We’ve seen this movie before. After warnings go unheeded, a predictable, completely avoidable disaster strikes the US — in the process, revealing a soft, exposed underbelly of risk. And the people who get paid to stop this kind of thing from happening never seem to learn, most of the time, until it’s too late — or nearly.
This time, it was the ransomware attack on the Colonial Pipeline which took the US to the brink of a major national energy crisis, based on a confidential analysis from the US Energy Department as well as the national Homeland Security Department — both of which surmised that a cascade of bad outcomes was about to unfold, if this Colonial Pipeline thing had gone on a little longer. Just a few more days of the pipeline’s operational network being offline, for example, and the lack of diesel would have forced buses and various mass transit options to shut down, for one thing. And the domino effect would have also included factories and refiners likewise being put on ice — because a continued shutdown of Colonial’s network would have left them with nowhere to distribute their product.
And all because a Russian criminal extortion ring threw a ransomware attack at the IT network – not even the operational side! — of a US fuel pipeline.
Oh, and a quick update on that gang: If you believe the official headlines, the developers behind the DarkSide ransomware are said to have been taken offline, perhaps a result of the Biden administration exerting pressure quietly behind the scenes. Or as a result of our cyberspooks unleashing God-knows-what. At any rate, cybersecurity journalist Kim Zetter’s Zero Day Substack notes that the latest chatter about the ransomware gang points to its website, which previously was only accessible via Tor, now being unavailable. And that’s not all.
Someone from a rival ransomware gang reportedly left a message on a dark web forum in recent days that said the DarkSide founders had lost access to the site which they used to host and publish stolen data from their victims. Other infrastructure, such as their payment server, was also supposedly taken away from the DarkSide ring.
At the same time, not everyone is buying this turn of events — specifically, they’re not buying the notion that just one week after pulling off the Colonial attack, the DarkSide extortionists have been forced, no pun intended, to go dark.
“I sincerely hope the Infosec community and media don’t lose their minds over thinking DarkSide is actually shutting down when it’s almost certainly a rebranding attempt to avoid the heat,” Robert M. Lee, CEO of the security firm Dragos, tweeted on Friday.
Likewise, from Kimberly Goody, manager of the financial crime analysis team at FireEye: “Mandiant has observed multiple actors cite a May 13 announcement that appeared to be shared with DarkSide RAAS affiliates by the operators of the service. This announcement stated that they lost access to their infrastructure, including their blog, payment, and CDN servers and would be closing their service … The post cited law enforcement pressure and pressure from the United States for this decision.”
Here’s the key point from Goody, however: “We have not independently validated these claims and there is some speculation by other actors that this could be an exit scam.”
All of which is to say, all signs point to the fact that we got very, very lucky this time. Even so, what happened to Colonial Pipeline almost guarantees that critical infrastructure in the US will be hit again, and the outcome will probably be even worse next time.
Why? Well, for one thing, the victims in this case actually paid the ransom (nearly $5 million). That sends a message to the next extortion ring that wants to try this, as does what happened next — the DarkSide attackers gave Colonial a decryption tool that sounds like it was pretty terrible and slow to work, so Colonial resorted to doing the mitigation they could have done without paying up in the first place. Another signal sent to the next DarkSide. Worst of all, the Russians who broke into Colonial’s network provided something of a roadmap for the next time, showing that it doesn’t take much effort at all to produce chaos in a portion of the US, given how vulnerable so many interconnected systems are. In this case, the hackers hit a pipeline’s IT network, and Colonial itself took the pipeline down themselves — a dream come true for the bad guys.
Darkside is Ransomware-as-a-Service. For the most part, affilates carry out intrusions and deploy the Darkside ransomware which comes with substantial support. Profits are split between the parties. For more context and tactical detail see our report. https://t.co/pmpixfvI07
— John Hultquist (@JohnHultquist) May 11, 2021
The sort of good news here is that federal officials maybe, just maybe, got scared straight. Private enterprises control some 80% of critical infrastructure in the US, and there are reports that the Biden administration was already starting to view the Colonial Pipeline situation through a political lens — according to The New York Times, President Biden told aides in recent days that the lines at gas stations over the past week were a political disaster in the making, causing many in the administration to flash back to the oil crisis during the Carter presidency.
