Ransomware, the Colonial Pipeline, and U.S. Infrastructure
By Rachel Feinstein
On May 8, 2021, Colonial Pipeline, which supplies approximately 45% of the refined fuel for the Eastern Seaboard of the United States, announced that it had been the victim of a ransomware attack. The attack, which took place the previous day, forced Colonial to temporarily halt all of its pipeline operations. In the days and weeks since then, several States that rely on the pipeline for their supply of refined oil products enacted states of emergency and experienced fuel shortages. This attack was the largest known cyberattack on U.S. energy infrastructure in our history. But what is ransomware, and why should we care about this one fairly short-lived incident (on May 13th, six days after the attack, Colonial announced that it had restarted all of its pipeline operations)?
Ransomware, at its core, is a form of malicious software (malware) that allows criminal hackers to encrypt an organization’s data and lock them out of their own networks and servers. Once a victim’s data is locked down, the hackers generally demand a ransom, leading to the name ransomware, to release the data. The victim can choose to pay the ransom in exchange for the decryption key, restore their systems from backups (if they exist), or lose all their data and start over.
Over the years, there have been a number of high-profile ransomware attacks globally, although the most significant, known as the WannaCry attacks, occurred in 2017. The WannaCry attacks impacted computer systems in 150 countries and caused an estimated $4 billion in damages globally; however, the most significant target of this attack was the National Health Service (NHS) in the United Kingdom (UK), which impacted hospital systems and healthcare services across the UK. The United States went relatively unscathed during these attacks; however, two years later, in 2019, the City of Baltimore’s government was attacked using the same tool that the hackers used in the WannaCry attacks. Over the years, cybercriminals have attacked other American cities and towns, impacting government functions in a myriad of ways. As an example, the District of Columbia Police Department is currently dealing with an ongoing attack in which hackers have already released the personnel files of a number of officers, and are threatening to release information on ongoing criminal investigations, police informants, and other highly sensitive law enforcement information if DCPD does not pay the ransom requested.
While most ransomware attacks in the United States, up to this point, have been fairly localized or low impact to the average citizen, we need to care about the Colonial Pipeline attack for two main reasons. First, this attack, combined with the one against the UK’s NHS, has shown us that these criminal organizations are willing and able to make moves against organizations, both public and private, that impact the lives of everyday citizens across large swaths of the country. Interestingly enough, the criminal organization that attacked Colonial, DarkSide, only targeted the business side of their systems, rather than the operational side, implying that their motivations were purely financial rather than designed to bring the pipeline down. However, what this attack shows is that, while the criminal organizations may not intend to harm the public, their actions may ultimately result in that outcome either way. The second reason that we should care about the Colonial attack is that, according to experts, these incidents are becoming more frequent and sophisticated in their methods, mostly led by Russian state-sponsored hacking groups. This calendar year alone, twenty-six government agencies have been hit by ransomware attacks, sixteen of which have resulted in the cybercriminals leaking the data online when the victim refused to pay (see the ongoing DCPD attack). Further, a large number of these attacks have been aimed at police departments, partially because they are especially vulnerable due to their use of “ancient” systems and software.
Attacks on law enforcement and other government agencies by state-sponsored and independent criminal organizations are an enormous risk to our national security; the safety of our citizens at home and abroad; and, as these attacks increase in frequency, to the stability of aspects of our domestic infrastructure that rely on digital systems to function. Ultimately, both of these points, individually and together, highlight the fact that there are significant gaps in our cybersecurity systems. To paraphrase Transportation Secretary Pete Buttigieg, the Colonial Pipeline attack should be a “wake-up call” for our nation to begin seriously questioning the state of our cyber defense systems, laws and policies.