Red flags were ignored before disruptive Colonial Pipeline cyberattack
Experts have been predicting panic buying at fuel stations and limited supplies at airports for years
London — Even if US firm Colonial Pipeline restores supplies by the end of this week, the ransomware attack that hit the pipeline supplying 45% of East Coast US fuel has already been among the most disruptive cyberattacks in recent history.
Details on the incident remain relatively limited. Colonial Pipeline is a privately owned firm created by big US oil companies and has kept tight-lipped. But federal investigators say the firm had sensitive corporate data stolen and encrypted by the cybercrime organisation DarkSide, prompting Colonial to shut down fuel shipments as a safety precaution in case the hackers had access to other parts of the network that might allow them to do physical damage.
The effect has been to spark panic buying at fuel stations and limit supplies at airports, something experts have been predicting for years in the event of a big cyberattack. What this attack shows is just how limited an effect those warnings and preparations appear to have had, particularly compared with the much better protected US power grid.
Ransomware attacks have been rising for several years, with the British and US governments taking the unusual step of directly blaming North Korea for the 2017 WannaCry attack that briefly locked out hundreds of thousands of computers worldwide. At the UK National Cyber Security Centre annual conference on Wednesday, British foreign secretary Dominic Raab also pointed the finger at Russia, where many gangs are based.
Russia “can’t just wave their hands and say [it has] nothing to do with them”, he said. “Even if it is not directly linked to the state they have a responsibility to prosecute those gangs and individuals.”
The FBI said on Monday it believes the attackers are a criminal group known as DarkSide, often described as offering “Ransomware-as-a-Service”: the group supplies its ransomware and payment infrastructure to affiliates who carry out the intrusions, lock victims out of essential computer systems and refuse to release them until the victim pays a large sum, usually in bitcoin or another cryptocurrency, with the proceeds split between affiliate and operator.
Sometimes said to be Russian in origin but invariably acknowledged as particularly sophisticated, DarkSide’s site on the dark web lists a number of previous targets that it says did not pay up: more than 80 companies across the US and Europe. It appears largely to spare Russian, Ukrainian and Kazakh companies, another potential clue to its origin; the malware checks the system language settings and exits on machines configured for those locales, a habit common to ransomware run out of the former Soviet states.
Such attacks are becoming a growing problem — Raab said ransomware attacks delayed a post-Covid return to the classroom for 80 British schools and universities in March. How to tackle them is likely to be an increasingly thorny issue.
Basic corporate and individual computer security is, of course, inevitably the starting point. Had Colonial Pipeline succeeded in keeping its data and access credentials safe, the attack is unlikely to have happened. Raising the cost of those breaches by fines or other sanctions against firms that lose data is one policy solution — but the truth is that if a hacker is determined and skilled, or an insider compromised, that may not be enough.
Much depends on where the attack might come from. For most of the last decade, the US government and others have been clear that they might respond to any cyberattack originating from a nation state as it would to a conventional attack — if a cyberattack cost lives, so might a more direct military response.
That approach achieves little with the Colonial Pipeline incident. Though it has proved damaging and disruptive, it would still fall well below the threshold of anything that could be responded to in a conventional military manner. And for all the indications that the attacker is from Russia, very little is publicly proven.
Colonial Pipeline does not appear on the list of DarkSide’s targets — and the company has declined to say whether it paid a ransom to restore access to its systems.
Such payments are hard to tie to an identifiable recipient: the transactions themselves are public on the blockchain, but the receiving wallets are pseudonymous and the proceeds are quickly moved through mixers and exchanges outside Western jurisdiction. That is one reason experts suggest better regulating cryptocurrency might reduce such attacks. For now that seems relatively unlikely. As with legislating higher financial penalties for companies that are the victims of cyberattacks, pushing such laws through the US Congress or other national legislatures would be no easy task.
Even if such legislation were possible, such attacks appear only to be increasing, escalating much faster than the ability or willingness of often cash-strapped firms to resist. Governments, meanwhile, have no effective way of safeguarding huge swathes of critical national infrastructure.
Ransomware attacks are not the only problem. In last year’s SolarWinds hack, revealed in December, suspected nation-state attackers inserted a backdoor into a signed update of SolarWinds’s Orion network-management software, giving them access to the networks, accounts and data of any customer that installed it. As Orion’s customers included multiple government entities, among them US federal agencies, local government and law enforcement, the scale of the potential data loss was immense.
Because such breaches yield credentials and footholds in new systems, which can be used or sold on, they can pave the way for later ransomware attacks. Colonial Pipeline might be disruptive, but it could also be a warning of much worse to come.