Colonial Pipeline is still trying to narrow in on how its network was breached following a ransomware attack that resulted in the closing down of a critical pipeline that led to a massive gas run on the East Coast and sparked worries about supply shortages and the nation’s cyber vulnerability.
The incident prompted a massive federal response to chase the perpetrators and prevent future breaches. In the wake of the attack, critical infrastructure companies have flocked to the Cybersecurity and Infrastructure Security Agency for information.
Webpage hits for the agency’s ransomware resources have already doubled this month compared to last month. CISA also held a call last week with more than 8,500 participants from 16 critical sectors, which include industries like energy, chemical and nuclear, as well as state and local representatives.
On Wednesday evening, CISA publicly released a set of technical data from the Colonial incident to help other companies and critical infrastructure utilities defend themselves against a similar attack.
The data provides IT and cybersecurity professionals with information to identify compromises in their networks, but the investigation into how the adversary accessed the network in this instance is still ongoing, according to a CISA spokesperson.
It essentially shows “what an adversary did, not how they did it,” a CISA official said.
Companies can use the information to assist in blocking malicious IP addresses and to scan networks for bad files that may have been implanted.
“To actually pinpoint the exact ingress point can sometimes be a challenge,” former Department of Homeland Security acting undersecretary Chris Cummiskey told CNN. “They are trying to get as much threat intel out there, so companies can take remediation steps, so whatever attack they come under won’t be as devastating as the Colonial Pipeline incident,” he said.
What we do know
CISA and the FBI previously pinned the cyberattack on DarkSide, a so-called “ransomware-as-a-service” group that develops ransomware used by other cybercriminals and receives a share of the proceeds. But CISA is not currently engaged with Colonial on the investigation, according to an agency official. Colonial hired an outside cybersecurity firm, FireEye Mandiant, immediately after it learned of the ransomware attack.
Mandiant declined to comment on the ongoing investigation.
Information about how a particular intrusion occurred is useful. But it’s not always critical, the official said, adding that ransomware groups often look for known vulnerabilities that they can compromise fairly easily.
“Just because they used ‘method A’ or ‘vulnerability A’ to compromise Colonial Pipeline, that doesn’t necessarily mean that they will try to use that same method when they compromise other victims,” the official said.
Last week, CISA acting Director Brandon Wales emphasized the need to get as much information as possible about the tools and the tactics that the adversary used, in order to prevent other attacks.
“The number one question that people have is — what were the tactics that the adversary used? How did they get inside the network? Was it a phishing email? And if so, how is it constructed? How is it designed? Did they exploit a vulnerability in a piece of software? All of that information allows other critical infrastructures to better protect themselves,” he said.
The US Chamber of Commerce on Friday urged the Biden administration to take aggressive action to fight against ransomware, saying that “businesses are outnumbered and law enforcement doesn’t have the resources to keep up.”
The average downtime due to an attack is 21 days and on average it takes a business 287 days to fully recover from an attack, according to the Chamber of Commerce.
What we don’t know
Which specific vulnerability the ransomware attackers exploited remains unclear, but on the day the incident was reported, Colonial’s “door was wide open,” according to a source familiar with the company’s cyber defenses at the time.
Passwords were a particular vulnerability, the source said. Colonial Pipeline did not respond to specific questions about its password security protocol at the time of the ransomware attack, but said that the password reset process and complexity standards are automated.
Colonial has suggested it has taken some steps to harden its cyber security since the attack but provided few specifics about what actions it has taken.
A Colonial spokesperson told CNN that its investigation into the root cause of the incident “is ongoing and will take time,” adding that any speculation is premature.
Meanwhile, pressure is beginning to mount on the company to explain its security practices. There have already been several closed-door meetings on Capitol Hill in the wake of the cyberattack, with both the pipeline company and federal investigators. The House Homeland Security Committee announced Thursday it will hold a full committee hearing with Colonial Pipeline CEO Joseph Blount on June 9.
Earlier this week, a federal lawsuit was filed against Colonial Pipeline, alleging that Colonial’s failure to adequately protect their systems from the ransomware attack resulted in gas shortages and increased prices.
“As a result of Colonial Pipeline Company’s inadequate cybersecurity measures, the Colonial Pipeline was hacked by Darkside,” the lawsuit reads.