Critical infrastructure in any country relies on energy sources and transmission for proper and safe national operations. A direct cyber shot was delivered to the US oil and gas industry by a Russian criminal group known as DarkSide. DarkSide was identified in the ransomware attack that shut down the US-Georgia-based Colonial Pipeline, which immediately created fuel shortages for cars, trucks, and the airline industry. The ransom of $5 million USD was eventually paid to get the pipeline back in operation.
This pipeline attack now has other energy sector officials on edge and scrambling to make sure their critical systems are secure. "It should serve as a warning shot for all the vital infrastructure," said a longtime executive at Exxon who now is a professor at the Kenan-Flagler School of Business at the University of North Carolina at Chapel Hill. The good professor was not surprised the pipeline was targeted. "This thing [cyber-attack] has been coming," he said. "Hackers have been honing their techniques for quite some time now." In the Colonial Pipeline attack, the ransom was paid, but the question remains: what will be the ramifications for the hacking group that committed what many are calling a terrorist attack, and for the countries that harbor and sanction these activities?
While this week's gas crunch in several eastern US states is an inconvenience, a similar attack that hits an electric power grid could replicate a crisis similar to what Texas experienced this past February. One electric company, Duke Energy, is aware of the potential threat and is taking steps to minimize it, said a spokesman. "As a critical infrastructure provider, we are a target, and it is something we deal with on a regular basis," Duke said.
The US-North Carolina-based utility reports it is constantly working hard to build physical and technological layers, from a diverse fuel supply to systems that can isolate outage areas and reroute power, to shoring up cybersecurity strategies. "It's a constant battle," Duke said. "It's a constant attempt to stay ahead of those challenges, that we're putting in protections every time that attack gets more sophisticated." In the past, many large companies fended off hackers looking for trade secrets, but the NC university professor is calling ransomware "a new form of threat."
Other critical infrastructure industries are also at risk. Cyberattacks targeted a water treatment plant in Florida and the Onslow Water and Sewer Authority in North Carolina in 2018. In March of this year, Red Sky Alliance conducted a podcast explaining this event with Straife Risk Management.
According to the World Economic Forum (WEF), cyberattacks on critical infrastructure posed the fifth-highest economic risk in 2020, and the WEF called the potential for such attacks "the new normal across sectors such as energy, healthcare, and transportation." Another report noted that such attacks can have major spillover effects. Lloyd's of London and the University of Cambridge's Centre for Risk Studies (UK) calculated that the prospective economic and insurance costs of a severe cyberattack against America's electricity system could amount to more than $240 billion and possibly more than $1 trillion. Beyond the financial loss, such an attack could also cost lives.
On 13 May 2021, Red Sky Alliance collected and analyzed indicators related to Colonial Pipeline in our proprietary data. Our data showed 401 'hits' with the breakdown below:
Breach Data: In just the recent COMB breach alone, there were 227 hits for Colonial Pipeline employee user credentials.
Pastebin: We have 1 Pastebin hit for an employee at Colonial Pipeline from 2019. The Pastebin post consists of a username and password. This user is also listed in the COMB breach data. It only takes one breach to conduct an attack.
Botnet_Tracker: We have one hit from November 2019 indicating an IP address on Colonial Pipeline’s network communicating with the Anubis Sinkhole. This typically indicates the device is infected with malware.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. In fact, the RedPane tool now scrapes over 40 dark web forums, collecting proactive data that can be used to defend a network before an attack is initiated.
What can you do to better protect your organization today?
- All data in transit and at rest should be encrypted.
- Proper data backup and off-site storage policies should be adopted and followed.
- Implement two-factor authentication company-wide.
- For USA readers, join and become active in your local Infragard chapter (infragard.org); there is no charge for membership.
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cybersecurity software, services, and devices to be used by all at-home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings