On May 11, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) published an article describing the DarkSide ransomware attack on the Colonial Pipeline. This pipeline delivers 45% of the fuel supply used by the eastern coast of the United States.

When Colonial learned of the cyber attack, “they proactively disconnected certain OT (operational technology) systems to ensure the systems’ safety” (CISA report). In other words, while only the company’s IT network was hacked, the OT systems were unaffected but still taken offline deliberately by Colonial as a precaution.

What is DarkSide and how did they hack the pipeline?

DarkSide is a hacking group with ties to Russia. They liken themselves to Robin Hood, claiming to steal money from large companies and redistribute it to smaller organizations through charitable donations. “This Robin Hood mentality is more of a PR stunt” according to Jon DiMaggio, chief security strategist for threat intelligence firm Analyst1, interviewed in an article by TechRepublic. "When they made the donations (two donations at $10,000 each), it was reported across cyber news organizations all over the world," DiMaggio said. "It was essentially a $20K marketing cost that got their name out there. All of these guys seem to have big egos, which is why they have press releases and will talk to the media and researchers. So this donation was likely an attempt to increase their visibility."

So how was the attack carried out? “According to open-source reporting, DarkSide actors have previously been observed gaining access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI)” (CISA report). A phishing attack is when an attacker pretends to be someone trustworthy and convinces the victim to share login credentials or other vital system information. A VDI is defined as “the hosting of desktop environments on a central server. It is a form of desktop virtualization, as the specific desktop images run within virtual machines (VMs) and are delivered to end clients over a network” (Citrix).

While the exact details of this attack are still under investigation, it is likely that social engineering and unauthorized VDI access were involved at some level.

How to mitigate ransomware attacks

The CISA report lists many steps to take to help prevent ransomware attacks at your organization. Here is an abbreviated version of some of the steps they describe (see the full article for more details):

• Require multi-factor authentication

• Enable strong spam filters

• Implement a user training program

• Filter network traffic to prohibit malicious IP addresses

• Update software in a timely manner.

• Limit access to resources over networks.

• Set antivirus/antimalware programs to conduct regular scans

• Implement unauthorized execution prevention by:

  • Disabling macro scripts from Microsoft Office files

  • Implementing application allowlisting

  • Monitor and/or block inbound connections from Tor

  • Deploy signatures to detect and/or block inbound connection from Cobalt Strike servers

• Implement and ensure robust network segmentation

• Organize OT assets into logical zones

• Identify OT and IT network inter-dependencies and develop workarounds or manual controls

• Regularly test manual controls

• Implement regular data backup procedures

  • Ensure that backups are regularly tested

  • Store your backups separately

  • Maintain regularly updated “gold images” of critical systems

  • Retain backup hardware

  • Store source code or executables

• Ensure user and process account access rights are given based on the principles of least privilege and separation of duties.

For more information on how to defend against ransomware attacks, check out this webcast by John Strand, Owner and Security Analyst at Black Hills Information Security. He explains that there are many simple and free/inexpensive measures that companies can take to protect themselves. The content with John starts at the 29:15 mark and is definitely worth investigating.

Thanks for reading!