The Colonial Pipeline attack stirred the government to more action over the past year
The Colonial Pipeline ransomware attack, which took place one year ago tomorrow, is a strong contender for the most consequential cyberattack in history.
It marked a seismic shift in which a cyberattack had real-world implications for tens of thousands of average Americans who spent hours in gas lines and fretted about price surges and being unable to fill their tanks.
The attack by the DarkSide cybercriminal gang — and Colonial’s decision to shut down operations for five days while the company recovered — gained an unprecedented amount of public attention.
Previous hacks had sent shock waves through the White House and Pentagon and sent corporate executives scrambling to limit their legal liability and reputational damage. But none had produced so much popular awareness and anxiety.
Justin Fier, director of cyber intelligence and analytics at the cybersecurity firm Darktrace, was in the thick of it:
The government response was also unprecedented.
- The attack — along with other ransomware strikes against the meat processor JBS and the IT provider Kaseya — prompted a diplomatic confrontation between President Biden and Russian President Vladimir Putin during a Geneva Summit. Biden demanded that Putin prevent Russia-based cybercriminals from targeting U.S. critical infrastructure including pipelines, energy and financial firms — a move U.S. officials had not taken six months earlier when the Kremlin hacked into a slew of U.S. government agencies.
- The attack also arguably led directly to congressional passage of the most substantial cyber requirements for critical infrastructure firms in history — obligating them to alert the government within three days if they’re hacked and within one day if they pay a ransom to hackers.
- The top U.S. pipeline regulator proposed a roughly $1 million fine for Colonial’s safety violations yesterday, Reuters reports.
Tony Anscombe, chief security evangelist at the cyber firm ESET:
Without the lines at gas stations politicians may not have been as decisive with some of the legislation now in place or in https://t.co/2eHgoiNyTI moved it from conversation to action. There is much more to do though, and we should not wait for incidents to progress further.
— Tony Anscombe (@TonyAtESET) May 5, 2022
I asked cyber pros on Twitter for other big takeaways on the Colonial Pipeline anniversary. Here’s what they said:
Giving cybercriminals their due: Nation states including Russia, China, Iran and North Korea traditionally dominated U.S. officials’ list of cyberthreats. But Colonial showed that criminal hackers can be just as disruptive.
Brett Callow, threat analyst at the cybersecurity firm Emsisoft:
The fact that low-level criminal extortionists – not actors backed by a hostile state – were able to cause such chaos highlighted not only the fragility of our critical infrastructure, but also the need to do more to directly combat the ransomware problem.
— Brett Callow (@BrettCallow) May 5, 2022
Andrew Thompson, senior manager at the cybersecurity firm Mandiant:
While commentary about disruptive cyber criminals posing a national security threat predates that attack, it certainly drove the point home. Today, it’s slightly less controversial to suggest it’s acceptable to use the military and intelligence apparatus to target criminals.
— Andrew Thompson 🇺🇦 🌻 🇺🇸 (@ImposeCost) May 5, 2022
Security researcher Kevin Beaumont:
The world is very vulnerable as cyber defence isn’t where it needs to be globally, sadly. And criminal groups will continue to drive the cybersecurity market, as they are monetising that.
— Kevin Beaumont (@GossiTheDog) May 5, 2022
No more foot dragging: Congress had held plenty of hearings about the ransomware threat and made plenty of statements, but it had done comparatively little at that point to raise potential victims’ cyberdefenses. Now they’re starting to move.
Megan Stifel, chief strategy officer for the Institute for Security and Technology and a former White House cyber official:
Everyone knows someone: Part of the power of the Colonial Pipeline attack was that everyone knew someone who’d been affected by it. Or they knew someone who knew someone.
Charles Henderson, head of IBM’s X-Force threat management team, compared it to the “Six Degrees of Kevin Bacon.”
If Kevin Bacon taught us anything, it’s that we’re more interconnected than we think. Colonial Pipeline showed everyone that six degrees is more like two when it comes to the impact threat actors have on our physical world. Add in JBS Meats and you have a big reality sandwich.
