Securing India’s Infrastructure: Key Takeaways from the Colonial Pipeline Hack

In 2021, Colonial Pipeline, a major supplier of oil and gas to the American east coast, was taken offline after a reported ransomware attack. The attack on the 5,500-mile pipeline triggered calls for increased regulation to protect and strengthen critical infrastructure against cyberattacks.

Since the incident, there has been more awareness of, and willingness to invest in, securing critical infrastructure in India, with the much-awaited Cybersecurity Bill 2024 being tabled in Parliament in March this year.

The Indian government has steadily increased its cybersecurity investment through successive incremental budgetary allotments. Three years on, the attack still raises the question: how exposed to attack is India's critical infrastructure?

Changing landscape of operational technology (OT)

Traditionally, operational technology (OT) systems were isolated and “air-gapped” from the internet. However, the convergence of IT and OT has led to increased connectivity. The Colonial Pipeline attack exploited this connectivity, highlighting the need for robust security protocols. India’s critical infrastructure sectors (energy, transportation, and water supply) must assess their OT networks and implement necessary safeguards.

Compliance vs. security

While regulatory compliance provides a baseline, it alone is insufficient. Organizations should move beyond compliance and adopt a risk-based approach. Regular security assessments, vulnerability scans, and penetration testing are crucial. India’s proposed Cybersecurity Bill 2024 emphasizes the importance of proactive security measures.

Investment in cybersecurity

India must allocate adequate resources to strengthen its critical infrastructure cybersecurity. Budgetary provisions should cover training, threat intelligence, incident response, and technology upgrades. Collaborating with international partners and adopting best practices can enhance India’s cyber resilience.

Recommendations for India

The Colonial Pipeline incident demonstrated that critical infrastructure is becoming a significant issue in cybersecurity and that businesses must constantly be ready. This incident, one of the most disruptive attacks in history, forever altered the cybersecurity environment, paving the way for increased discussions about OT security among the general public, government officials, and the cybersecurity sector. It sparked a trend, pressing the public sector to be more proactive and invest more in operational technology security.

As a result, legislators and politicians are looking for ways to improve regulation and strengthen cyber defenses. More importantly, the attack underlines the importance of a comprehensive risk management approach and of understanding where we want to be in terms of cybersecurity in ten years. With OT at the center of the discourse, strengthening our cyber defenses is more important than ever.

European Oil Port Hubs Hit by a Cyberattack

Hamburg, a major port in northern Germany, was targeted by the cyberattack, as were at least six oil ports in Belgium and the Netherlands. Prosecutors in Belgium have opened an inquiry into the theft of oil supplies at the country's marine entryways, particularly Antwerp, which is Europe's second-largest port after Rotterdam.

Prosecutors in Germany are said to be looking into a cyberattack on oil facilities, described as a probable ransomware attack, in which hackers demand money in exchange for releasing captured networks.

Last month, oil prices reached a seven-year high amid geopolitical tensions with Russia, and rising energy costs have alarmed European authorities.

"A cyberattack was launched against several terminals, causing significant disruption. The software has been taken over and is unable to process barges. The operating system is basically down," said Jelle Vreeman, a senior trader at Riverlake in Rotterdam.

Europol, the EU's police agency, confirmed that it was aware of the events in Germany and had given assistance to the authorities. "At this time, the investigation is underway and in a critical stage," said Claire Georges, a spokesperson for Europol.

Last week, the first signs of what looks to be a complex cyberattack were revealed in Germany; on January 29, Oiltanking Group and Mabanaft were found to be the victims of a cyberattack.

Belgian authorities were also looking into the incident, which impacted terminals in Ghent and Antwerp-Zeebrugge. In Amsterdam, Ghent, and Antwerp, SEA-Tank, Oiltanking, and Evos are all reporting faults with their operating systems.

Oiltanking Deutschland GmbH & Co. KG, a company that stores and delivers oil, motor fuels, and other petroleum products, announced that it had been hacked. According to the company, it was compelled to operate at "restricted efficiency" and was conducting an investigation. The intrusion on Oiltanking was caused by ransomware, which encrypts data and renders computer systems useless until a ransom is paid.

Following a ransomware attack on US oil distributor Colonial Pipeline in May of last year, supplies tightened across the US, prompting several states to declare an emergency. However, cybersecurity experts warn against assuming that these events are part of a coordinated campaign to destabilize the European energy industry.

"Some varieties of malware harvest emails and contact information and use it to actively spam dangerous attachments or links," said Brett Callow, Threat Researcher at cybersecurity firm Emsisoft. While investigating the extent of the infiltration, the affected organizations report taking steps to rectify the situation and strengthen their networks.

Extortion Emails by Bogus DarkSide Gang Targets Energy and Food Industry

In bogus extortion emails sent to firms in the energy and food industries, threat actors impersonate the now-defunct DarkSide ransomware operation. DarkSide ransomware first hit business networks in August 2020, demanding millions of dollars in exchange for a decryptor and a pledge not to reveal stolen data.

Following its attack on Colonial Pipeline, the country's largest petroleum pipeline, the ransomware gang was thrown into the spotlight, with the US government and law enforcement focusing their attention on the group. Because of the heightened scrutiny from law enforcement, DarkSide abruptly shut down its operations in May for fear of arrests.

Trend Micro researchers reveal in a new analysis that a new extortion campaign began in June, with threat actors imitating the DarkSide ransomware group. "Several companies in the energy and food industry have recently received threatening emails supposedly from DarkSide," explains Trend Micro researcher Cedric Pernet. "In this email, the threat actor claims that they have successfully hacked the target's network and gained access to sensitive information, which will be disclosed publicly if a ransom of 100 bitcoins (BTC) is not paid." 

The email campaign began on June 4 and has hit a handful of targets every day since then. The threatening emails were sent to the generic email accounts of a few firms. The Bitcoin wallet at the bottom of the email is the same for every target, and it has neither received nor sent any Bitcoin. No actual attack has been linked to the emails, and no new targets have been discovered.

The researchers discovered that, in addition to emailing targets directly, the same attacker had filled in the contact forms on many companies' websites. The content of the web forms was identical to the text of the emails. They were able to obtain the sender's IP address, 205[.]185[.]127[.]35, which is a Tor network exit node.

The threat actor appears to be exclusively interested in the energy (oil, gas, and/or petroleum) and food businesses, based on the telemetry data; in fact, all of their targets are in these industries. The campaign had the most impact on Japan, followed by Australia, the United States, Argentina, Canada, and India. China, Colombia, Mexico, the Netherlands, Thailand, and the United Kingdom are among the other countries affected.
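As an added illustration (not code from the original post or from Trend Micro), the Python below triages inbound extortion emails for the traits reported above: one wallet shared across many recipient organizations, a fixed 100 BTC demand, delivery to generic mailboxes, and a Tor exit node as the sender. The messages, the wallet string and the exit-node set are constructed placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Address shapes only (legacy 1.../3... and bech32 bc1...); no checksum validation.
BTC_ADDRESS = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
BTC_DEMAND = re.compile(r"\b(\d+(?:\.\d+)?)\s*(?:bitcoins?|BTC)\b", re.IGNORECASE)
GENERIC_MAILBOX = re.compile(r"^(?:info|contact|sales|admin|office)@", re.IGNORECASE)

# Constructed stand-in for a Tor exit-node feed (a deployment would load the
# published exit list). The one entry is the post's defanged IP, re-fanged.
TOR_EXIT_NODES = {"205.185.127.35"}


@dataclass
class Message:
    sender_ip: str
    recipient: str
    body: str


def extract_indicators(body):
    """Return (set of wallet strings, demanded BTC amount or None) found in the text."""
    wallets = set(BTC_ADDRESS.findall(body))
    m = BTC_DEMAND.search(body)
    return wallets, (float(m.group(1)) if m else None)


def assess(messages, min_orgs=3, threshold=4):
    """Score each message; report wallets reused across >= min_orgs recipient domains."""
    wallet_domains = defaultdict(set)
    for msg in messages:
        domain = msg.recipient.rsplit("@", 1)[-1].lower()
        for w in extract_indicators(msg.body)[0]:
            wallet_domains[w].add(domain)
    reused = {w: sorted(d) for w, d in wallet_domains.items() if len(d) >= min_orgs}

    results = []  # (recipient, score, flagged, reasons)
    for msg in messages:
        wallets, demand = extract_indicators(msg.body)
        score, reasons = 0, []
        if msg.sender_ip in TOR_EXIT_NODES:
            score += 2; reasons.append("sender is a Tor exit node")
        if GENERIC_MAILBOX.match(msg.recipient):
            score += 1; reasons.append("sent to a generic mailbox")
        if demand is not None:
            score += 1; reasons.append(f"demands {demand:g} BTC")
        if wallets & set(reused):
            score += 3; reasons.append("wallet reused across organizations")
        results.append((msg.recipient, score, score >= threshold, reasons))
    return reused, results


# Constructed sample traffic; the wallet is a placeholder, not a real address.
FAKE_WALLET = "bc1qplaceholderwalletconstructed000"
TEMPLATE = ("We have hacked your network and copied sensitive files. Pay 100 bitcoins "
            f"(BTC) to {FAKE_WALLET} within 3 days or the data will be published.")
SAMPLE_MESSAGES = [
    Message("205.185.127.35", "info@refinery-a.example", TEMPLATE),
    Message("205.185.127.35", "contact@foodco-b.example", TEMPLATE),
    Message("205.185.127.35", "info@pipeline-c.example", TEMPLATE),
    Message("198.51.100.7", "jane.doe@refinery-a.example",
            "Attached is the revised maintenance schedule for Q3."),
]

if __name__ == "__main__":
    reused_wallets, verdicts = assess(SAMPLE_MESSAGES)
    print("reused wallets:", reused_wallets)
    for recipient, score, flagged, reasons in verdicts:
        print(recipient, score, "FLAGGED" if flagged else "ok", reasons)
```

Wallet reuse only becomes visible once mail from several organizations is pooled, which is why the check runs over a batch rather than per message.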

Pipeline Shutdown Shows Need for Tougher Cybersecurity Laws

The six-day shutdown of a key 5,550-mile fuel pipeline earlier this month as a result of a malware attack proved a case study in everything that can go wrong when the private sector, which operates critical sections of American infrastructure, fails to prioritize cybersecurity and the government lacks the resources to properly deter cyberattacks and manage the fallout.

Colonial Pipeline's response to a recent hacker attack was fast and comprehensive. The private company turned off the supply of nearly half of the East Coast's oil, diesel, and jet fuel, which had never been done before. Long lines formed at gas stations from Washington, D.C., to Florida as a result of a combination of fuel shortages and panic buying. Stopovers were added to US air travel routes to enable planes to refuel in central and northern states. 

Colonial Pipeline was the victim of a ransomware attack by a group of Eastern European cyber bandits known as DarkSide, which extorted $4.4 million from the company as it rushed to reclaim control of its information management infrastructure and ensure the hackers had not breached the pipeline's operating system. The pipeline was eventually brought back online, and DarkSide discontinued operations. However, the most serious harm had already been done: the incident demonstrated how simple it was to bring a large portion of American infrastructure to a halt with a cyberattack about as sophisticated as a pickpocketing.

President Biden responded by signing an executive order that provides incentives for IT service providers to share data about cybersecurity vulnerabilities and breaches with the government. The order also establishes a cybersecurity safety review board with a remit similar to that of the National Transportation Safety Board, which investigates airline and railroad accidents and makes safety recommendations.

However, Congress should impose mandatory reporting regulations requiring private sector companies in charge of sections of the nation's vital infrastructure to report possible and actual violations so that the government and industry can respond more quickly to minimize the consequences. A bill like this has been discussed in Congress for more than a decade, but it has yet to become law. 

Senator Angus King, who is co-chair of the Cyberspace Solarium Commission, established by Congress to bolster US cybersecurity protections, stated in an interview, “We need to build a structure that facilitates and supports open communication and trust, between this critically important infrastructure and the government in order for the government to be able to help.” 

Because of the vast number of phishing and other low-level breach attempts they face, private sector companies are sometimes unable to disclose sensitive details about cybersecurity vulnerabilities or risks for fear of civil liability. The carrots to the mandatory reporting requirement's stick, according to King, will be liability protections and a careful, narrow definition of what counts as a reportable incident.

Much remains to be done to ensure the cybersecurity of the country's vital infrastructure, including enforcing more structured federal oversight in place of the current multi-agency approach, which can be cumbersome, redundant, and slow; holding Russia responsible not just for its own cyber espionage but also for sheltering other cyber attackers within its borders; and tightening the federal government's own cybersecurity, which the SolarWinds hack showed to be vulnerable last year.

FBI – CISA Published a Joint Advisory as Colonial Pipeline Suffers a Catastrophic Ransomware Attack

Following a catastrophic ransomware attack on Colonial Pipeline, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory. The notice, issued on Tuesday 11th May, contains information on DarkSide, the malware operators running a Ransomware-as-a-Service (RaaS) network.

DarkSide is responsible for the Colonial Pipeline cyberattack. On Friday 7th May, the fuel giant said that a cyberattack, later found to be an intrusion by DarkSide affiliates, had obliged the company to halt pipeline operations and take its IT systems offline.

Cybercriminal gangs use DarkSide to gain entry to a victim's network and encrypt its data, and threaten to disclose the data if the victim does not pay the ransom. Groups leveraging DarkSide have recently targeted organizations across various critical infrastructure (CI) sectors, including manufacturing, legal, insurance, healthcare, and energy.

Colonial Pipeline has yet to recover, and the FBI is engaged with the company, a key infrastructure supplier that provides 45% of the East Coast's fuel and typically moves up to 100 million gallons of fuel per day.

"Cybercriminal groups use DarkSide to gain access to a victim's network to encrypt and exfiltrate data," the alert says. "These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy." 

DarkSide's ransomware is available to RaaS clients. This cybercriminal business model has become prominent because only a core team needs to develop the malware, which is then distributed to affiliates.

RaaS can be offered to affiliates on a subscription basis, and/or the developers may take a cut of the income when a ransom is paid. In exchange, the developers continue to enhance their malware 'product'.

Furthermore, the FBI - CISA advisory also provides tips and best practices to avoid or mitigate ransomware threats.

The most important defense against ransomware is prevention. It is crucial to follow good practices to defend against ransomware attacks, which can be damaging to an individual or an organization.

"CISA and FBI urge CI [critical infrastructure] asset owners and operators to adopt a heightened state of awareness and implement recommendations [...] including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections," the agencies say. "These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware."

Colonial Hackers Stole Data on Thursday Ahead of Shutdown

The hackers who caused Colonial Pipeline to shut down the biggest US fuel pipeline last Friday began their blitz against the company a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment, according to sources.

According to the two reports, the intruders, who are members of the DarkSide cybercrime group, took nearly 100 gigabytes of data from the Alpharetta, Georgia-based company's network in just two hours on Thursday.

The step was part of a double-extortion scheme that has become a trademark of the group. According to the reports, Colonial was told that the stolen data would be released on the internet, while information encrypted by the hackers on machines within the network would stay locked until it paid a ransom. The company didn't immediately respond to requests to comment on the investigation. It said earlier that it "proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems".

Colonial's decision on Friday to shut down the main pipeline that supplies the US East Coast with gasoline, diesel, and jet fuel, without specifying when it would reopen, indicates a risky new escalation in the battle against ransomware, which President Joe Biden's administration identified as a priority. 

It's unclear how much the attackers requested or whether Colonial has agreed to pay. Ransomware demands, made in cryptocurrency, can vary from a few hundred dollars to millions of dollars. Many businesses pay, with the help of their insurers.

According to the Associated Press, AXA, one of the leading insurance firms, announced last week that it will break with the trend and stop offering policies in France that reimburse customers for payments made to ransomware hackers. In recent years, cyberattacks have disrupted the operations of other energy assets in the US. Last year, the Department of Homeland Security announced that an unnamed natural gas compressor facility was shut down for two days due to an attack.

The theft of Colonial's records, combined with the installation of ransomware on the company's machines, demonstrates the power that hackers frequently hold over their victims in such situations. The investigation is being assisted by FireEye Inc's Mandiant digital forensics division, according to the company. 

Mr. Biden was briefed on the incident on Saturday morning, according to the White House.

Ransomware Attack Shuts Down Top U.S. Fuel Pipeline Network

The operator of a major gasoline pipeline in the U.S. shut down operations late Friday following a ransomware attack on its pipeline system, which transports fuel across the East Coast. The attack is unlikely to affect gasoline supply and prices unless it leads to a prolonged shutdown of the pipeline, experts said.

Colonial Pipeline did not say what was demanded or who made the demand. Ransomware attacks are typically carried out by criminal hackers who seize data and demand a large payment in order to release it.

The company is the main source of gasoline, diesel, and jet fuel for the East Coast, with a capacity of about 2.5 million barrels a day on its system from Houston as far as North Carolina, and another 900,000 barrels a day to New York. The attack presents a new challenge for an administration still dealing with its response to major hacks from months ago, including a massive breach of government agencies and corporations for which the U.S. sanctioned Russia last month.

President Joe Biden was briefed on the incident on Saturday morning, a White House spokesperson said, adding that the federal government is working with the company to assess the implications of the attack, restore operations, and avoid disruptions to supply. The government is planning for various scenarios and working with state and local authorities on measures to mitigate any potential supply issues.

“We’ve seen ransomware start hitting soft targets like hospitals and municipalities, where losing access has real-world consequences and makes victims more likely to pay. We are talking about the risk of injury or death, not just losing your email,” said Ulf Lindqvist, a director at SRI International who specializes in threats to industrial systems.

After the shutdown was first reported on Friday, gasoline and diesel futures edged slightly higher on the New York Mercantile Exchange. Gasoline gained 0.6% while diesel futures rose 1.1%, both outpacing gains in crude oil. Gulf Coast cash prices for gasoline and diesel edged lower on prospects that supplies could accumulate in the region.

Colonial previously shut down its gasoline and distillate lines during Hurricane Harvey, which hit the Gulf Coast in 2017. That contributed to tight supplies and gasoline price rises in the United States after the hurricane forced many Gulf refineries to shut down.