Colonial Pipeline Incident

Introduction

In yet another high-impact and high-profile ransomware incident, the ‘big game hunter’ ransomware group ‘DarkSide’ accepted responsibility for an attack against the US-based Colonial Pipeline Company, an organization providing fuel pipeline services across multiple states (Figure 1) that transport a reported 100 million US gallons of fuel daily including direct service to airports.

Figure 1 – Colonial Pipeline ‘system map’ (Source: https://www.colpipe.com/about-us/our-company/system-map)

Colonial first became aware of the compromise on Friday May 7, 2021, with pipeline operations being halted and many systems being taken offline to contain the threat whilst it was investigated and remediated.

In an attempt to mitigate the disruption to fuel supply across the country, it is understood that pipelines have been operated manually in addition to deliveries being made by road. As such, a statement released on Tuesday May 11 reports that approximately 41 million US gallons of fuel were delivered since the incident commenced, albeit a fraction of their capacity for this period and potentially leading to increased fuel prices as demand outstrips supply.

As the pipeline network and delivery of fuel are considered critical national infrastructure (CNI), both law enforcement agencies and the US Department of Energy (DOE) are understandably involved in investigations and initial reports feared that this attack may have been nation-state sponsored.

In response, DarkSide posted a statement (Figure 2) on May 11, the most recent their Tor-hosted ‘leak site’, confirming that their motivations are financial, not geopolitical, and that they did not intend to cause ‘problems for society’ although, as with any threat actor, this can only be taken at face value.

Figure 2 – DarkSide statement

Given all the attention and law enforcement ‘heat’ that this incident has drawn, including reports that US President Biden is regularly briefed on the situation, it remains to be seen if DarkSide will continue to conduct ransomware operations or ‘cut their losses’ and ‘lay low’ in the hope of not being caught.

Whilst many big game hunter ransomware groups appear to operate with some level of impunity, maintaining high levels of operational security (OPSEC) to protect their identities and typically operating from countries less inclined to cooperate with US law enforcement, an attack such as this could almost be considered an ‘act of war’ and it is therefore likely that the US will dedicate considerable resources to bringing those responsible to justice.

Incident

Whilst Colonial Pipeline have not shared technical details of the incident, big game hunter ransomware groups such as DarkSide typically attempt to exploit vulnerabilities in internet-facing infrastructure to gain initial access to a victim network and often operate over weekends to minimize the chances of detection whilst they conduct data theft and/or encryption operations.

This tactic ‘steal, encrypt and leak’ tactic, commonly known as ‘double extortion’, allows the group to threaten a victim with the release of confidential data to encourage ransom payment and is evident across leak site posts related to previous victims.

Colonial became aware of falling victim to the attack on Friday May 7, 2021, although it is likely that the group gained access to their network prior to this date. That being said, it is not yet known if the group exfiltrated any data and, if they did, it would likely be foolhardy to do anything but destroy it given the law enforcement interest.

Although the full extent of this intrusion is yet to be revealed, initial reports suggest that it likely impacted the organization’s Information Technology (IT) infrastructure, rather than the Operational Technology (OT) infrastructure associated with the pipeline itself.

This would be consistent with DarkSide’s previous capabilities, with an apparent focus on targeting and encrypting Windows-based hosts, although the resulting impact of this recent incident saw systems across both Colonial’s IT and OT infrastructure being impacted as they contained the threat.

DarkSide

Active since August 2020, DarkSide claim to be experienced in working with other ‘well-known cryptolockers’ prior to creating their own threat, a plausible statement given that many organized ransomware groups offer affiliate and profit sharing schemes to recruit members that can infiltrate victim networks before stealing data and deploying the ransomware payload.

Moving away from working with others, the group formed “because [they] didn’t find the perfect product”, although the cynic may suggest that there would be increased profits for those retaining control over the entire attack process.

Since formation, DarkSide have targeted organizations across multiple industries throughout Europe and North America with, as evident from leak site posts, terabytes of confidential data being stolen and, in many cases, leaked when victims have not complied with demands.

Similar to other ransomware groups seeking to avoid negative press, some organizations (Figure 3) are reportedly exempt from attack based on their ‘principles’, albeit this list has yet to be updated in the wake of this incident.

Figure 3 – Excluded targets

Consistent with many malicious campaigns commencing with a reconnaissance phase, DarkSide claim to ‘analyze’ a victim’s ability to pay based on their income, presumably to save any wasted efforts prior to identifying and exploiting any potential vulnerabilities or weaknesses.

It should also be noted, although not explicitly mentioned by DarkSide, that many ransomware groups have been observed as determining the financial situation and cyber insurance policy status of victims by reviewing any stolen data prior to issuing their ransom demands. This allows the threat actor to be realistic in their attempts to extort victims and, in the case of those with cyber insurance, take full advantage of the insured amount.

Finally, in an attempt to appear altruistic, the group have reportedly (Figure 4) shared some of their profits with charitable organizations.

Figure 4 – Claimed charitable donations

Whilst some may consider this ‘Robin Hood’ type approach to be romantic, the impact of ransomware attacks is often far greater than the victim organization’s bottom line. In addition to the fallout of an attack impacting employees, customers and suppliers, many of which may suffer additional financial losses themselves, any charity receiving illegitimate funds would likely be compelled to surrender them which in itself may incur costs.

Indicators of Compromise

Whilst indicators of compromise (IOC) for this incident have not been disclosed, previous DarkSide incidents have exhibited the following.

Tools

Execution of common scripts and tools including:

• Advanced IP Scanner: advanced_ip_scanner.exe
• Cobalt Strike Beacon & Stagers
• PowerSploit Mimikatz: Invoke-mimikatz.ps1
• Sysinternals PsExec: psexec.exe

Shadow Copy Deletion

To thwart system recovery, DarkSide has been observed as using an obfuscated PowerShell command to delete system shadow copies from compromised hosts:

powershell -ep bypass -c (0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s

De-obfuscating this hexadecimal string reveals the command’s intent:

Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}

Ransom Note

Customized for each victim, a ransom note (Figure 5) named README.<STRING>.txt, where <STRING> is a 8-character hexadecimal value generated by the ransomware, will be found alongside encrypted data.

Figure 5 – Example ransom note

Recommendations

Organizations should consider the following recommendations to limit the impact of similar ransomware attacks:

• Maintain a robust patch management process to ensure that security updates and patches are applied in a timely fashion, securing the low-hanging fruit and preventing known vulnerabilities from being exploited.
• Continuously monitor endpoint security events as an early warning of suspicious behaviour, for example, host-to-host communications indicating lateral movement or high-volume disk operations indicating mass file encryption or exfiltration.
• Consider monitoring for, and alerting on, the anomalous execution of legitimate Windows command line tools such as the use of net.exe, taskkill.exe and vssadmin.exe.
• Limit user permissions according to the principal of least privilege (POLP).
• Secure sensitive data, adhering to any legal or regulatory requirements, to prevent unauthorized access, be that internal or external in origin.
• Utilize application permit and deny lists to prevent the execution of unauthorized or unknown executables, such as those delivered as part of a broader attack.
• Ensure that disaster recovery plans and backup policies take into account regular backups, verification of data integrity and offline storage to facilitate restoration in the event of a catastrophic incident.
• Make use of network segregation to limit communications between nodes, especially end-points, to provide damage limitation and limit the propagation of threats.
• Disable administrative tools and script interpreters to prevent misuse by malicious payloads or threat actors.