The Colonial Pipeline incident has dominated cybersecurity, economic, and political headlines for a large portion of this week's news cycle. It may even be a watershed moment in the ransomware timeline, a step too far if you will. Impacting one company for a period may be frustrating to consumers and bad for that company. Impacting a fuel pipeline and forcing the company to shut it down, which in turn impacts every industry and consumer reliant on refined petroleum, is another matter entirely. Every person who had to queue for fuel, or could not get fuel at all, will likely view themselves as impacted by the incident or even classify themselves as victims of the attack.
In the wake of the incident, governments around the world have taken note of the damage that ransomware can inflict on the general populace. The US and the UK have issued statements that highlight what their governments are doing now, and will do in the future, to protect the population that voted them into power and to prevent such incidents. On May 12, 2021, US President Joe Biden signed an executive order designed to drastically beef up the use of preventative measures such as multi-factor authentication, endpoint detection and response, and log keeping, as well as to establish a Cybersecurity Safety Review Board.
Described as the adoption of a zero-trust, as-a-service approach, the intention of the order was made clear in the following paragraph:
“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life. The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid. The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).”
The order mandates that government agencies have 180 days to implement multi-factor authentication and encrypt data both at rest and in transit "to the maximum extent" available under federal records and other laws.
Agencies that cannot meet the deadline will need to provide a written explanation of why not. Along with the executive order, the White House also issued a fact sheet to better explain some of the ramifications and intent of the order. The fact sheet further notes that:
“This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur. It is the first of many ambitious steps the Administration is taking to modernize national cyber defenses. However, the Colonial Pipeline incident is a reminder that federal action alone is not enough. Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments. We encourage private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
By making a direct reference to the Colonial Pipeline incident, the government acknowledges the role the private sector must play in bolstering its cybersecurity policies and protocols. It is also hoped that the executive order will provide a framework for greater cooperation between government agencies and the private sector. Further, a standardized playbook for incident response will be created, as will a “government-wide endpoint detection and response system” and a mandate to maintain logs to help in incident detection, investigation, and remediation.
If all these measures are met in the future, it will likely make the lives of hackers that much harder. It would be naïve to think that these measures will stamp out the problem of ransomware, as many factors come into play, including geopolitical realities, but it can be seen as a step in the right direction.
The statement made by Dominic Raab, the UK's Foreign Secretary, was more focused on the geopolitical realities shaping the threat landscape. In a speech at the National Cyber Security Centre's (NCSC) CYBERUK 21 conference, the Foreign Secretary called on Russia to do more to tackle cybercriminals operating from within its territory. It is a well-known fact of life that if Russian financially motivated hackers do not target Russian interests, there is little threat from Russian law enforcement or the government to stop their activities. The cynical may go even further and say that allowing Russian hackers to target Russia’s competition on the global stage furthers Russian interests.
Such a view is supported by the fact that specific malware strains are hardcoded not to install on machines using languages associated with the old Soviet Union. This failsafe against installing on Russian-speaking organizations or private individuals is also supplemented by code that will prevent installation if an IP address from one of the old Soviet-bloc countries is detected. Raab, commenting on this, stated:
“When states like Russia have criminals or gangs operating from their territory, they can't just wave their hands and say nothing to do with them – even when it's not directly linked to the state, they have a responsibility to prosecute those gangs and those individuals, not to shelter them.”
Shining a Light on DarkSide
Given the incident and the wasp's nest it kicked up, it is little wonder researchers at security firms have been attempting to shine a light on DarkSide’s operations. On May 11, 2021, FireEye published an article on their blog detailing five suspected clusters of DarkSide activity. Given that the operation is set up as a ransomware-as-a-service, separate clusters of activity are to be expected, since affiliates carry out the finding and infecting of targets and then split the profit with the malware’s core development group. Typically, this split is 20 to 30% to the core group, with the affiliates keeping the rest.
Forum posts suggest DarkSide also scales its payment share depending on the ransom amount paid: for anything under 500,000 USD the core group's share is 25%, decreasing to 10% for ransoms over 5 million USD.
FireEye provided information on three of the five clusters, which are tracked by the security firm as UNC2628, UNC2659, and UNC2465. Each group or cluster has unique tactics which make them more easily identifiable, and the article makes for interesting reading. Summarising each cluster briefly, FireEye provided the following descriptions:
- UNC2628 has been active since at least February 2021. Their intrusions progress relatively quickly with the threat actor typically deploying ransomware in two to three days. We have some evidence that suggests UNC2628 has partnered with other RaaS including SODINOKIBI (REvil) and NETWALKER.
- UNC2659 has been active since at least January 2021. We have observed the threat actor move through the whole attack lifecycle in under 10 days. UNC2659 is notable given their use of an exploit in the SonicWall SMA100 SSL VPN product, which has since been patched by SonicWall. The threat actor appeared to download several tools used for various phases of the attack lifecycle directly from those tools’ legitimate public websites. (The same SonicWall vulnerability has been seen exploited by the FiveHands ransomware gang.)
- UNC2465 activity dates back to at least April 2019 and is characterized by their use of similar TTPs to distribute the PowerShell-based .NET backdoor SMOKEDHAM in victim environments. In one case where DARKSIDE was deployed, there were months-long gaps, with only intermittent activity between the time of initial compromise to ransomware deployment. In some cases, this could indicate that initial access was provided by a separate actor.
It is as yet unclear whether any of the above-mentioned clusters were involved in the Colonial Pipeline incident. However, according to Bloomberg, two sources close to the matter said that the company paid a ransom of 5 million USD. It was noted that the company was provided with a decryption tool, but it was so slow that the company also had to restore data from backups. The company's efforts were not sufficient to prevent the disruption experienced by the East Coast. By Wednesday, the company had brought systems back online, but the shortage will take several days to remedy itself.