What Happened To Colonial Pipeline?

Recently Colonial Pipeline was hit with a malware attack that forced them to shut down. The event has received a lot of media attention and, frankly, too much excitement and very little information. Here’s Business Insider:

Largest US Fuel Pipeline Operator Shuts Down Operations After Cyber Attack (businessinsider.com)

https://www.forbes.com/sites/joewalsh/2021/05/08/ransomware-attack-shuts-down-massive-east-coast-gasoline-pipeline/?sh=55f75bbd6625

Colonial Pipeline cyberattack shuts down pipeline that supplies 45% of East Coast’s fuel | ZDNet

Colonial Pipeline didn’t say very much more than that they were hit with a ransomware attack and that they shut things down. They have not yet said why, and they have not yet said how the attack was initiated. As of Wednesday, 5/12/21, they probably don’t know who pressed the button on the email that they shouldn’t have. Considering how much email a large company receives, they may never know, and even if someone is alert to the potential for a problem, there really is no way to stop it.

A ransomware attack generally starts from a phishing email that purports to look like something else. The receiver of the email clicks a link and the email loads the app, which operates automatically from there. Typically, the app will first of all search for linked computers and copy itself to them. Then, after a time, the app will start to encrypt files of certain file types, using one of several encryption algorithms. Typically these are files of commonly used software, MS Office and similar programs, and things like graphics files in the common formats. Files with extensions that the app doesn’t know will be ignored.

None of the articles say why Colonial shut down. Since I know nothing about how Colonial operates their pipelines, I can only guess what was happening. First of all, I doubt that the ransomware actually had any impact on the operations of the pipelines themselves. I doubt that the ransomware even saw any of the files related to the control and operations of the pipeline, and if it did, the file was a .txt file that something was using as a temp file, and the file was probably wiped and a new state file created. There may have been some log files encrypted, but a ransomware app is not Stuxnet, written by the boffins in the CIA and Mossad. What I think the ransomware did do was encrypt the delivery files that Colonial used to know where they were sending the fluids in the pipeline. If that information was stored in an Excel spreadsheet file, and it very well could have been, then Colonial may suddenly not have known where they were supposed to deliver what kind of fuel. So Colonial shut down until they could work things out.

That was exactly the right thing to do, even if the supply of gas and other fuels was disrupted for a few days. Sending the wrong product to the wrong location could have serious consequences and would affect millions and cause things like ruined vehicles and machinery that tried to run on the wrong fuel. Think diesel in your gasoline car. So shutting down was the right thing to do. The problem was that the media overplayed things more than a bit and from what I have seen, didn’t take the time to explain what was really going on, so a lot of people panicked, thinking that Colonial’s pipelines were damaged when what was really happening was making sure the paperwork was straight and the deliveries went where they were supposed to, by hand, if necessary.

Having been a victim of ransomware, I looked into how things worked. I was rather upset that I had seemingly lost all my pictures and documents. So I did some looking and learned more than a little. A ransomware attack is not the end of the world and, even at worst, the attack by itself should not kill your business. So, if you are the IT manager of a company that has been struck, here is some advice.

First of all, don’t panic. Panic is your enemy and I know, believe me, I know how scary the blue screen is. But there are good things that that screen isn’t telling you. First of all, the people who sent their little visitor were not targeting you specifically. They send their emails out on a broadcast and hope that someone presses the button. The methods and psychology that malware creators use are intended to make you panic and make you think that they are more powerful than they really are. So think of them as yet a new kind of extortionist that isn’t really all that intelligent.

The flip side is to inform yourself. There is a lot of information about ransomware on sites such as Bleeping Computer (BleepingComputer.com – Technology news and support) and from experts such as Kaspersky (Free Ransomware Protection | Kaspersky Anti-Ransomware Tool) that have expertise in ransomware. Find out as much as you can. Ransomware comes in flavors and there is a chance that your attack has already had a decryption app created for it. If it hasn’t, there is a good chance that one will be. The typical life of any flavor of ransomware is rather short, with apps and decryption keys being discovered and distributed frequently.

Second, the malware can only attack files that it knows about. Those will be the common files that most people use, with most proprietary and uncommonly used files ignored.

Third, the files are encrypted, not erased. They are still there and, given time, can be recovered. A ransomware attack is not the end of the world. The big question is how good your backups were, if any, and how quickly you need the information. When considering backups, don’t just consider backups from IT. There will probably be paper and verbal trails to follow, and salvation can come from an unlikely source. Consider that no ransomware will be as bad as what happened to Pixar and Toy Story 2.
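As an added example (not part of the original post), here is a first-pass triage script for scoping the damage described in the second and third points: it checks whether files with commonly targeted extensions still begin with the header their format requires. The magic-byte table, the 7.0 bits-per-byte entropy cut-off and all file names are assumptions, and the sample files are constructed.

```python
import math
import os
from collections import Counter

# Assumption (not from the post): leading "magic" bytes of common formats.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8",
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, threshold: float = 7.0, sample: int = 65536) -> str:
    """Classify one file by comparing its header with its extension."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return "untracked-type"   # an extension this triage does not know
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if head.startswith(MAGIC[ext]):
        return "intact"           # header still matches the format
    # Wrong header: high entropy suggests encryption, low entropy a mislabelled file.
    return "likely-encrypted" if entropy(head) > threshold else "header-mismatch"

def triage(root: str) -> dict:
    """Walk root and return {relative path: status} for every file."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            report[os.path.relpath(full, root)] = classify(full)
    return report

def build_demo(root: str) -> None:
    """Write constructed sample files (not real incident data) under root."""
    samples = {
        "invoice.pdf": b"%PDF-1.4\n" + b"constructed body\n" * 20,
        "routes.xlsx": os.urandom(4096),   # random bytes stand in for ciphertext
        "notes.pdf": b"plain text saved with the wrong extension\n" * 20,
        "pump.state": b"valve=open\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
```

A matching header only shows that the start of the file is untouched, so files reported as intact still need to be opened or compared against a backup before they are trusted.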

The question, I suspect, is should you pay? For each individual business, that is a hard question, one that I can’t answer. My thinking is that companies should not pay, but I am not responsible for a good portion of the fuel deliveries on the east coast with millions of dollars of penalties for late or wrong deliveries, for example. Nor am I the manager of a hospital with patients under my care.

On the other hand, the people who send the malware out are criminal and untrustworthy. They also are not perfect and even if they do send a key, there is no guarantee that it will retrieve your files and there is a good chance that the files will be corrupted and unusable in any case. Once you have paid, the sender of the malware has what they want, and using Tor and bitcoin, tracing them if things go bad is rather difficult.

So paying is always a gamble. Ultimately the business will have to make that choice. The best solution is to stop an attack before it starts. That is where a good IT department will pay for itself. It is also important to educate staff on the potential consequences of doing something stupid. The problem is that the ransomware people can be very sneaky and can hide their hooks in phish that seem perfectly ordinary. In the end, if your company is struck, there is a reason that the boss earns the big check.

Kudos to Colonial and CEO Tim Felt for making the hard decision not to pay the ransom. Fortitude at the top these days is becoming rather rare.

Colonial Pipeline not likely to pay millions in ransom demanded by hackers – CNNPolitics

Media Statement: Colonial Pipeline System Disruption (colpipe.com)

For all sorts of information and links, click the cybercrime tag below.

Update: Darkside says that it is sorry and didn’t mean to disrupt the entire east coast of the US:
https://www.bleepingcomputer.com/news/security/darkside-ransomware-will-now-vet-targets-after-pipeline-cyberattack/

Unfortunately the nature of the beast is that there is no way to change things and if I were the folks at Darkside, I would be looking to see the Feds real soon now.

2 comments

  1. Differ · May 13

    The lame “we weren’t trying to inconvenience people, just trying to make money” press release from the purported ransommer org, DarkSide, suggests you are correct in that they weren’t specifically targeting Colonial Pipeline.
    I would be surprised after this if we don’t have a significant effort by FBI or CIA to track down the perps.


  2. An Author In Charge · June 12

    As a friend of mine in IT once pointed out, “If the last time you checked your backup restoration process was when the last disaster happened, you haven’t checked recently enough.”

    I’m also thinking that this happened due to a failure of air-gapping office and critical hardware systems. They shouldn’t be on the same network at any point, no matter how much it inconveniences people. If you’re particularly paranoid enough, they shouldn’t be on the same power grid.

    And, any critical industry that exists entirely on the Cloud is almost asking to be attacked. Same IT friend has stood his ground that they do hard-data backup in the form of BluRay-R disks (25 GB a disk, doesn’t trust double layer). He wanted to do it weekly, Corporate wanted to go for a pure off-site cloud option, they compromised on every two weeks. He has a test setup of old computers and routers that he does a regular small-scale restore-everything test, which is nice.

    Hopefully, we’ll be seeing more work on defenses against this kind of attack, and maybe a few bagmen in the company’s law firm encouraged to bring the hackers’ heads back to the office. Silver platter optional.
