By CYFIRMA Research
Large-scale cyberattacks targeting critical infrastructure and operations is back rearing its ugly head, forcing the major oil and gas pipeline operator, Colonial Pipeline Co., of the United States, to shut down its operations covering almost the entire east coast. The 5,500-mile (approximately 8,850 km) pipeline carrying gasoline, diesel, natural gas, and jet fuels transports 2.5 million barrels per day from the gulf coast to the eastern and southern part of the US. In contrast, the next biggest operator, Products Pipeline Corporation (PPL), owned by Kinder Morgan Inc. can deliver only 720,000 barrels per day.
The now confirmed ransomware attack, which brought the corporation down on its knees, represents one of the most devastating and widespread disruption of American energy infrastructure known in recent history. The ongoing investigation, as of 10th May, by cybersecurity firms and statements by executives from top security agencies including CISA, DHS and the Department of Energy has, so far not established if the cybercriminals have critical control of the systems that run the pipeline infrastructure. As per the latest update on 14th May, Colonial might have conceded access to only a few businesses and IT systems not connected to the pipeline infrastructure. But, as a precautionary measure, the firm went ahead and shut down systems connected to critical pipeline operations as well, crippling the entire supply network. The US government deployed the services of federal organizations dealing with cyber incidents along with leading cybersecurity firms with expertise in handling investigations of this magnitude. Late on 10 May 2021, the Federal Bureau of Investigation (FBI) attributed this attack to an Eastern European gang, specifically Russia, called ‘Darkside’. As of 14th May, possibly in an operation by the US federal agencies, eight websites of Darkside were pulled down, followed by Darkside gang releasing a statement that they are shutting down their operations claiming that they lost access to a public part of their infrastructure.
It is too early to speculate a nation state-sponsored operation behind this crippling cyberattack, but at the same time it cannot be entirely ruled out due to Darkside gang’s western nations victimology, sophisticated tactics aimed at double extortion for maximum impact, and attack infrastructure with a capability to identify Russian language machines but not infect them. The research team believes that FIN11, a Russian Threat Actor, either independently or in a possible collaboration with DarkSide may have carried out the ransomware attack on Colonial Pipeline Co.
This report covers the following:
1. Executive Summary
2. FIN11 Threat Profile
3. Colonial Pipeline Co. attack and DarkSide Attribution
4. FIN11 Attribution to Ransomware Attack
5. Other Significant Updates of Colonial Attacks
6. Why the Energy Industry?
7. Recommendations
8. Indicators of Compromise (IOC’s)
9. Fact file of DarkSide Ransomware Gang
To download the full report, pls write to [email protected]