In May of this year, a company in the USA paid $4.4 million in bitcoin to release itself from the clutches of a ransomware attack.
At the time, this attack was just one of an average of 303 million ransomware attacks that happen globally each year: a drop in the ransomware ocean, it seemed. The ransom paid wasn’t even particularly large; for large enterprises, the average ransomware payment is approximately $2 million.
However, this particular ransomware attack was packaged and sent to Colonial Pipeline, an oil and fuel company in Texas that supplies 45% of the eastern seaboard of the USA with 2.5 million barrels of aviation and vehicle fuel daily.
This hack caused Colonial Pipeline to completely shut down its gasoline output. The Federal Motor Carrier Safety Administration had to issue an emergency declaration for 17 states to keep emergency fuel supply lines open while Colonial scrambled first to pay the ransom and then to discover how it had happened. Post-event, it is regarded as the largest cyber attack on oil infrastructure in American history, and it was the first time in Colonial’s 57-year history that it had shut down its entire gasoline pipeline.
This one ransomware attack shut off critical IT and computing systems at an integral infrastructure company that is semi-national in scale. It sent massive shock waves through the energy market as Colonial Pipeline halted all operations to contain the attack. But where this attack made headlines, and where it was most keenly felt, was far away from the silos and pipeline valves in Texas: it was on forecourts and at gas stations around the USA, as customers panic-bought fuel.
This, then, has ushered in a new era of ransomware. Other attacks have hit huge databases, such as those of Facebook and SolarWinds, but those dealt damage away from the tangible. Although sensitive data breaches and huge ransomware attacks are both financially damaging and privacy-critical, very few system compromises have had such a sudden, immediate and merciless effect on commercial, end-user experience.
Reporting of the sudden closure of the lines caused a run on fuel, with some forecourts running out of gas, which exacerbated the problem and caused prices to skyrocket temporarily. Although the attack was foiled, and most of the ransom (which was paid in Bitcoin) has been returned via the FBI, the signs are ominous for the future of ransomware attacks.
How did the hackers gain access to the Colonial Pipeline IT network?
This is probably the most contentious part of the event. The hackers gained access through a single, dormant VPN account. On review, the password used to gain access was part of a batch of passwords leaked on the dark web, indicating that an employee had used the same password on two VPN accounts. Experts caution, however, that they cannot be sure exactly how and where the hackers found the account details.
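One defender-side check this access path motivates, written here as an added example rather than anything from the article or from Colonial Pipeline: alert on a successful VPN login by an account that has been silent for months, and list accounts that have gone stale so they can be disabled before they become a way in. The log format, account names, dates, identity-provider inventory and the `DORMANT_DAYS` threshold are all constructed assumptions.

```python
"""Detect VPN logins by dormant accounts, the access path described above.
Added example, not from the article: log format, users, dates and the
identity-provider inventory are all constructed."""
from datetime import datetime, timedelta

DORMANT_DAYS = 90  # assumption: no successful login for 90 days = dormant
# Constructed VPN authentication log: "<ISO timestamp> <user> <result>"
SAMPLE_LOG = """\
2021-01-05T08:02:11 carol success
2021-01-12T08:05:40 bob success
2021-02-01T09:10:02 alice success
2021-03-15T07:59:30 bob success
2021-04-02T22:13:51 dave success
2021-04-29T05:31:17 carol success
2021-04-29T05:32:02 alice success
"""
# Constructed last-known logins from the identity provider; seeds history
# for accounts that never appear inside the log window (e.g. erin).
KNOWN_LAST_LOGIN = {"dave": datetime(2020, 9, 1), "erin": datetime(2020, 6, 30)}

def parse_log(text):
    """Turn log lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events

def dormant_logins(events, seed, dormant_days=DORMANT_DAYS):
    """(user, gap_days) for each success preceded by dormant_days of silence."""
    threshold = timedelta(days=dormant_days)
    last_success = dict(seed)
    alerts = []
    for ts, user, result in sorted(events):
        if result != "success":
            continue
        prev = last_success.get(user)
        if prev is not None and ts - prev >= threshold:
            alerts.append((user, (ts - prev).days))
        last_success[user] = ts
    return alerts

def stale_accounts(events, seed, as_of, dormant_days=DORMANT_DAYS):
    """Accounts with no success for dormant_days as of ISO date as_of."""
    last_success = dict(seed)
    for ts, user, result in sorted(events):
        if result == "success":
            last_success[user] = max(ts, last_success.get(user, ts))
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=dormant_days)
    return sorted(u for u, ts in last_success.items() if ts < cutoff)
```

Run against real VPN logs, the first function feeds an alert and the second feeds a periodic account-cleanup job; the seed dictionary is what stops a long-unused account from looking "new" simply because the retained log window is short.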
What did they gain access to?
The hackers did not gain access to the vital pipeline flow controls, or to any software that actually controlled the flow of fuel. They did, however, move around within the IT network and stole 100GB of data, which formed part of the ransom demand.
What were the takeaways from this hack?
- A significant infrastructure hack, and one of the most publicly felt ransomware attacks of the last few years, happened through one compromised VPN account. Educating every member of your team about the channels through which ransomware arrives, employee safety and network access is critical. Although it seems crass and simplistic to state it, cover all your bases and make company-wide technology safety as important, valued and regulated as health and safety and mental health support. Antivirus software is only one part of a system’s health. Your personnel have to be equally savvy about how it works, why it works, and what happens if it goes wrong.
- Other critical considerations are communications and PR “disaster planning”. When the end result of this sort of hack is the shutdown of a vital resource, the public have a right to know how it affects them, delivered with a measured, full-spectrum approach that minimises panic and communicates continuity of service.
- For example, at one point 71% of petrol stations in Charlotte, North Carolina had run out of gas. Despite President Biden announcing a state of emergency on May 9th (2 days after the hack), it took senior US government figures a further 5 days to tell the wider public that the United States was undergoing a “supply crunch” rather than a gas shortage. This communication was, in retrospect, slower than it should have been, but it did halt any further run on fuel.
In retrospect, the damage, despite being financially burdensome, was minimal. But the lessons learned could be critical in better protecting other industries and public services, such as water, waste, first responders and the police. If this has happened once, you can be assured it will happen again.