Attempting to Understand how Colonial Pipeline Attack was perpetrated

Posted by Sourav Ravish
Sourav Ravish

We, cybersecurity professionals, need to understand what happened in the Colonial Pipeline ransomware attack. Though internal details are not public, based upon what little we know from the media, let’s try to put ourselves in the shoes of the cybersecurity professionals who had to respond to this attack.

colonial-pipeline-system-map

Why Colonial Pipeline

Founded in 1962 and headquartered in Alpharetta, Georgia, privately-held Colonial Pipeline is one of the largest pipeline operators in the United States and provides roughly 45% of the East Coast's fuel, including gasoline, diesel, home heating oil, jet fuel, and military supplies. The company says that it transports over 100 million gallons of fuel daily across an area spanning Texas to New York. Being such an integral part of critical infrastructure, we can imagine why criminals looking for ransom, would want to target it.

 

What happened: Timeline

Throughout the week of May 10, 2021, headlines thrived on the havoc a ransomware attack against Colonial Pipelines wrought across the United States. As people rushed to gas stations, some filling plastic bags with gasoline, the federal government declared a state of emergency in 17 states and DC. 

  • Thursday, May 6: The hackers gained access to the Colonial Pipeline’s networks and started installing the malware across all the systems.
  • Friday, May 7: Colonial pipeline found out about the attack and immediately notified government authorities. To prevent additional systems from getting infected, Colonial took certain systems offline.
    • Later that day, Colonial hired the cybersecurity company FireEye to help mitigate the attack.
  • Saturday. May 8: Colonial reported that in addition to ransomware, the criminal group also stole approximately 100 GB of data from company servers, and that all 4 major pipelines will remain offline until further notice.
  • Sunday, May 9: President Joe Biden declared a state of emergency in the affected states.
  • Monday, May 10: FBI confirmed that it was in fact a criminal act by a notorious apolitical hacker group “Darkside” using their own inhouse brand of ransomware.

    Colonial Pipeline Attack

  • Tuesday, May 11: The fuel shortage is now so bad in such a short span of time that oil traders had begun the arrangements to have fuel shipped over from Europe on Tankers.
  • Wednesday, May 12: Colonial pipelines revealed that they had delivered 967,000 barrels of fuel equal to approximately 41,000,000 gallons to various major delivery points along their pipeline routes since the 4 major pipelines have been offline.

    At this point, the pipelines have been halted for 5 days now with the US East coast losing over 1.2 million barrels of gasoline supply per day.
  • On May 13, Bloomberg reported that the company paid a ransom demand of close to $5 million in return for a decryption key. 



Who/What is DarkSide

“DarkSide actors” or the “DarkSide group” refers to the cybercriminals deploying the ransomware and targeting organizations through phishing attacks or exploiting remotely accessible accounts, systems, and Virtual Desktop Infrastructures.

DarkSide is a type of Ransomware-as-a-Service (RaaS), not a group of attackers. According to the joint Cybersecurity and Infrastructure Security Agency (CISA) and FBI release, the RaaS developers receive a share of proceeds whenever a cybercriminal group deploys it. 

Interestingly, the DarkSide actors engage in these exploits purely for commercial purposes. Unlike nation-state actors, they have no geopolitical agenda. Additionally, nation-state actors, aware of the threat of retaliation and the vulnerability of critical infrastructure, typically do not execute attacks against energy resources of other nations. Darkside, as a purely commercial enterprise, does not have that standard – though they do publicly state that they have a code of conduct prohibiting attacks on hospitals and schools. In fact, they have attempted to donate money to charities on several occasions.

 

How the DarkSide Ransomware Works

 

From a high level, DarkSide actors leverage an initial compromise stage where they gain access to a device, masquerading as a legitimate user so that they can install the malicious code on the compromised endpoint. Then, they escalate privileges to gain access to sensitive information. Finally, they encrypt business-critical processes, request a ransom, show “proof of life” over the exfiltrated data, and decrypt everything only after the target pays them.

It is not yet publicly known how this attack specifically was perpetrated (technically speaking), however, researchers have, time to time, tried to form a modus operandi of all the known attacks by Darkside.

Here is the modus operandi of a ransomware attack by Darkside.


Initial attack

The first step in any DarkSide attack is gaining access to the organization’s systems and networks. Research (https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware) indicates that cybercriminals did this in three ways:

Recent emails used to deliver the DarkSide ransomware included:

  • Malicious Google Drive links containing an LNK downloader
  • Dropbox links with ZIP archives that downloaded the backdoor

 

Gaining Access

DarkSide could have bought account login details for remote desktop software such as TeamViewer and Microsoft Remote Desktop. According to researchers, it is possible for anyone to look up the login portals for computers connected to the internet on search engines like Shodan, and then "have-a-go" hackers just keep trying usernames and passwords until they get some to work.

To date, researchers have found three unique sets of tactics, techniques, and procedures (TTPs). The attackers establish persistence in systems and networks by:

  • Using a command and control (CS) infrastructure
  • Downloading and using TeamViewer
  • Using a backdoor that supports keylogging, taking screenshots, and executing .NET commands

Threat actors using the backdoor delivered and executed the code when users clicked on the malicious links in phishing emails. 

Once inside the target’s systems, the attackers check the operating system language. Interestingly, the malware only installs on non-Russian devices. 

 

Installing the DarkSide Ransomware

Now that they have administrative, privileged access, the attackers use PowerShell.exe and CertUtil.exe to download and execute the DarkSide code. They also save a copy of the malware to the compromised device.

 

Escalating Privileges

All three types of threat actors escalate privileges to install the ransomware. They do this using:

  • CVE-2020-1472: a vulnerability using Netlogon Remote Protocol (MS-NRPC) that allows them to run an application on a network device ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472 )
  • Mimikatz: a credential harvesting application
  • Local Security Authority Subsystem Service (LSASS) process memory dumps: memory files containing domain, local usernames, and passwords

 

Encrypting Files and Exfiltrating Data

Having downloaded the malicious code and gained privileged access, the threat actors start collecting sensitive information and files. 

After collecting the information that they want to hold for ransom, the attackers begin encrypting data by using ransomware copy stored in the shared folder on the initial device. This allows them to create a scheduled task for spreading the malicious code throughout the target organization’s systems. 

Additionally, the DarkSide code stops, deletes, or terminates processes that the organization needs to use. 

Examples of services and processes impacted include:

  • Sql
  • Sophos
  • Veeam
  • Backup
  • Exel
  • MS Access
  • One Note
  • Outlook
  • PowerPoint
  • Steam
  • Word
  • Notepad

After encrypting data, the DarkSide ransomware then sends the ransomware note to the impacted directories.

 

Ending Note

The hackers behind Colonial Pipeline attack reportedly received $90 million in bitcoin before shutting down. That is mind boggling. The amount of small and large businesses that are falling victim to this. It's becoming a big problem for the economy globally. Only time will tell if the companies and organizations (even the governments) are able to strengthen their cybersecurity to a level of security which can not be compromised even by the state actors. If not, it would not be surprising to see even the governments fall under the mercy of such organizations. 

Learn about Query.AI:

Sourav Ravish

Written by Sourav Ravish

Sourav is an experienced software engineer with a dire passion for solving real world problems using technology. He post-graduated in Mathematics and Computer Science from one of the premier institutions of India: IIT-BHU, following which he has been working primarily on creating solutions in the cybersecurity space. While not in his engineering shoes, he loves to travel around the world, to meet new people, to explore and experience their different and diverse cultures. He is a people's person by heart and relishes his conversations he could have with them, so feel free to hit him up for one!