Colonial Pipeline attack: Hacking the physical world
The attack is a reminder of growing cyberthreats to critical infrastructure while also showing why providers of essential services are ripe targets for cybercriminals
While detractors have argued that threats against physical infrastructure are overstated and largely theoretical, the growing list of organizations that have been successfully attacked suggests otherwise. And now the media is full of reports of the flow-on effects of the ransomware attack leveled against Colonial Pipeline by the DarkSide cybercriminal gang. In fact, a lot has happened since – US President Joe Biden has signed an executive order aimed at improving the nation’s cyber-defenses and the company has restarted normal operations, while DarkSide claims to have shut up shop and there are also reports that Colonial Pipeline paid the gang $5 million in ransom.
Regardless, while the investigation into the attack is ongoing, the ransomware payload has been detected as Win32/Filecoder.DarkSide since October 2020, so the attackers don't appear to have needed a stealthy, state-sponsored zero-day exploit to compromise their targets.
For years we’ve noted would-be attackers quietly probing around critical infrastructure targets, even launching attacks against specific, high-value targets such as in the examples listed above. This shows no sign of slowing. When those attacks occurred, we were asked whether we’d see similar efforts in the North American market. We said yes. We were right.
The same was true of NotPetya (aka Diskcoder.C): the individual pieces of that attack were not exotic zero-days either, but an already-patched SMB vulnerability, stolen credentials, and legitimate administration tools chained together. In the current environment, attackers don't need to burn zero-days; they can get in without them.
By spending significant time understanding a target's network and infrastructure, attackers can chain off-the-shelf threats we have known about for years into specially crafted attack sequences that are surprisingly effective.
While critical infrastructure operators have put significant effort into security in recent years, they are starting from decades-old equipment, networking gear, and communications protocols. In practice that means serial protocols with no security at all, Modbus, which has no authentication or integrity protection either, or one of a handful of others that are similarly insecure. Operators have forklifted in security gateways and have made strides, but it's still relatively easy to find chinks in the armor. They are ramping up secure communication technologies, but the effort still feels nascent.
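To make the point about Modbus concrete, here is an added example (not code from the original article or from any operator mentioned in it) that parses Modbus/TCP request frames and shows that every field is addressing and data: there is no place for a credential or a signature, so a write from an attacker is byte-for-byte indistinguishable from a write from the HMI. The only compensating control a passive monitor has is the source of the traffic, which is what the allow-list check below implements. The IP addresses, allow-list and frames are constructed for the example, not captured from any real network.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change PLC state. A Modbus/TCP frame carries no
# authentication or integrity field, so the only way to tell an operator's
# write from an attacker's write is where it came from on the network.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTION_CODES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    MBAP: transaction id (2), protocol id (2, always 0), length (2) = number
    of bytes that follow the length field, unit id (1).
    PDU: function code (1), starting address (2), then function-specific data.
    Note what is absent: no session token, no password, no MAC, no signature.
    """
    if len(frame) < 10:
        raise ValueError("frame too short for MBAP header, function code and address")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    if fc not in WRITE_FUNCTION_CODES and fc not in READ_FUNCTION_CODES:
        raise ValueError(f"unsupported function code {fc}")
    (address,) = struct.unpack(">H", frame[8:10])
    return ModbusRequest(tid, uid, fc, address, frame[10:])


def build_request(tid: int, unit_id: int, fc: int, address: int, value_or_count: int) -> bytes:
    """Build a single-register/coil write or a read request (constructed test traffic)."""
    pdu = struct.pack(">BHH", fc, address, value_or_count)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)  # +1 for the unit id byte
    return mbap + pdu


def audit_write(src_ip: str, frame: bytes, allowed_writers: set) -> Optional[str]:
    """Return an alert if a state-changing request comes from a host that is not
    on the allow-list of engineering workstations and HMIs; None otherwise."""
    req = parse_modbus_tcp(frame)
    if req.function_code not in WRITE_FUNCTION_CODES or src_ip in allowed_writers:
        return None
    return (f"ALERT: {WRITE_FUNCTION_CODES[req.function_code]} (FC {req.function_code}) "
            f"to unit {req.unit_id} address {req.address} from unauthorized host {src_ip}")


def run_audit(traffic, allowed_writers: set) -> list:
    """Run audit_write over (source_ip, frame) pairs and collect the alerts."""
    return [a for a in (audit_write(ip, f, allowed_writers) for ip, f in traffic) if a]


# Constructed sample traffic: one legitimate HMI and one unknown host on the OT network.
ALLOWED_WRITERS = {"10.10.1.5"}  # hypothetical HMI that is supposed to issue writes
SAMPLE_TRAFFIC = [
    ("10.10.1.5", build_request(1, 1, 3, 0, 10)),     # HMI polls 10 holding registers
    ("10.10.1.5", build_request(2, 1, 6, 100, 1)),    # HMI writes register 100: legitimate
    ("10.10.7.44", build_request(3, 1, 6, 100, 0)),   # unknown host writes register 100: alert
    ("10.10.7.44", build_request(4, 1, 3, 0, 10)),    # unknown host reads: not flagged here
]

if __name__ == "__main__":
    for alert in run_audit(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print(alert)
```

The third frame is accepted by the PLC exactly as readily as the second; only the source-based check distinguishes them, and that check is defeated by anyone who can spoof or pivot through the allowed host. That is why the protocol-level fixes the article alludes to (TLS-wrapped Modbus/TCP Security, or gateways that terminate unauthenticated protocols) matter more than monitoring alone.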
Add to this the leverage that comes with being able to shut down a chunk of physical infrastructure most of us take for granted, and attackers have low-hanging fruit ripe for the picking.
Meanwhile, critical infrastructure operators try to lure security specialists away from Silicon Valley to work on some remote mountaintop securing a critical facility and its ageing technology. That can be unalluring and, therefore, a hard sell when the alternative is a hot startup in a large city.
But when the lights, water, fuel, or communication networks suddenly stop, expect renewed focus on critical infrastructure security.
And while serious groups of technologists are ramping up specific initiatives to thwart ransomware, it's unnerving to know that attackers can still be effective using years-old threats we thought we had all protected against and solved.