Learn all about the ransomware attack against the Colonial Pipeline and find out how to prevent it

Founded in 1962 and headquartered in Alpharetta, Georgia, Colonial Pipeline is one of the largest private pipeline operators in the United States. Colonial Pipeline is responsible for the supply of gasoline, diesel, and oil for military and civilian use.

The company transports more than 100 million gallons of fuel daily, in an area from Texas to New York, and is responsible for about 45% of the fuel supply on the East Coast.

The incident

On May 7th of this year, a ransomware attack forced Colonial Pipeline to temporarily shut down and freeze IT systems to isolate the infection.

The measure temporarily suspended all operations on the pipeline and a cybersecurity manufacturer was called in to restore functionality.

Table of Contents

Factors that may have caused the attack

  • An old, unpatched vulnerability in the system
  • Outdated systems and software
  • A phishing email that successfully tricked an employee using social engineering tactics
  • The use of access credentials that have been leaked into a cybercriminal’s hands
  • A vulnerable device facilitating entry and dissemination on the company’s network
  • A system that was not properly set up for remote work

Remote work may have become a Vulnerability

One hypothesis is that employees remotely accessed control systems, using remote desktop software, such as TeamViewer and Microsoft Remote Desktop, without adequate protection for remote access points and networks.

The only thing needed for cybercriminals to launch an attack is an employee operating an unauthorized laptop on an unsecured network, such as a home wi-fi system.

Attack impacts

The ransomware attack on Colonial Pipeline is known as a ‘’threat against critical infrastructure’’.

In addition to the financial and operational impact for the company itself, it has also affected millions of people who depend on the delivery of gas and oil.

The hack had an immediate impact on the country’s supply chain, causing an increase in fuel prices due to the abrupt shutdown of the pipeline. This has also caused further scarcity as refineries in the Houston area run out of storage space, causing them to slow production. Fuel supplies may remain below ideal levels for some time, as refineries along the pipeline are slowly brought back to normal operation.

Cybersecurity: Warning Points

  • Many companies treat cybersecurity as an unnecessary expense on the balance sheet, treating it as a low-priority investment
  • Most critical infrastructures have a “set and forget” mindset, failing to consider security as a critical business expense.

Zero Trust: the way to prevent and remedy attacks

In the view of cybersecurity experts, the best way to protect employees of critical infrastructure (energy, transportation, water systems, healthcare providers) is to adapt networks with zero-trust security controls that enable employees to do their job securely.

Using zero trust network access solutions, access will be restricted to only the applications that an employee or contractor needs to do their job.

In addition, the adoption of multi-factor authentication is critical as well as regular security audits to look for vulnerabilities and ensure that data is backed up on a regular basis.

Investigation of the case

The Colonial Pipeline ransomware attack is being investigated by the FBI with assistance from the US Infrastructure and Cybersecurity Security Agency (CISA). Both attributed the onslaught to a type of ransomware called DarkSide, developed by a group of Ransomware as a Service (RaaS) of the same name.

In the DarkSide affiliate model, malware developers receive a share of their profits from their partners through their successful extortion methods.

In addition, ransomware affiliates are accustomed to using double extortion tactics, which include not only encrypting data, but stealing information and then demanding payment from the victims, and threatening to publicly leak stolen data.

Outcome of the case

According to press reports, the payment was made to operators of DarkSide malware in cryptocurrency, to receive the decryption key and restore systems rendered inoperable by the ransomware.

Although the pipelines are back up and running, it will take days for the service to be normalized; and supply-related problems have already caused panic in some cities in the United States.

Protecting the user and their access is the first step to avoid advanced threats.

VaultOne provides state-of-the-art security in privileged access management, protecting credentials in an encrypted password vault, preventing malicious code spying, and keeping your information and your devices safe and secure.

Talk to our experts today and find out how VaultOne can help your business.