What Happened To Colonial Pipeline?

Recently Colonial Pipeline was hit with a malware attack that forced them to shut down. The event has received a lot of media attention but, frankly, too much excitement and very little information. Here’s Business Insider:

Largest US Fuel Pipeline Operator Shuts Down Operations After Cyber Attack (businessinsider.com)

https://www.forbes.com/sites/joewalsh/2021/05/08/ransomware-attack-shuts-down-massive-east-coast-gasoline-pipeline/?sh=55f75bbd6625

Colonial Pipeline cyberattack shuts down pipeline that supplies 45% of East Coast’s fuel | ZDNet

Colonial Pipeline didn’t say very much more than that they were hit with a ransomware attack and that they shut things down. They have not yet said why, and they have not yet said how the attack was initiated. As of Wednesday, 5/12/21, they probably don’t know who pressed the button on the email that they shouldn’t have. Considering how much email a large company receives, they may never know, and even if someone is alert to the potential for a problem there really is no way to stop it.

A ransomware attack generally starts from a phishing email made to look like something else. The receiver of the e-mail clicks a link and the email loads the app, which operates automatically from there. Typically the app will first search for linked computers and copy itself to them. Then, after a time, it will start to encrypt files of certain file types using one of several encryption algorithms. Typically these are the files of commonly used software, MS Office and similar programs, and things like graphics files in the common formats. Files with extensions the app doesn’t know will be ignored.
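One way a defender can spot the encryption stage described above, as an added example that is not from the original post: files that carry a common Office or image extension but no longer start with that format’s magic bytes and whose contents are near-random are likely to have been encrypted in place. The sample files, the extension-to-magic table and the entropy threshold are constructed assumptions for the demonstration.

```python
"""Flag files whose extension promises a known format but whose bytes look encrypted.
Constructed sample tree and thresholds are assumptions, not anything from the post."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Expected leading bytes ("magic") for file types ransomware commonly targets.
MAGIC = {
    ".docx": b"PK\x03\x04",  # Office Open XML files are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, random data is close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext and random data approach 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: Path) -> bool:
    """True when a tracked extension lacks its magic bytes and the body is high-entropy."""
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return False  # extension not tracked; nothing to compare against
    data = path.read_bytes()
    return not data.startswith(magic) and shannon_entropy(data) > ENTROPY_THRESHOLD


def scan(directory: Path) -> list:
    """Return sorted names of files under `directory` that look encrypted in place."""
    return sorted(p.name for p in directory.rglob("*") if p.is_file() and looks_encrypted(p))


def build_sample_dir() -> Path:
    """Construct a small tree: two intact files and one overwritten with random bytes."""
    root = Path(tempfile.mkdtemp())
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    (root / "routes.xlsx").write_bytes(b"PK\x03\x04" + b"delivery schedule, " * 200)
    (root / "site.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(64))
    (root / "invoice.docx").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    return root


if __name__ == "__main__":
    print(scan(build_sample_dir()))  # prints ['invoice.docx']
```

Run over a file share, a sudden jump in the number of flagged files is the signal to pull the plug and restore from backups.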

None of the articles say why Colonial shut down. Since I know nothing about how Colonial operates their pipelines, I can only guess what was happening. First of all, I doubt that the ransomware actually had any impact on the operations of the pipelines themselves. I doubt that the ransomware even saw any of the files related to the control and operations of the pipeline, and if it did, the file was a .txt file that something was using as a temp file, and the file was probably wiped and a new state file created. There may have been some log files encrypted, but a ransomware app is not Stuxnet, written by the boffins in the CIA and Mossad. What I think the ransomware did do was encrypt the delivery files that Colonial used to know where they were sending the fluids in the pipeline. If that information was stored in an Excel spreadsheet file, and it very well could have been, then Colonial may suddenly not have known where they were supposed to deliver what kind of fuel. So Colonial shut down until they could work things out.


Ransomware’s Achille’s Heel

This is a post series on cybercrime. For more posts click here or the cybercrime tag below.

Apparently the French police have realized the vulnerability of ransomware: the fact that the extortionists have to communicate with their victims. Since the French do not have a vested interest in maintaining the Tor network, they went for the actual Tor hardware.

WannaCry communicates with a command and control server hosted on the Dark Web, on a .onion address. Aeris suspects his servers were used as first hops in this connection, hence the reason police seized his property, hosted via French hosting provider Online SAS.

Most Tor servers are configured to log very few details, such as uptime and status metrics, so to safeguard the privacy of its users. Unless Aeris made customizations to default configs, French police have no chance of finding any useful information on the seized servers.

Tens of Tor servers disappeared on the same weekend

In the media storm caused by the wave of WannaCry attacks, this small incident went unreported outside of French media. Aeris also confirmed the seizing of his servers on Twitter.

The investigation is led by France’s cyber-crime investigation unit OCLCTIC (L’Office Central de Lutte contre la Criminalité liée aux Technologies de l’Information et de la Communication).

The activist pointed out that tens of other Tor nodes in France disappeared over the same weekend. In a private conversation with Bleeping Computer, the activist shared a list of 30 servers he is currently investigating regarding these mysterious disappearances.

https://www.bleepingcomputer.com/news/security/french-police-seize-two-tor-relays-in-wannacry-investigation/

As the Bleeping Computer article pointed out, seizing the hardware isn’t going to do the French much good once the servers are cut from the Tor network. On the other hand, with 30-odd nodes gone just in France, and the possibility that the French could go after other nodes in the EU, it could be that the Tor network in the EU will be essentially shut down.

http://thehackernews.com/2017/06/wannacry-ransomware-tor-relay.html

The people at Tor have taken a “we’re not responsible” stance on ransomware and attempted to hide behind common carrier laws to prevent the decriminalization and exposure of the people using the network for criminal means. It may be that the WannaCry attack was the last straw for many law enforcement agencies.

For anybody wanting to know how to catch people on TOR.

Here’s the week in ransomware.

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-9th-2017-jaff-spectre-and-macransom/


The Fragility Of Systems And The Need For Backups

As systems get more complex they get more fragile. That is definitely the case when it comes to computer and information systems. I found that out again last Friday. As of now, I don’t know if what happened to my main computer is a hard drive failure or a corrupted update. At this point it’s hard to tell, and it’s going to be some work to figure out which. My big mistake this time was not making a Windows 10 boot disk.

https://www.xtremerain.com/fix-bad-system-config-info/

System failure can also be caused by malware and viruses, though this has become less common as the security people have dealt with this sort of thing. If the data and files themselves are not wrecked, using a boot disk can get things running and work around the malware until the system is back up. Anyway, here’s the week in ransomware.

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-28th-2017-cerber-mordor-and-cve-2017-0199/