
The Colonial Pipeline Attack: A New Phase in Cyber Defense

DATE: June 15, 2021


Since the initial accusations of election interference in 2016, the steady stream of hacking incidents attributed to the Russian government has plagued US cybersecurity practitioners like chronic pain. But the ransomware attack levied on Colonial Pipeline is not just a flare-up of the same old pain. Instead, the actors, techniques, and responses are all worthy of our attention because they may forebode changes in the cybersecurity landscape.

The “who” in our “whodunit” are probably not organs of the Russian state. Likely no fancy bears here. The DarkSide hacking group, to whom the Colonial Pipeline attack is attributed[i], claims to be the “Robin Hood” of hackers; but what makes them interesting is that they operate as a franchise[ii]. Like a chain restaurant or ISIS, DarkSide lets freelance hackers use its tools and name. Cyberattacks are this franchise’s product – and if the Colonial attack is any indication, the franchise is not well-run. If, as the “Robin Hood” comparison indicates, DarkSide franchisees are to attack the rich to give to the poor, then creating shortages of fuel on the US Atlantic seaboard, for which the organization publicly apologized, is a serious misstep, as is losing half of your stolen loot. But more on that shortly. Analyses of this hack have so far concluded that it was not state-sponsored because it was “franchised” through DarkSide; but what if the state sponsorship was not so straightforward?

For those situations in which direct attribution isn’t beneficial or where the goals of the attack aren’t time-critical, sponsoring proxies may be fitting. Like Iranian backing of militia groups in Iraq, Russian “little green men” in Ukraine, or U.S. support for Afghan rebel groups during the Soviet occupation, supplying sophisticated, easy-to-use tools for cyber attack – even to those who are not very good at using them – may help state actors advance their perceived national interests. Knowing that some mediocre hackers could bring down a key critical infrastructure provider in the United States like Colonial Pipeline certainly seems like it would be valuable to Russia or China. Unlike directly attempting this attack, the proxy method would give a state actor the information it seeks without the effort, expense, or exposure risk of a direct attack. The Colonial Pipeline attack may be the work of a band of “Robin Hood”-styled cyber kiddies. Still, it serves defenders of critical networks to think about these attacks in terms of other potential attackers and motivations in order to prepare fully for future attacks.

Despite the many negative impacts of the Colonial attack on the pipeline and on other critical U.S. infrastructure, the U.S. Department of Justice’s (DoJ) recovery of half of the ransom paid by Colonial Pipeline is a bright spot. Through court action in California and other techniques not yet made public, DoJ recovered 63.7 bitcoin, or $2.3 million, of the $5 million that Colonial paid in ransom[iii]. Recovery of ransom paid in response to a ransomware attack is certainly rare, if not unique. The lack of transparency about the methods DoJ used to recover a portion of the ransom payment makes the recovery even more intriguing. DarkSide’s claim that it is shutting down operations under pressure from the United States adds to the intrigue[iv][v]. Absent a full explanation of events, several theories have emerged about how DoJ could recover the ransom and, apparently, shut down the DarkSide group. One theory is that the FBI had been surveilling DarkSide and that the attackers leaked the keys through their communications. Another is that the U.S. Army’s 780th Military Intelligence Brigade, which describes itself as “…the Army’s only offensive cyber operations brigade…”, was used to disable DarkSide’s payment servers and recover Colonial Pipeline’s ransom payment. Details of recovery operations like this are likely to remain secret for as long as they can be kept, both to preserve the effectiveness of ongoing or future operations and to keep malicious actors guessing about their ability to escape accountability for their actions. Nonetheless, recovery of ransom is a new and exciting development in cyber defense.

The Colonial Pipeline ransomware attack marks a new phase in cyber operations in the United States. Though it is difficult to have confidence that the DarkSide hackers are who they claim to be, their actions caused an unprecedented disruption in critical pipeline infrastructure in the United States, provided information about cybersecurity defenses in the industry, and could serve as a template for other malicious actors, state-sponsored or otherwise. In addition, apparently for the first time, the United States government found and recovered ransom paid in response to a cyber attack. Whether this action marks a change in capability within the United States government, a change in approach toward those who perpetrate these types of attacks, or a matter of good luck is not yet clear. Nevertheless, the possibility that the attack on Colonial Pipeline may mark a significant shift in how the United States government acts against malicious cyber actors is worth the attention of all cybersecurity professionals.



[i] Office of Public Affairs, United States Department of Justice, “Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside”, Downloaded 6/9/2021 from:

[ii] Emily DeCiccio, “Hacker group DarkSide operates in a similar way to a franchise, New York Times reporter says”, CNBC, Downloaded 6/9/2021 from:

[iii] Office of Public Affairs, United States Department of Justice, “Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside”, Downloaded 6/9/2021 from:

[iv] Robert McMillan and Dustin Volz, “Colonial Pipeline Hacker DarkSide Says It Will Shut Operations”, The Wall Street Journal, Downloaded 6/9/2021 from:

[v] Yahoo News, “Servers of Colonial Pipeline hacker Darkside forced down: security firm”, Downloaded 6/9/2021 from:

About the author

Joe Beckman

cyberTAP Assistant Director



Purdue University, 610 Purdue Mall, West Lafayette, IN 47907, (765) 494-4600