— Charles Henderson (@angus_tx) May 5, 2022
The Swift on Security cyber parody account put it more succinctly:
The internet is real life
— SwiftOnSecurity (@SwiftOnSecurity) May 5, 2022
Show me which hacks a nation freaks out about and I’ll show you its values: Ransomware had been hitting schools and hospitals for years, disrupting American lives on a more micro scale. Some found it galling that it took a hack affecting gas supplies to rock the American consciousness.
Selena Larson, senior threat intelligence analyst at the cybersecurity firm Proofpoint:
I remain disappointed that after YEARS of targeting schools, hospitals, and state/local governments, it was really an oil and gas company getting hit that made people realize ransomware was a national security risk. https://t.co/ftd77L0pze
— Selena (@selenalarson) May 5, 2022
Opening the door to regulations: The government has imposed basic cyber standards on pipelines and a handful of other industries where it has regulatory authority during the past year — a move that would have seemed highly unlikely before Colonial.
“Post-Colonial, we saw dramatic calls for regulation,” Brian Harrell, former assistant director for infrastructure security at the Cybersecurity and Infrastructure Security Agency, told me by direct message. “While mandatory standards are helpful, they are only one tool in the toolbox. Compliance checklists, with minimum baseline standards, will not stop a sophisticated cyberattack by a determined nation state adversary.”
The power of extortion: DarkSide is among a number of ransomware groups that didn’t just lock up a company’s data and demand payment to unlock it, but also threatened to leak the victim’s sensitive data to compel them to pay up. That has proved a useful strategy in the year since Colonial.
Adam Meyers, senior vice president of intelligence at the cybersecurity firm CrowdStrike:
The threat landscape has changed – in the last year there have been a series of disruptions that have impacted individual groups, but the broader shift has been towards data extortion.
— adam_cyber (@Adam_Cyber) May 5, 2022
Many companies have matured their ransomware playbook and are increasingly saying no to paying to decrypt data. When data is extorted under threat of leak, this calculus changes. Regulatory/legal impact of data leaks is expensive and the extortion demand surely pales in comparison.
— adam_cyber (@Adam_Cyber) May 5, 2022
Law enforcement punching back: One big post-Colonial development came from the Justice Department, which cracked into the criminals’ bitcoin wallet and recovered $2.3 million worth of bitcoin. That was the bitcoin equivalent of the $4.3 million ransom Colonial Pipeline paid, because the value of bitcoin dropped substantially in the interim.
Allan Liska, principal threat adviser at Recorded Future:
This is a really good thread. I’ll add two comments:
1. We learned that, despite what they may think, ransomware groups headquartered in Russia are not “untouchable.”
2. Sometimes the panic from an attack is significantly worse than the attack itself. https://t.co/3193rOQITz
— Allan “Ransomware Sommelier🍷” Liska (@uuallan) May 6, 2022
Fewer walls in security: The Colonial Pipeline hackers never actually reached the operational technology systems that send oil through the pipelines. But they caused so much panic by locking up the company’s information technology systems that operators shut down the pipeline anyway. One big lesson is that the cyber folks and the operational folks need to be in better contact to understand the risks of such an attack.
Harvard University professor and Obama administration Department of Homeland Security official Juliette Kayyem:
The distinction between cybersecurity and physical security is a myth; the bifurcation of CSO and CISO is harmful; Colonial had no response plan but an on/off switch which is not sophisticated. Thnx for reminder. From THE DEVIL NEVER SLEEPS @public_affairs. pic.twitter.com/XJzteFmQ3I
— Juliette Kayyem (@juliettekayyem) May 5, 2022
Not much: One common response was that the nation actually learned comparatively little from Colonial and that developments in the past year haven’t remotely equaled the scale of the threat.
