Colonial Pipeline Wasn’t the First, the Last, or the Worst of Critical Infrastructure Cyberattacks

The energy, utilities, and industrials vertical has long been a significant target for criminals and state-sponsored threat actors. The May 2021 ransomware attack on Colonial Pipeline in the US became one of the most high-profile examples of these long-standing threats because of the gasoline supply shortages it caused. That incident was neither the first time ransomware operators had hit an energy pipeline operation nor the first time DarkSide ransomware affiliates had targeted this vertical. Operators of other ransomware families and affiliate programs have also hit energy, utility, and industrial organizations, frequently leaking the data they stole.

The Colonial Pipeline incident was not the first ransomware attack on an energy pipeline operation, and it was the most severe only in terms of its market impact, not from a purely technical perspective.

The Colonial attack reportedly did not touch the pipeline's OT at all, only the operator's IT, including its billing system, which some believe led the company to suspend supply operations simply because it could not bill customers. CEO Joseph Blount, however, told the US Senate in his June 9 testimony that the decision to shut down the pipeline was preemptive, made on the assumption that the OT might also have been compromised. Either way, the incident illustrates that an IT compromise at an organization that also runs OT can disrupt its industrial operations even when the attackers never move laterally into the more sensitive OT environment: the organization may be compelled to shut that environment down, as Colonial did, either as a precaution or because it can no longer run its normal business processes.

In contrast, the Cybersecurity and Infrastructure Security Agency (CISA) reported in February 2020 that a ransomware attack on a US natural gas compressor station did move laterally from the IT network into the OT environment. The attackers gained their initial foothold on the IT network through a spearphishing link and were able to cross into the OT network because the segmentation between the two was too weak to stop them. They then encrypted files on both networks. The facility's operators lost access to human-machine interfaces (HMIs), data historians, and polling servers, and with them part of their ability to monitor operational data. Because the ransomware targeted only Windows hosts, it did not affect the programmable logic controllers (PLCs); had it done so, staff would also have lost the ability to control the process. The attack directly hit only one compressor station, but it indirectly affected the entire pipeline when operators shut that station down for about two days in response.
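The segmentation failure CISA describes is easier to reason about with a concrete rule set. The following Python is added here as an illustration and is not code from the CISA alert or from IntSights. It emulates a first-match firewall between constructed IT, DMZ, and OT zones and probes whether an IT workstation can reach OT assets over the services that Windows ransomware and its operators typically spread through (SMB, RDP, WinRM), plus a direct reach to a PLC. A flat "convenience" rule set passes every probe; a segmented rule set in which OT only pushes historian data outward to a DMZ replica passes none. All addresses, host roles, rule sets, and the historian replication port are assumptions.

```python
"""Check whether a firewall rule set leaves an IT-to-OT path open for ransomware.

Added illustration, not code from IntSights or from the CISA alert. The zone
CIDRs, hosts, rule sets and port choices below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union

# Constructed zone plan: a flat IT network, an IT/OT DMZ, and the OT network that
# holds HMIs, historians, polling servers and PLCs.
ZONES = {
    "IT": ip_network("10.1.0.0/16"),
    "DMZ": ip_network("10.2.0.0/24"),
    "OT": ip_network("10.3.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    port: Union[int, str]    # destination TCP port, or "any"
    action: str              # "allow" or "deny"


def zone_of(ip: str) -> str:
    """Name the zone an address belongs to, or UNKNOWN if it is in none."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def first_match(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """Emulate a first-match firewall; a flow matching no rule is implicitly denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in ("any", port):
            return r.action
    return "deny"


def lateral_paths(rules: List[Rule], probes: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Return the probe flows that cross from the IT zone into the OT zone and are allowed."""
    return [
        (src, dst, port)
        for src, dst, port in probes
        if zone_of(src) == "IT" and zone_of(dst) == "OT"
        and first_match(rules, src, dst, port) == "allow"
    ]


# Constructed probe flows: an IT workstation reaching OT assets over SMB, RDP and
# WinRM (the services commodity Windows ransomware rides between hosts), plus a
# direct reach to a PLC over Modbus/TCP.
IT_WORKSTATION, HMI, HISTORIAN, PLC = "10.1.5.20", "10.3.10.5", "10.3.20.7", "10.3.30.1"
PROBES = [
    (IT_WORKSTATION, HMI, 445),
    (IT_WORKSTATION, HMI, 3389),
    (IT_WORKSTATION, HMI, 5985),
    (IT_WORKSTATION, HISTORIAN, 445),
    (IT_WORKSTATION, PLC, 502),
]

# Weak rule set: one "convenience" rule that makes IT and OT effectively one network.
FLAT = [Rule("10.1.0.0/16", "10.3.0.0/16", "any", "allow")]

# Hardened rule set: the OT historian pushes data outward to a DMZ replica (assumed
# port 5450), IT reads the replica over HTTPS, and everything else is denied.
# No rule lets any IT or DMZ host open a connection into OT.
DMZ_REPLICA = "10.2.0.10"
SEGMENTED = [
    Rule(HISTORIAN + "/32", DMZ_REPLICA + "/32", 5450, "allow"),
    Rule("10.1.0.0/16", DMZ_REPLICA + "/32", 443, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]


if __name__ == "__main__":
    for name, rules in (("FLAT", FLAT), ("SEGMENTED", SEGMENTED)):
        open_paths = lateral_paths(rules, PROBES)
        print(f"{name}: {len(open_paths)} of {len(PROBES)} IT->OT probes allowed")
        for src, dst, port in open_paths:
            print(f"  {src} -> {dst}:{port}")
```

The check probes flows rather than reading rules one at a time because first-match semantics decide what a rule set really permits: a broad allow placed above a deny wins, and a deny placed above an allow shadows it. The direction of the historian rule is the point of the hardened set; OT initiates the only cross-zone connection, so a compromised IT host has nothing to connect to.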

The Colonial incident was also not the first time members of the DarkSide Ransomware-as-a-Service (RaaS) affiliate program targeted critical energy infrastructure. IntSights coverage of underground criminal communities revealed that, in early February 2021, DarkSide affiliates leaked more than 1TB of data they claimed to have taken from Companhia Paranaense de Energia (Copel), an electric utility in the Brazilian state of Parana. The data included user credentials from CyberArk storage, network reconnaissance details, backup schedules, phone numbers and email addresses for customers and employees (senior management among them), legal and financial documents, engineering schematics, and information on the utility's network switches.

Additionally, in December 2020, DarkSide affiliates leaked data they claimed to have taken from US-based Forbes Energy Services, an independent oilfield services contractor for oil and gas companies in Texas and Pennsylvania. The data included tax and accounts payable information, human resources records, healthcare information, and board presentations.

IntSights coverage of underground criminal communities has yielded numerous other examples of ransomware operators leaking data they claimed to have taken from energy, utility, and other industrial organizations: 20 such disclosures in the single year preceding the Colonial incident.

Not Just Ransomware

Many ransomware attacks begin with the sale of access to an already compromised network on an underground criminal forum. IntSights threat intelligence coverage of these forums has yielded several examples of criminals selling access to the networks of energy, utility, and other industrial organizations. Ransomware is a popular way to monetize such access, but it is far from the only one: these organizations hold data that criminals can monetize through identity theft, bank fraud, or follow-on attacks. Of note, two of the access offerings IntSights observed claimed compromises at nuclear energy organizations.

Learn more about the energy, utilities, and industrials cyber threat landscape in our new research report, “Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report.”
