltrated data, and decrypt everything only after the target pays them.
It is not yet publicly known how this attack specifically was perpetrated (technically speaking), however, researchers have, time to time, tried to form a modus operandi of all the known attacks by Darkside.
Here is the modus operandi of a ransomware attack by Darkside.
The first step in any DarkSide attack is gaining access to the organization’s systems and networks. Research (https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware) indicates that cybercriminals did this in three ways:
- Brute force password attack
- Phishing attacks with malicious links
- CVE-2021-20016, a SQL-injection vulnerability against an organization’s Virtual Private Network (VPN) infrastructure ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20016 )
Recent emails used to deliver the DarkSide ransomware included:
- Malicious Google Drive links containing an LNK downloader
- Dropbox links with ZIP archives that downloaded the backdoor
DarkSide could have bought account login details for remote desktop software such as TeamViewer and Microsoft Remote Desktop. According to researchers, it is possible for anyone to look up the login portals for computers connected to the internet on search engines like Shodan, and then "have-a-go" hackers just keep trying usernames and passwords until they get some to work.
To date, researchers have found three unique sets of tactics, techniques, and procedures (TTPs). The attackers establish persistence in systems and networks by:
- Using a command and control (CS) infrastructure
- Downloading and using TeamViewer
- Using a backdoor that supports keylogging, taking screenshots, and executing .NET commands
Threat actors using the backdoor delivered and executed the code when users clicked on the malicious links in phishing emails.
Once inside the target’s systems, the attackers check the operating system language. Interestingly, the malware only installs on non-Russian devices.
Installing the DarkSide Ransomware
Now that they have administrative, privileged access, the attackers use PowerShell.exe and CertUtil.exe to download and execute the DarkSide code. They also save a copy of the malware to the compromised device.
All three types of threat actors escalate privileges to install the ransomware. They do this using:
- CVE-2020-1472: a vulnerability using Netlogon Remote Protocol (MS-NRPC) that allows them to run an application on a network device ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472 )
- Mimikatz: a credential harvesting application
- Local Security Authority Subsystem Service (LSASS) process memory dumps: memory files containing domain, local usernames, and passwords
Encrypting Files and Exfiltrating Data
Having downloaded the malicious code and gained privileged access, the threat actors start collecting sensitive information and files.
After collecting the information that they want to hold for ransom, the attackers begin encrypting data by using ransomware copy stored in the shared folder on the initial device. This allows them to create a scheduled task for spreading the malicious code throughout the target organization’s systems.
Additionally, the DarkSide code stops, deletes, or terminates processes that the organization needs to use.
Examples of services and processes impacted include:
- MS Access
- One Note
After encrypting data, the DarkSide ransomware then sends the ransomware note to the impacted directories.
The hackers behind Colonial Pipeline attack reportedly received $90 million in bitcoin before shutting down. That is mind boggling. The amount of small and large businesses that are falling victim to this. It's becoming a big problem for the economy globally. Only time will tell if the companies and organizations (even the governments) are able to strengthen their cybersecurity to a level of security which can not be compromised even by the state actors. If not, it would not be surprising to see even the governments fall under the mercy of such organizations.