It is prudent to consult several sources for the actual evidence and details, and non-government companies are most often the ‘go-to’ places for that. Government statements tend to be spun, while private-sector security researchers offer up valuable context, and such is the case below.
As a primer, CISA (the Cybersecurity and Infrastructure Security Agency) is the US government agency established in 2018 under the Trump administration, for all the right reasons.
But read on.
The US Cybersecurity and Infrastructure Security Agency (CISA), jointly with the FBI, has issued an Alert (AA21-131A) that offers a set of best practices for preventing ransomware-induced business disruptions. The Alert was prompted by the attack against Colonial Pipeline, and its introductory section records the preliminary conclusion that DarkSide ransomware affected Colonial’s IT systems only, with no indication that the attackers moved laterally into the company’s OT networks. The best practices CISA advocates are familiar: require multi-factor authentication for remote access, filter spam and train users against phishing, keep software patched, restrict RDP and other remote-access services, segment IT from OT networks so that an IT compromise cannot reach operational systems, and keep offline, regularly tested backups. The Alert closes with a statement strongly discouraging any victim from paying the ransom their attackers demand: “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
FireEye yesterday published a report on DarkSide that emphasizes the group’s ransomware-as-a-service (RaaS) model. It is a selective operation (criminal applicants for affiliate status are, for example, interviewed before being given access to DarkSide’s control panel), but it is not a monolithic one: FireEye’s Mandiant unit currently tracks five “clusters” of DarkSide threat activity, consistent with distinct affiliates running their own intrusions with the same ransomware. The affiliate model DarkSide uses shares criminal profits: “Affiliates retain a percentage of the ransom fee from each victim. Based on forum advertisements, this percentage starts at 25 percent for ransom fees less than $500,000 USD and decreases to 10 percent for ransom fees greater than $5M USD.”
Colonial Pipeline’s website came back online late yesterday, newly armored with a reCAPTCHA landing page. The company published an update in which it reported progress toward resumption of refined petroleum deliveries, with some 967,000 barrels delivered to Atlanta; Belton and Spartanburg in South Carolina; Charlotte and Greensboro in North Carolina; Baltimore; and Woodbury and Linden (close to the Port of New York and New Jersey). Some lines have been operated under manual control since at least Monday and have been moving existing inventory. As the company prepares to restart deliveries, it has taken delivery of an additional two million barrels, which it will ship once service is restored.
The company appears also to be addressing some concerns about its pipelines’ physical security, having “increased aerial patrols of our pipeline right of way and deployed more than 50 personnel to walk and drive ~ 5,000 miles of pipeline each day.” (hat tip to CyberWire)
Colonial Pipeline using vulnerable, outdated version of Microsoft Exchange: report
Interesting forensic finding on Colonial Pipeline: They were STILL using a vulnerable version of Microsoft Exchange (the same systems exploited by Chinese hackers that was revealed in March), among other notable lapses. Per Coalition. pic.twitter.com/TvsEN8S3Ew
— Nicole Perlroth (@nicoleperlroth) May 11, 2021