Perils of Power III

Figure 6. Map of Colonial Pipeline. 


IV. Colonial Pipeline: DarkSide, a Ransomware Group’s Rise and Fall, and a Cautionary Tale in Cyberspace

The most notable publicly known cyber incident in the U.S. to impact energy infrastructure was the Colonial Pipeline (Colonial) breach. In May of 2021, a notorious non-state actor named DarkSide, with murky origins tied to Russia and eastern Europe, single-handedly engineered a series of events that led to the shutdown of a pipeline that supplies approximately 45% of the U.S.’s natural gas.

DarkSide is an allegedly now-defunct ransomware group, hailing from Russia, that specialized in a service known as “Ransomware-as-a-Service” (RaaS). This means that, in the obscure corners of the dark web, DarkSide sought to profit by selling its ransomware payloads to the highest bidder. CrowdStrike reports that RaaS offerings are sold to third parties – who then become DarkSide “affiliates” – and, in a sardonic echo of how SaaS platforms operate, arrive bundled with “24/7 support, user reviews, forums” and other helpdesk features. Moreover, the cost-benefit is stark: RaaS “kits” with devastating consequences can be purchased for around $40.00-$2,000.00, a “trivial amount” when the average ransom demand in 2021 was $6 million.

In light of this calculus, DarkSide and other ransomware groups target businesses they know can afford the ransom. It sounds like a simple prerequisite, but DarkSide holds it dear: as identified by Krebs on Security, DarkSide’s “Robin Hood” mentality follows a set of criteria first detected on dark web forums in August of 2020:

Figure 7. DarkSide’s Guiding Principles. 

Energy infrastructure is nowhere to be found under the category of targets that “will not be attacked”. This leaves energy infrastructure in a morally ambiguous position, one that is ripe for homing in on. It also explains why, in DarkSide’s eyes, Colonial and its fellow American corporate titans should be attacked: capitalist behemoths like Colonial, which reported $3.1 billion in assets, income of $420 million, and a net worth of $100 billion in the year prior to the disruption, can comfortably pay the ransom. On the DarkSide Leaks blog, the group declares that it is not in deference to any nation or authority: “...we do not participate in geopolitics…defined government…our goal is to make money”. And so it did.

On the morning of May 5, 2020, DarkSide operators tapped into Colonial’s corporate virtual private network and launched the group’s eponymous RaaS payload via a dormant account that did not even belong to an actual staff member. In doing so, they encrypted all 5,180 computers on the energy giant’s network with a very simple goal that is usually lost amidst the headlines that followed. Infamously, Colonial’s in-house software was completely devoid of multi-factor authentication, a simple verification control that in retrospect could have prevented the ransomware delivery altogether.

Prior to the ransomware weaponization and delivery, DarkSide stole 100 GB of employee, payroll and network data within two hours. This data, while relegated to a factoid in reports about the breach, is crucial: it is what DarkSide was actually holding ransom. As far as DarkSide was concerned, that was all they were after.

Even that, however, is not the most significant aspect of the Colonial disruption. The fragile link in any sequence of cybersecurity events is almost always traceable to one issue outside conventional vulnerabilities: panic and distress.

Thus, it is little surprise that a Colonial employee, having been met with a message not dissimilar to the one in Figure 8 (provided by Michael Krebs), sounded the alarm that catalyzed frenzy on an organization-wide scale.

Figure 8. A Ransomware encryption message from DarkSide similar to the one delivered to Colonial Pipeline devices.

An estimated 55 minutes later, the top brass at Colonial made the executive decision to cease pipeline operations. While no veracious reports have emerged from the room where it happened, Colonial retrospectively justified the decision as an effort to “contain and isolate the attack to help ensure the malware did not spread to the Operational Technology network”. In doing so, pandemonium ensued around the nation as global news networks picked up on what they misconstrued as a “cyber attack”. President Joseph R. Biden announced a state of emergency and consolidated an alphabet-soup who’s who of three-letter departments to advise on a delicate situation that would incontrovertibly repeat itself. Parochial and national news stations alike flashed compilations of cars herding around gas stations as a pipeline that is the lifeblood of American transportation was cut off in a matter of hours.

For Colonial, the larger, more headline-grabbing issue to reckon with was actually paying the sum of $5 million, for which the encryption message contained instructions. Colonial CEO Joseph Blount, allegedly spurred by the counsel of the Federal Bureau of Investigation “hours” after the disruption, ultimately decided that the best course of action was to oblige the cybercriminal group and pay the $5 million fee. DarkSide adhered to its word and, upon payment, decrypted the files as promised. But the collateral damage was impossible to ignore, and Colonial pejoratively enshrined itself as a metonym for cyber disruptions forever.

Mysteriously, DarkSide – at least the incarnation that propagated the attack – seemingly surrendered around a week later, citing “government pressure”. While the covert nature of the operation has not been confirmed, it is implied that the U.S. investigative apparatus ramped up its aggression in mercilessly vanquishing DarkSide: cybersecurity company Intel 471 reported that “The group’s name-and-shame blog, ransom collection website, and breach data content delivery network (CDN) were all allegedly seized, while funds from their cryptocurrency wallets allegedly were exfiltrated”.

To add to the U.S.’s revanchist mentality, the FBI managed to recover the entire ransom amount delivered, though the volatile nature of Bitcoin meant the amount exchanged was worth only $2.3 million. But Colonial was more concerned about the congressional audience it had to endure; Mr. Blount’s testimony was excoriated after he revealed the simplicity of a multibillion-dollar pipeline’s security controls, or lack thereof.

To this day, web searches for Colonial Pipeline hark back to the breach that redefined cybersecurity in the modern psyche. However, it is unfair to permanently brand Colonial with the castigation of shame when its troubles are likely emblematic of mistakes that other critical energy infrastructure operators may make.

Notably, Colonial failed to understand the fundamental difference between information technology and operational technology, two terms touched upon earlier. DarkSide did not. As narrated, DarkSide’s ransomware disruption wreaked mayhem upon Colonial’s information technology network – all of the interconnected points of data that serve the mission of storing and exchanging information with each other. Had there been sufficient in-organization education and adequate private-sector consultants on hand, the gesture of ceasing pipeline operations would have been precluded.

This is because the pipeline’s functionality is predicated on operational, not information, technology. Operational technology (OT) refers to the industrial control systems in place: the pneumatic, hydraulic, electrical and mechanical physical processes that are commanded from a central control panel. While there is potentially minor overlap, the actual pipeline’s systems were not being affected by the ransomware. Alas, the following conclusion is painful reading for Colonial employees: they didn’t have to turn off the pipeline.

Moreover, Colonial Pipeline is culpable both for its response to the incident and for failing to prevent it altogether. First, security controls were sorely lacking: the VPN account DarkSide gained access to did not possess basic controls or multi-factor authentication. Second, as mentioned, no one was using the account, which made it a liability – perhaps if the account had belonged to an employee, the response would have been more coherent and different.
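As an added example that is not from this essay or from Colonial, a short Python audit that flags the two conditions blamed above: enabled remote-access accounts that are dormant and accounts without multi-factor authentication. The field names, the 90-day dormancy threshold and the account records are all constructed assumptions.

```python
"""Audit remote-access (VPN) accounts for dormancy and missing MFA.

The account records below are constructed for illustration; the field
names and the 90-day dormancy threshold are assumptions, not a real export.
"""
from datetime import date

ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "mfa": True, "last_login": "2021-04-30"},
    {"user": "legacy-vendor", "enabled": True, "mfa": False, "last_login": "2020-09-12"},
    {"user": "svc-transfer", "enabled": True, "mfa": False, "last_login": None},
    {"user": "former-emp", "enabled": False, "mfa": True, "last_login": "2020-11-01"},
]

DORMANT_DAYS = 90  # assumption: no login in 90 days counts as dormant


def account_findings(acct, as_of_iso, dormant_days=DORMANT_DAYS):
    """Return the findings for one account; disabled accounts yield none."""
    findings = []
    if not acct["enabled"]:
        return findings  # a disabled account cannot authenticate, so it is not an entry point
    as_of = date.fromisoformat(as_of_iso)
    last = acct["last_login"]
    # An account that has never logged in is treated the same as a stale one.
    dormant = last is None or (as_of - date.fromisoformat(last)).days > dormant_days
    if dormant:
        findings.append("dormant")
    if not acct["mfa"]:
        findings.append("no-mfa")
    # Both together is the pattern described above: an unused credential that a
    # single leaked password is enough to use, with nothing to challenge it.
    if dormant and not acct["mfa"]:
        findings.append("disable-immediately")
    return findings


def audit(accounts, as_of_iso, dormant_days=DORMANT_DAYS):
    """Map each user with at least one finding to its list of findings."""
    report = {}
    for acct in accounts:
        findings = account_findings(acct, as_of_iso, dormant_days)
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, "2021-05-05").items():
        print(f"{user}: {', '.join(findings)}")
```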

The third cardinal sin committed by Colonial, in the fog of not fully comprehending its operational environment, was paying the ransom. The FBI does not recommend that any victim of a ransomware onslaught pay the fee requested: “Paying a ransom doesn’t guarantee you or your organization will get any data back”, reads the official FBI guidance on how to deal with ransomware-diffusing adversaries. Aamir Lakhani of Fortinet also sagely notes that, yes, you may in the short term breathe a sigh of relief as your contents are decrypted, but by following through with the ransom payment the sender is still essentially funding a malicious actor. The millions of dollars that these RaaS groups accumulate can be funneled into enhancing their malware to become even more formidable. The non-profit coalition Ransomware.org reports that 80% of ransomware victims who met the decryption demands were hit by another ransomware attack.

The final critical point about DarkSide meditates on the questions of attribution and sovereignty. In his “Taxonomy of Attribution” framework, author Jason Healey nominates a “spectrum of state responsibility” germane to cyber threat actors, ranging from state-prohibited – signifying that a hypothetical Russia, in DarkSide’s instance, would actually assist the U.S. in apprehending the cybercriminal group – to state-integrated, a status quo wherein the execution of malware upon opponent networks can be traced directly to an instrument within government or one that has governmental support. Given Russia’s bellicose trigger-happiness, its current zenith of diametric opposition to the West, and its unwavering pride in projecting the image of a nation that can brazenly challenge the unipolarity held dear by the U.S., it is fair to conjecture that the DarkSide ransomware disruption was “state-encouraged”: “third parties control and conduct the disruption and or attack, and the national government encourages them as a matter of policy”. Another notable work in conjunction with this discussion is Stanford Professor Herbert Lin’s discussion of how a cyber-affront can be attributed to a “man, state or machine”. Was DarkSide acting on behalf of the Russian government? The answer is inchoate, but one matter is certain: even in a world that predates Russia’s invasion of Ukraine, it can be ascertained that Russia did not do anything substantial to apprehend DarkSide, nor did it issue any punitive statements decrying the group. If any equivocation remains, Michael Krebs and co. can lay it to rest: DarkSide’s ransomware does not function on computer systems where Russian or Cyrillic alphabets are present. Ergo, any Russian networks would be immune to DarkSide malware. The geopolitical calculus of this is implicit.