Ronnie Tokazowski, principal threat adviser at Cofense:
I really wish I could say “we learned our lessons and made things better” but if I’m being honest for 30 seconds that would be a total lie. The unfortunate truth is that breaches still happen based on simple problems from decades ago.
— Ronnie Tokazowski – Be Awesome to Each Other! (@iHeartMalware) May 6, 2022
Spanish intelligence chief acknowledges Spain targeted 18 supporters of Catalan independence with spyware
The spy agency got court orders to spy on politician Pere Aragonès, now president of Spain’s autonomous Catalonia region, and 17 other supporters of Catalan independence, El País’s Miguel Gonzalez, Xose Hermida and Javier Casqueiro report.
- The 17 other targets all had alleged links to a protest group that called for shutting down Barcelona’s airport in 2019 to support Catalonian self-determination, Spanish spy chief Paz Esteban told Spanish lawmakers in a closed-door hearing.
- Esteban showed the lawmakers the court orders that her agency got to use Pegasus on the victims, Hermida and Casqueiro report.
- Aragonès is demanding that the orders be immediately declassified.
Spanish politicians were also hacked. Spanish officials have found traces of Pegasus on a device belonging to Interior Minister Fernando Grande-Marlaska, El País reported. If analysts find that Grande-Marlaska was hacked with Pegasus, he would be the third confirmed Spanish Cabinet-level official to be hacked.
It’s not clear who was behind the string of hacks on Spanish officials, but they came amid a diplomatic spat between Spain and Morocco, which has been accused of using Pegasus. Morocco has denied acquiring the spyware.
NATO cyberdefense hub adds three new members amid Russia threat
South Korea’s spy agency says participating in the transatlantic alliance’s cyberdefense center will help it level up its ability to respond to cyberattacks, the Yonhap News Agency reports. It’s the latest enlargement for the Cooperative Cyber Defence Centre of Excellence (CCDCOE), which also welcomed Canada and Luxembourg as new members.
Ukraine also recently joined. In March, the country became a “contributing participant.” Its participation “could bring valuable firsthand knowledge of several adversaries within the cyber domain to be used for research, exercises and training,” CCDCOE’s director, Col. Jaak Tarien, said at the time.
CCDCOE is staffed and funded by its members. While it’s not an “operational unit belonging to the NATO Command Structure,” it’s part of a network of NATO-accredited centers of excellence, CCDCOE says.
Russian use of online anonymization tools has skyrocketed
Russians have been turning in droves to virtual private networks, which let them get around Russian government censors and surveillance, Anthony Faiola reports.
“Since the war began in February, VPNs have been downloaded in Russia by the hundreds of thousands a day — a massive surge in demand that represents a direct challenge to President Vladimir Putin’s attempt to seal Russians off from the wider world,” Anthony writes. “By protecting the locations and identities of users, VPNs are now granting millions of Russians access to blocked material.”
CISA’s got two factors to paradise
The agency is “beginning a month-long mission to rock the message that multifactor authentication keeps you more secure,” CISA Director Jen Easterly announced in a rock music reference-rich blog post. “It’s like More Than a Feeling, but instead it’s More Than a Password!” the agency says of the system for using a texted code, fingerprint or other identifying feature along with a password to access websites and data.
Federal agencies likely to get new cybersecurity guidance ‘in coming weeks’ (NextGov)
Location data firm provides heat maps of where abortion clinic visitors live (Motherboard)
More details emerge on China’s widespread Ukraine-related hacking efforts (CyberScoop)
NSA, Cyber Command tap new election security leaders (The Record)
- Matt Hayden has joined General Dynamics Information Technology as vice president of cyber client engagement. Hayden previously worked at Exiger, the Department of Homeland Security and CISA.
- Director of National Intelligence Avril Haines and Scott Berrier, who leads the Defense Intelligence Agency, testify on worldwide threats at a Senate Armed Services Committee hearing on Tuesday at 9:30 a.m.
- A House Science Committee panel holds a hearing on open-source software cybersecurity Wednesday at 10 a.m.
Thanks for reading. See you Monday.