Disruptionware attacks have become increasingly common over the last few months. Just last month, I wrote about a dangerous disruptionware attack against a Florida water treatment center that could have been a mass casualty event. For more information on these types of attacks, please refer to our posts on the different types of disruptionware attacks and how disruptionware attacks work.
On May 7, 2021 a major U.S. gasoline pipeline was shut down by a strategically delivered disruptionware attack. Colonial Pipeline, which transports over 100 million gallons of gasoline and other fuel throughout the East Coast daily, was forced to pause operations and stop the pipeline’s transfer of fuel to many different cities and major airports. The scope and implications of this attack prompted remarks from President Biden, and both the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have been brought in to assist with the investigation.
Described as one of the “most disruptive digital ransom schemes ever reported,” this incident shows the classic signs of a disruptionware attack. The initial attack was a ransomware attack, which is the most common type of disruptionware attack. These disruptionware cyber-attacks are highly effective at attacking – and shutting down – both the Information Technology (IT) and Operational Technology (OT) networks that victims rely on to conduct their activities. In this case, it appears that the hackers were able to infiltrate and shut down both the IT and OT networks through malware introduced into the pipeline’s control systems.
This attack, believed to have been perpetrated by the Russian cyber-criminal group “Darkside,” has caused Colonial Pipeline to take many of its operations offline. This has led to potential fuel shortages throughout the East Coast, affecting international airports, many cities, and states that rely on the pipeline for a flow of gasoline and other fuels. The affected pipeline provides over 45% of all fuel consumed on the East Coast, affecting over 50 million people. As of May 12, there are still four major veins of the Colonial Pipeline offline with no date noted for when full operations will return. According to news wires, the hackers stole more than 100 gigabytes of Colonial Pipeline’s data and are demanding a ransom in return for not releasing the stolen data to the public.
It is clear that the government is slowly coming around to the truth that much of the American energy industry, as well as major aspects of the U.S. infrastructure, has insufficient cyber security controls and defenses in place. Former CISA Director Christopher Krebs called these assaults on our major critical regional pipelines a sign that the cyber-attacks against our energy industry are “out of control.” According to Reuters, Senator Bill Cassidy from Louisiana, who sits on the Senate Energy Committee, commented that “the implications for this, for our national security, cannot be overstated.”
It appears clear, based on multiple media reports, that the alleged cyber threat actors were foreign state nationals. One question still unanswered is whether the attack was strictly financially motivated, or whether it was at the behest of a foreign nation state government designed to weaken our national infrastructure. According to Databreachtoday.com, “these pipelines have been designated critical infrastructure. Intentionally disrupting or damaging these systems can be considered an act of terrorism. As more is learned about the event, and as the motivation of the actor or actors becomes clear, we’ll find out if this event has taken us from a cold to a much warmer cyber conflict.”
After recent nationally highlighted cyber-attacks, including the Florida water treatment plant, SolarWinds and the Microsoft Exchange Server vulnerability attack, the Biden Administration has emphasized the need for stronger cyber defenses around our nation’s power grid and other infrastructure targets. It is clear that the time has come to prioritize the cyber safety and security of our nation’s infrastructure against these nefarious and destructive cyber-attacks.