365NEWSX
The Colonial Pipeline Hack Is a New Extreme for Ransomware - WIRED

May 08, 2021

On Saturday, the Colonial Pipeline company, which operates a pipeline that carries gasoline, diesel fuel, and natural gas along a 5,500-mile path from Texas to New Jersey, released a statement confirming reports that ransomware hackers had hit its network.

"This is the largest impact on the energy system in the United States we've seen from a cyberattack, full stop," says Rob Lee, CEO of the critical-infrastructure-focused security firm Dragos.

Colonial Pipeline's short public statement says that it has "launched an investigation into the nature and scope of this incident, which is ongoing." Reuters reports that incident responders from security firm FireEye are assisting the company, and that investigators suspect that a ransomware group known as Darkside may be responsible.

The Colonial Pipeline shutdown comes in the midst of an escalating ransomware epidemic: Hackers have digitally crippled and extorted hospitals, hacked law enforcement databases and threatened to publicly out police informants, and paralyzed municipal systems in Baltimore and Atlanta.

But Lee says his firm has seen a significant uptick in ransomware operations targeting industrial control systems and critical infrastructure, as profit-focused hackers seek the most sensitive and high-value targets to hold at risk.

Hydro Norsk, Hexion, and Momentive were all hit with ransomware in 2019, and security researchers last year discovered Ekans, the first ransomware apparently custom-designed to cripple industrial control systems.

Even targeting a gas pipeline operator isn't entirely unprecedented: In late 2019, hackers planted ransomware on the networks of an unnamed US natural gas pipeline company, the Cybersecurity and Infrastructure Security Agency warned in early 2020—though not one of the size of Colonial Pipeline's.

In that earlier pipeline ransomware attack, CISA warned that the hackers had gained access to both the IT systems and the "operational technology" systems of the targeted pipeline firm—the computer network responsible for controlling physical equipment.

In the Colonial Pipeline case, it's not yet clear if the hackers bridged that gap to systems that could have actually allowed them to meddle with the physical state of the pipeline or create potentially dangerous physical conditions.

Merely gaining broad access to the IT network could be cause enough for the company to shut down the pipeline's operation as a safety precaution, says Joe Slowik, a threat intelligence researcher for security firm Gigamon who formerly led the Computer Security and Incident Response Team at the US Department of Energy.

But Lee says Dragos has seen a growing number of ransomware groups working to infect the OT systems that control industrial and manufacturing equipment, with the aim of totally disrupting their victims' operations.

Summarized by 365NEWSX ROBOTS
