A few days ago, we blogged about the White House’s announcement of a plan to protect electric grids. The Biden administration highlighted that more investment and incentives were needed for companies to protect their critical infrastructure from the growing threat posed by hacker groups.

This latest attack proves that these fears are well founded. On May 7, the Colonial Pipeline, which transports oil from Texas to the southeast of the US over a distance of 5,500 km, was hit by the biggest cyber-attack on oil infrastructure ever to take place in the country. The hackers infiltrated the company’s systems with ransomware, reportedly stealing and locking 100 GB of data.

As a result of the incident, the company was forced to shut down the pipeline supply temporarily. This caused fuel shortages in some dependent areas, disrupting the operations of several transport hubs and companies, such as Charlotte-Douglas International Airport in North Carolina, where several flights were delayed. At this point, President Biden had to declare a State of Emergency in the area to prevent further damage.

DarkSide behind the ransomware

Days later, the FBI confirmed that DarkSide was behind the cyberattack. Cybersecurity analysts highlighted that, despite being a relatively new group, it has considerable experience in ransomware operations.

Biden indicated that the attack came from Russia and, although he didn’t think that the Russian government was directly involved, he asked it to “take action”. The US now wants to push for international regulation. As explained above, nations often face diplomatic and legal difficulties in responding adequately to these groups because of their hybrid nature. In this respect, the President commented:

“We are working to try to get to the place where we have sort of an international standard that governments knowing that criminal activities are happening from their territory, that we all — we all move on those — those criminal enterprises. And I — I expect that’s one of the topics I’ll be talking about with — with President Putin.”

Essential proactivity and advanced solutions

As this was a ransomware cyberattack, the hackers’ direct aim wasn’t to take control of OT systems (unlike the incident at the Oldsmar water plant in Florida), but in practice operability was affected to the same extent, because the company decided to shut down operations.

This decision is being debated in the cybersecurity community, as reported in an article in Security Boulevard: some analysts praise it as proof that Colonial is aware of the risks of operating with ransomware on its systems, while others believe that the company was negligent because it didn’t have sufficient cybersecurity measures in place to protect its critical infrastructure.

However, most agree that greater awareness is needed from both public and private organizations, as these threats to public infrastructure are becoming more frequent and more dangerous. They also point to the need for investment in advanced cybersecurity professionals and solutions.

Cytomic Covalent meets these needs for SOCs in organizations with critical infrastructure: it combines all the endpoint prevention capabilities of Cytomic EDPR with the threat hunting capabilities of Cytomic Orion to accelerate the search for potential threats and proactive incident response. As a result, companies like Colonial, and the states that depend on them, will be less likely to experience incidents like this one.