Colonial Pipeline Ransomware Attack: Lessons For SOC Operators


Earlier this month, Colonial Pipeline — the largest pipeline system for refined oil production in the U.S. — suffered a ransomware attack that resulted in the closure of one of the largest U.S. pipelines.

As a result of the attack, the pipeline operator was forced to temporarily halt all pipeline operations, causing massive disruptions to fuel supply throughout the U.S. Given that the organization transports more than 100 million gallons of fuel per day, the scale of the disruption was significant.

Although the Colonial Pipeline Company team was quick to draft in a cybersecurity forensics team to investigate the exact causes of the breach, concrete details about the precise cause of the attack haven’t yet been determined.

Nevertheless, the hacking has raised some interesting concerns for those operating security operations centers (SOC). Most pertinently, it has raised questions about the duty of many cybersecurity professionals to open-source information about attackers and payloads — and how to do so in a way that might not enable the “bad actors” to exploit vulnerabilities.

What Was The Colonial Pipeline Ransomware Attack?

At this point in time, the initial cyberattack vector hasn’t been established.  

What is known is that the ransomware primarily targeted the operator’s business systems — although in reality its operational technologies were affected indirectly because it decided to take down all systems as a protective measure against the attack.   

The temporary shutdown of distribution systems caused a rapid series of cascading events. Most directly, the supply of fuel to affected parts of the United States plummeted. Secondly, the disruption caused panic buying in commodities markets which resulted in a temporary surge in the price of fuel. 

On May 20th, Colonial Pipeline confirmed that it paid out more than $4 million in ransom in order to decrypt its locked systems, but just weeks later the U.S. Justice Department announced that it had recovered $2.3 million in Bitcoin that had been paid to the hackers. The new federal ransomware task force was able to recoup a large part of the payment because Colonial was willing to loop in the F.B.I. quickly. The seizure signals that the U.S. is taking an active role in going after ransomware attacks and similar cybercrime.

Who Is DarkSide?

DarkSide is a shadowy Russian hacking conglomerate. Any possible connections to the Russian government haven’t been proved yet and remain in the realm of speculation. What is known is that the group has embraced ransomware as a service (RaaS) as an operational model. The company is believed to recruit developers on the dark web.

According to an analysis by Palo Alto Networks’ Unit 42, the group is regarded as a relatively high-end ransomware developer. They tend to choose their potential victims carefully and engineer ransomware on the basis of substantial intelligence gathering, with the aim of causing the most disruption and hence extracting the most lucrative ransoms. Post-attack forensic analysis has revealed DarkSide’s footprints in a number of high-value targets. The group claimed credit for the attack on Colonial Pipeline and, as a target, it fits rather well with their typical victim profile.

DarkSide is known to be aggressive in piling on the pressure to get their victims to pay up the ransom. Within days of an attack, the group has been known to begin sending threatening emails to employees and calling executives on their personal cell phones.

During the intelligence-gathering and network-mapping preparatory phase of the attack the group has been known to engage in:

  • Using reconnaissance tools to attempt to gain information about target organizations’ active directory (AD). This can also be used to map out potential organizational silos to target.

During the attack the group has been known to:

  • Hack popular consumer password management utilities to gain additional credentials
  • Use PowerShell to schedule tasks related to payload execution on the compromised networks

After payload execution the group has been known to use:

  • Simple file transfer utilities such as rclone to exfiltrate data to popular consumer cloud services.

What Is Ransomware As A Service (RaaS)?

Ransomware as a Service (RaaS) is the business model that DarkSide has been using to tap into a network of outsourced talent, recruited from the internet, in order to execute attacks on its victims.

Under RaaS, affiliates are given access to ransomware tools made available by the group that selects the targets. They then receive a share of the proceeds if the ransom is paid.

This business model allows:

  • Small hacking conglomerates to carefully select their victims and conduct intensive surveillance while outsourcing the ‘dirty work’ of execution to external hackers
  • Hacking conglomerates such as DarkSide to tap into a virtually unlimited talent pool that extends far beyond their local market. In this manner, even small criminal collectives can achieve outsized results and inflict significant damage on large organizations

The ransom itself is collected by the conventional means for this kind of crime: the victim is extorted into paying a sum in cryptocurrency.

How Can Organizations Mitigate These Threats?

First, any organization that may fit the profile of the kind of organization that DarkSide has traditionally targeted needs to remember that it may be a target for hacking. Proactive posture hardening is therefore advisable in order to prepare a robust cybersecurity incident response. Even basic proactive fixes can go a long way.

One of the ways an organization can do this is by establishing a security operations center (SOC) to enable the real-time aggregation of logging and system state information from mission-critical infrastructure. Given the often time-sensitive nature of ransomware attacks, providing the monitoring infrastructure that can enable rapid incident response can be a key step towards mitigating potential damage and narrowing the attack surface.

Once aggregated, the signal can be separated from the noise, and it becomes easier to spot early warnings that might indicate hostile network mapping and intelligence gathering by malicious actors.
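To make the log-aggregation point concrete, here is an added example (not CYREBRO’s code or part of the original post) that scans Windows Security events for two of the DarkSide behaviours listed above: scheduled tasks whose action launches PowerShell, and rclone runs with the remote they address. Event IDs 4698 (scheduled task created) and 4688 (process created) are the standard Windows audit events; the sample records, hostnames, user and task name are constructed for the example.

```python
import json
import re

# Constructed sample events in JSON-lines form, modelled on Windows Security
# log fields (4698 = scheduled task created, 4688 = process created).
# These are illustrative records written for this example, not logs from the incident.
SAMPLE_EVENTS = r"""
{"EventID": 4688, "Computer": "fs01", "NewProcessName": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"EventID": 4698, "Computer": "fs01", "SubjectUserName": "svc_backup", "TaskName": "\\Updater", "TaskContent": "<Exec><Command>powershell.exe</Command><Arguments>-NoProfile -WindowStyle Hidden -File C:\\ProgramData\\t.ps1</Arguments></Exec>"}
{"EventID": 4688, "Computer": "fs02", "NewProcessName": "C:\\Tools\\rclone.exe", "CommandLine": "rclone.exe copy D:\\Finance mega:backup --transfers 32"}
{"EventID": 4688, "Computer": "fs02", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
"""

# rclone addresses a configured remote as <name>:<path>; a single-letter prefix
# such as D: is a Windows drive, so require at least two characters before the colon.
REMOTE_RE = re.compile(r"(?<!\S)([A-Za-z0-9_-]{2,}):")
POWERSHELL_RE = re.compile(r"powershell(?:\.exe)?|pwsh", re.IGNORECASE)


def scan(jsonl_text):
    """Return one finding per event that matches a behaviour named in the post."""
    findings = []
    for raw in jsonl_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        eid = ev.get("EventID")
        if eid == 4698 and POWERSHELL_RE.search(ev.get("TaskContent", "")):
            # Scheduled task whose action launches PowerShell (payload scheduling).
            findings.append({"rule": "scheduled_task_powershell",
                             "host": ev["Computer"], "task": ev["TaskName"],
                             "user": ev.get("SubjectUserName", "?")})
        elif eid == 4688:
            exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if exe == "rclone.exe":
                # File-transfer utility started on an endpoint; record the remote it targets
                # so the analyst can see whether it is a sanctioned backup or an exfil path.
                m = REMOTE_RE.search(ev.get("CommandLine", ""))
                findings.append({"rule": "rclone_transfer", "host": ev["Computer"],
                                 "remote": m.group(1) if m else "unknown"})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In a real SOC these rules would run over the aggregated event stream rather than a string, and an rclone finding would be correlated with the user, time and data volume before being escalated.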

CYREBRO built a managed SOC in the cloud which integrates all of an organization’s security events and backs them with proactive threat intelligence and rapid incident response. Proprietary detection algorithms strategically monitor, analyze, and interpret the consequences of events across all security solutions.

Other practical mitigation strategies can include:

  • Enforcing strong password policies and insisting on the use of two-factor authentication (2FA) throughout the organization
  • Using robust anti-spam filters to reduce the likelihood that phishing emails will reach users

Be Prudent About Sharing Victories

One other interesting aspect of this case worthy of discussion is the possibility—highlighted in Technology Review—that BitDefender’s announcement that it had contained an exploit used by DarkSide to inject ransomware may have tipped off the hackers to change tack.

Those working in the cybersecurity industry commonly share threat intelligence within the community in order to help other organizations defend against attacks. But this case highlights that audiences need to be carefully selected in order to avoid providing information to the wrong side.

Executive Summary

  • Colonial Pipeline is a major U.S. pipeline operator that suffered a ransomware injection from a shadowy Russian hacking collective known as DarkSide that uses RaaS to outsource development of attacks on high-value targets
  • The case highlights (again) how, in today’s distributed labor market, even small hacking collectives can achieve significant disruption including causing indirect events like fluctuations in commodity markets
  • Proactive threat monitoring and posture hardening are foundational elements of this approach. Deploying cloud-based SOCs is one way organizations can achieve this