Nothing here, however, has changed the fact that I remain unshakably worried about the US in general, and in our ability to not even start to do the right thing until some disaster has already exacted a terrible price. The Colonial situation, for me, is a kind of near do-over of the onset of the coronavirus pandemic, for example, when warning signs were ignored and when the broader population no doubt assumed that the deployment of technology, of multiple redundancies, and of experts and agencies paid to stop this or that threat, would hopefully mean that the worst wouldn’t strike us here.
Making these two situations embarrassingly worse is the abundance of warnings that were, and will be, ignored. With the coronavirus pandemic, for example, we saw what was happening in the rest of the world — in places that dealt with it first, like China. Rather than shore up our defenses, though, political leadership at the time told everyone it can’t happen here. Likewise, we’ve seen what hackers can do in a situation like Colonial’s, yet we will be attacked again because someone, somewhere, will not be ready.
I'm an old lady who is having a difficult time understanding why a company is forced to pay $5,000,000 to regain its operating system. When I worked in IT we prepared for such situations before they happened pic.twitter.com/LaIzG9qGWx
— Vera – Biden&Harris Will Make America Great Again (@prayerfeathers) May 14, 2021
It is a weakness and a pretty scary shortcoming of the US, but our belief in the infallibility of our technological power, in our multiple protective redundancies, and in experts and federal agencies has proven to be misplaced time and time again. Here’s another, unrelated example: I was utterly floored by an incident described by journalist Carol Leonnig in her new book, Zero Fail: The Rise and Fall of the Secret Service.
“Just before 11:30 p.m. on a rainy Friday night in March 2017, a young man clambered over a five-foot-high fence and landed on the far northeast corner of the White House complex. His slender frame passing over the spiked black fence-line triggered a sensor that alerted Secret Service officers to a possible breach.”
She goes on to write how, since it was at night, the officers on duty struggled to get a visual of where this guy actually was on the complex, as they frantically roamed themselves. Which helped the 26-year-old intruder, in the confusion, to hop over two more barriers and also slip past not one, not two, but three staffed security posts — and walk all the way up to the east entrance to the White House. This guy even put his face up to the window and jiggled a door handle to see if it was locked.
“Over the course of 17 minutes,” Leonnig writes, the intruder “enjoyed a relaxed ramble around the grounds, eluded a team of 15 trained security professionals who were alerted to a likely burglar and crossed 200 yards of White House property without being stopped.” He even had time to sit down and tie his shoe.
That’s because of a slew of failures in the Secret Service’s supposedly high-tech defenses which combined to leave one of the most protected houses in the world vulnerable to a random intruder. They included a sensor on the White House fence malfunctioning, which meant that once the guy jumped over, an alarm that was supposed to sound inside didn’t. According to Leonnig, there are also motion-activated lights on the White House grounds that the intruder should have triggered, but same story — they weren’t working. An officer who caught up to the intruder tried to radio for help, but couldn’t. His radio was busted. And a camera covering the portion of the grounds where the intruder was roaming was, you guessed it, broken.
That unforgivably idiotic series of failures reminded me of all the broken defenses, the busted tripwires and the missed warnings that led to the coronavirus pandemic being as awful as it’s been in the US — more than 585,000 official deaths from the virus and counting, as of the time of this writing, based on Johns Hopkins University data.
Same with Colonial Pipeline. Everyone who knows anything about cybersecurity has been waiting for this line to be crossed, for attackers to start wreaking havoc on the US power grid, and other key pieces of infrastructure. It’s only a matter of time.
“Every fragility was exposed,” Dmitri Alperovitch, former chief technology officer of the cybersecurity firm CrowdStrike, told The New York Times about the Colonial Pipeline attack. “We learned a lot about what could go wrong. Unfortunately, so did our adversaries.”