How a Ransomware Crippled the USA’s Fuel Supply
By Nick Anderson
Malware’s ability to disrupt a service or business is profound. If adequate security and protocols are not set in place, it can cause downtime and incur significant financial damage. Moreover, it can make important data inaccessible or even make the confidential information public in the event of a breach. It’s exactly what happened in the Colonial Pipeline ransomware hack.
When a ransomware attack hit Colonial Pipeline this past May, it successfully penetrated the company’s defences and crippled the operations of a major fuel pipeline. Colonial Pipeline supplies 45 percent of the fuel consumed on the USA’s East Coast, so halting operations meant a significant setback to the fuel supply that could have resulted in price hikes.
But Colonial Pipeline was not the only victim. It was later revealed that LineStar Integrity Services was hit by a data breach that resulted in a huge leak of private data. Confidential data from that breach is still floating around in the dark corners of the web.
As the list of malware victims, especially ransomware victims, continues to grow, a briefing is in order on how ransomware works and why it is one of the most destructive forms of malware out there.
What is Ransomware?
Ransomware is a type of malware that locks you out of your data by encrypting it. Encryption is the process of converting plain text into an unreadable format called ciphertext using complex algorithms. Once encrypted, a document containing data like your personal information or something related to work will appear as complete gibberish.
The only way to revert the data to its original state (plain text) is to use the decryption key, which you then have to obtain from the attacker by paying the ransom. Ransomware is one of the most destructive forms of malware because an anti-virus cannot undo the encryption, whereas other types of malware, such as a virus, can be purged from the system. In a ransomware attack, the only way to get your data back is to pay the ransom, which can run into millions of dollars if you are a multi-national organization.
The Colonial Pipeline Ransomware Hack
It was May 7 when the Colonial Pipeline company announced that it had become the victim of a cyberattack. The attack was identified as ransomware that encrypted Colonial Pipeline’s data and demanded a ransom. The attackers were also able to breach and steal private data, which they threatened to release online if the ransom was not paid.
The full nature of the attack was not known at the time, so the company decided to take some of its operations offline to contain the threat. The company wanted to ensure that the attackers did not have access to its systems and could not influence the automated processes that industries like it rely on. Colonial Pipeline enlisted the help of a cybersecurity firm called Mandiant. After careful examination of the attack, operations slowly came back online, and full operations resumed within a week.
It has been revealed that the proverbial hole in the boat was a compromised VPN password that allowed the attackers to gain access. A Virtual Private Network (VPN) allows remote workers to log in to a local network and access resources inaccessible to outside networks. The compromised VPN password was discovered to be a part of leaked passwords available on the dark web.
It didn’t help that the associated account did not have multi-factor authentication. We have stressed how important Two-Factor Authentication (2FA) is to the security of your account. Even if someone knew the password to your account, they would not be able to get in without a second verification, like a One-Time Passcode (OTP) sent to your phone.
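As an added illustration of the point above (example code, not from the article), here is a minimal Python login gate in which a password that has already leaked is useless on its own, because a TOTP second factor (RFC 6238) is mandatory. The account, password and in-memory replay set are constructed demo values; the TOTP secret is the RFC 6238 reference secret so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credentials for a hypothetical VPN account (not from the page).
# Pretend the password below has shown up in a public credential dump.
USER_PASSWORD = "Winter2020!"
PASSWORD_HASH = hashlib.sha256(USER_PASSWORD.encode()).hexdigest()  # demo only; use a slow KDF in production
TOTP_SECRET = b"12345678901234567890"   # RFC 6238 reference secret (SHA-1 test vectors)
TOTP_STEP = 30
TOTP_DIGITS = 6
_used_codes = set()  # codes already accepted, so a sniffed code cannot be replayed


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step or one step either side (clock drift), never the same code twice."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            key = (secret, expected)
            if key in _used_codes:
                return False          # replayed code: reject
            _used_codes.add(key)
            return True
    return False


def vpn_login(password: str, otp: Optional[str], unix_time: Optional[int] = None) -> bool:
    """A correct password alone never grants access; the second factor is required."""
    if unix_time is None:
        unix_time = int(time.time())
    pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), PASSWORD_HASH)
    if not pw_ok or otp is None:
        return False
    return verify_totp(TOTP_SECRET, otp, unix_time)
```

With the leaked password but no code, `vpn_login` returns False; only the password plus a fresh, unused code opens the account.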
Possible Implications of Such an Attack
Although Colonial Pipeline is a privately-held company, it serves a major commodity: fuel. Of the 2.5 million barrels it delivers every day, a large share goes to airports in the USA. Attacks of this kind therefore have major implications, including the possibility of foreign intelligence agencies seeking to cripple a nation’s industry.
The Federal Bureau of Investigation (FBI) and other federal agencies, such as the Cybersecurity and Infrastructure Security Agency, were deeply engaged with the company on the matter. The FBI confirmed that the attack was the work of a cybercriminal group known as Darkside.
The hacker group released a statement that the Colonial Pipeline ransomware hack was motivated by money, not foreign influence.
How the FBI Responded to the Colonial Pipeline Ransomware Hack
In an astonishing feat, the FBI was able to recover the ransom paid to the hackers by Colonial Pipeline to retrieve the stolen data and decryption key.
Cybercriminals usually ask for the ransom in cryptocurrency because it is harder to trace. The absence of a central authority controlling transactions and the encrypted nature of wallets make it near-impossible to trace funds. But the FBI seems to have figured it out.
The FBI monitored the Bitcoin ledger and traced the transfer of 64 bitcoins to an address. It then used the private key belonging to that Bitcoin wallet to retrieve the bitcoins. This is a remarkable achievement, because a crypto wallet holds the private key required to authorize transactions; anyone who gets hold of your private key can drain the bitcoins in the wallet.
The FBI did not reveal how it managed to do it.
“I don’t want to give up our tradecraft in case we want to use this again for future endeavors,” – Elvis Chan, FBI
Furthermore, the FBI took down servers and websites operated by Darkside. The hacker group announced its plan to shut down its Ransomware-as-a-Service (RaaS), essentially winding up its operation for good.
Cryptocurrency is often used by criminals to move money or collect a ransom, and it was considered untraceable until now. The scathing response sends a message to cybercriminals that they can no longer expect to get away with digital theft as they once could.
LineStar Integrity Services Hack – Another Data Breach Follows
As events around the attack unfolded, another U.S.-based company became the victim of a data breach. Reports revealed that LineStar Integrity Services suffered a massive breach that resulted in the leak of 70 GB of data. The breach, attributed to a hacker group called Xing Team, did not make many headlines because the company chose to stay quiet on the matter.
LineStar Integrity Services sells compliance, maintenance, and technology solutions to customers. The data obtained from the breach has been dumped on the dark web. As reported, it contains emails, business documents, proprietary code, and even details on employees like their driver’s licenses and social security cards.
The fact that such data is now public opens the door to a number of sinister possibilities. Cybercriminals can use this information to launch phishing and spear-phishing campaigns against those named in the leak. Because LineStar provides integration and technology services, the data could also allow attackers to find vulnerabilities in those systems and follow up with another Colonial Pipeline-type attack.
Conclusion – How to Protect Yourself from Malware
Malware is an umbrella term to describe software that contains ‘bad code’; it can alter the functionality of your device or cause significant damage to it.
Cybercriminals are always working to find vulnerabilities, including zero-day exploits. Certain practices can reduce your chances of becoming a victim of malware: keep your device updated with the latest operating system version, keep your applications up to date, never download attachments from suspicious emails, and never install programs from third-party websites.
Above all, invest in an anti-virus that is robust enough to handle all types of malware, and keep it updated with the latest malware signatures. When you are out on the street or in a cafe using public Wi-Fi, use a VPN to encrypt your communication.
As a business, you need to deploy threat management and have clear protocols in place. That includes limiting access to information to only the people who need it for their job and implementing a zero-trust policy.