
Thread: U.S. oil pipeline shut down by ransomware

  1. #21, posted by SeriousStudent (Site Supporter, joined Mar 2012, location: Texas)
    Our current policy on retaliation for weapons of mass destruction is "A gas is a germ is an atom". Meaning we treat them all the same, and the opponent gets a thermonuclear dose of canned sunshine in response. We do not discriminate between chemical, biological or radiological/nuclear weapons.

    How long before our resources are so crucial, that a policy becomes "A gas is a germ is an atom is an electron"? And not necessarily policy. There were very serious discussions amongst our Congresscritters about how do we respond to the Solarwinds/Solarigate/Nobelium/Hafnium attacks. So if we decide to respond to those (if we have not already) and Comrade Zi or Putin decide to mash a different button?

    That is the thing that really scares me. The Ukraine was relieved of its nuclear weapons and we assisted with this. Would Russia be making them their bitch if they still had nukes? Likely not.

    I'm really, really going to watch out for the analysis of the attack on Colonial. If this was yet another ransomware attack that was similar to the attacks on healthcare and utilities for the last 18 months or so, I'm less worried. But if it was deliberately designed to go after the air-gapped SCADA systems as Tabasco mentioned. A buddy wrote his master's thesis on STUXNET when he was at CMU when it was initially discovered. I still have a copy of his paper.

    I got to talk to Andy Greenberg a while back, after he released his book called Sandworm. I'd definitely encourage my fellow nerds to read it.

  2. #22, posted by Borderland (Abducted by Aliens, joined Feb 2019, location: Camano Island WA.)
    Quote originally posted by blues:
    You gotta get up pretty early in the morning to beat this guy...

    That dude is in the market at 2 am. He doesn't sleep at night.
    In the P-F basket of deplorables.

  3. #23, posted by blues (banana republican, joined Aug 2016, location: Blue Ridge Mtns)
    Quote originally posted by Borderland:
    That dude is in the market at 2 am. He doesn't sleep at night.
    And yet 2 a.m. is pretty early in the morning.
    There's nothing civil about this war.

  4. #24
    I've been retired a few years now, so no current info, but FWIW:

    We all just assume that water will come out of the tap, electricity will come out of the socket, and our email will get delivered. That doesn't just happen by default. For decades I was the guy who got the 2AM phone call that one of the IMAP servers had shit the bed, and I drove in and spent 0300 to 0600 improvising so your mail was all in your inbox at 0600. I know people today at the power company who are working the wee hours to keep the power on. I'm sure that the water plant and sewer plant have people getting up and sticking their fingers in the dike.

    So, for example, when everyone was freaking out over Y2K, my prediction was 'this will be a nonevent ... lotsa people like me will just deal with whatever comes along'. That turned out to be an accurate prediction.

    It's not like I don't worry - a Carrington Event could wreak real havoc. Stuxnet did real damage. But, generally speaking, I expect that the people filling my shoes will again improvise in the face of adversity, and largely keep things running. If that means yanking stuff off networks and reverting to SneakerNet for updates, I expect they will do that.

    Don't get me wrong - I surely encourage everyone to ask themselves what they would do if water didn't come out of the tap or electricity didn't come out of the plug for a few months, and do whatever they can to ride that out. But, generally speaking, I think that my replacements are smart people, and will do what they always do - improvise in the face of adversity, and kinda sorta keep things working.

  5. #25, posted by Chance (Smoke Bomb / Ninja Vanish, joined Nov 2011)
    From The New York Times:

    Bringing down the pipeline operations to protect against a broader, more damaging intrusion is fairly standard practice. But in this case, it left open the question of whether the attackers themselves now had the ability to directly turn the pipelines on or off or bring about operations that could cause an accident.

    The ransomware attack is the second known such incident aimed at a pipeline operator. Last year, the Cybersecurity and Infrastructure Security Agency reported a ransomware attack on a natural gas compression facility belonging to a pipeline operator. That caused a shutdown of the facility for two days, though the agency never revealed the company’s name.
    "The wise man says: 'To forgive is divine, but do not pay full price for a pizza delivered late.'" - Michelangelo

  6. #26, posted by Hot Sauce (Delta Busta Kappa fratboy, joined Oct 2014)
    Quote originally posted by SeriousStudent:
    Our current policy on retaliation for weapons of mass destruction is "A gas is a germ is an atom". Meaning we treat them all the same, and the opponent gets a thermonuclear dose of canned sunshine in response. We do not discriminate between chemical, biological or radiological/nuclear weapons.

    How long before our resources are so crucial, that a policy becomes "A gas is a germ is an atom is an electron"? And not necessarily policy. There were very serious discussions amongst our Congresscritters about how do we respond to the Solarwinds/Solarigate/Nobelium/Hafnium attacks. So if we decide to respond to those (if we have not already) and Comrade Zi or Putin decide to mash a different button?

    That is the thing that really scares me. The Ukraine was relieved of its nuclear weapons and we assisted with this. Would Russia be making them their bitch if they still had nukes? Likely not.

    I'm really, really going to watch out for the analysis of the attack on Colonial. If this was yet another ransomware attack that was similar to the attacks on healthcare and utilities for the last 18 months or so, I'm less worried. But if it was deliberately designed to go after the air-gapped SCADA systems as Tabasco mentioned. A buddy wrote his master's thesis on STUXNET when he was at CMU when it was initially discovered. I still have a copy of his paper.

    I got to talk to Andy Greenberg a while back, after he released his book called Sandworm. I'd definitely encourage my fellow nerds to read it.
    The big problem here that you did not mention (and I'm sure you are aware of) is attribution.

    Imagine the hypothetical of Russian hackers using commonly known techniques that are used by North Koreans--TTPs are commonly used for attribution. Imagine there's a purposefully left artifact that may imply Korean as the language of the malware coder. This is a famous attack that had such indicators.
    Keylogger used in the attacks appears to be written by a Korean-speaking developer, and the data discovered on the command and control servers used in the attacks have Korean language in the data strings. "You've got a number of individuals involved here who are Korean-speaking and the attacks are happening in the APAC region." And when they infect a Korean-speaking target, the attackers delete the malware -- an indication that they are avoiding friendly fire.
    A relatively less sophisticated example was the United Cyber Caliphate, which purported to be ISIS hackers but was in actuality Russian nation-state actors.

    So while part of the power grid is down or whatever the scenario is, you also have to make sure you're shooting back at the right people, or you risk shooting at uninvolved countries and creating a "multi-theater" cyber conflict. One could think of a Sum of All Fears (the movie) situation where a third party tries to provoke a cyber war between two other nation-states.
    Gaming will get you killed in the streets. Dueling will get you killed in the fields.
    -Alexander Hamilton

  7. #27
    Quote originally posted by whomever:
    I've been retired a few years now, so no current info, but FWIW:

    We all just assume that water will come out of the tap, electricity will come out of the socket, and our email will get delivered. That doesn't just happen by default. For decades I was the guy who got the 2AM phone call that one of the IMAP servers had shit the bed, and I drove in and spent 0300 to 0600 improvising so your mail was all in your inbox at 0600. I know people today at the power company who are working the wee hours to keep the power on. I'm sure that the water plant and sewer plant have people getting up and sticking their fingers in the dike.

    So, for example, when everyone was freaking out over Y2K, my prediction was 'this will be a nonevent ... lotsa people like me will just deal with whatever comes along'. That turned out to be an accurate prediction.
    I had that exact experience, one of the reasons I'm "retired" (at least from IT, sort of, or at least running email servers anyway).

    The thing about Y2K was that it was a known issue. I worked at a large European investment bank, and there was a huge effort to be Y2K compliant. To get us IT folks interested, they sent us a book by a former COBOL programmer Ed Yourdon, called "Timebomb 2000". It made me aware of 'just in time' inventory, issues with the power grid, etc. Really got me thinking. In the end, most companies achieved compliance, and it was no big deal (I read the NRO lost track of its satellites for awhile). My guess is that Y2K would have been a real issue had we not dealt with it, but we saw it coming and acted accordingly. Back then, our reliance on internet connected stuff was much less. I shudder to think of the result of disruptions today.

  8. #28
    Quote originally posted by Tabasco:
    ... My guess is that Y2K would have been a real issue had we not dealt with it, but we saw it coming and acted accordingly. ....
    For some values of 'real issue', sure. But I think some of it was overplayed. I remember hearing things like 'the pumps at the water treatment plant are computer controlled, so come Y2K the water won't flow!'. And that seems unlikely to me - if the clock ticked over and the computer controlling the pumps failed, for example, I'd guess you could generally get the water flowing again by setting that computer's date to 1990, and then dealing with the implications of that as they came.

    Every fall we set the clocks back an hour. If worse came to worse, we could have, society wide, set the clock back by a year. That would have been a fustercluck of epic proportions as, say, banking systems tried to deal with deposits that had occurred in the future, but I don't think it would have been 'the grid is down for months' bad.

    That's not to say it wouldn't have been bad ... bad things could happen if it took too long to fix the reactor cooling systems or whatever. But not, IMHO, as bad as some of the hype predicted.

    Among other reasons, when you want to do an upfront fix so Y2K doesn't break the payroll system, the way risk averse bureaucracies work is 'form a committee to assess the various mitigation strategies, first meeting will be in 8 weeks followed by monthly meetings ...'. When the system is broken because it is saying 'age = YY - birthYY' and when YY=02 (2002) and birthYY=80 (1980), and the person isn't negative 78 years old, someone will suggest following that with 'if age<0: age = YY + 100 - birthYY', and implement it that afternoon. In other words, IMHO, fixing Y2K would have taken a lot less time than averting it (that's not saying we shouldn't have done the work to avert it, just that 'we spent 50 man years replacing the XYZ system so it was Y2K proof' doesn't imply 'if we had been surprised by Y2K, getting XYZ running again would have taken 50 man years').

    As the old saying goes, 'nothing focuses the mind like the prospect of being hung at dawn'. Similarly, when payday is tomorrow, it's amazing how quickly the payroll system gets fixed.

    The worst case scenarios for a Carrington Event are really, really bad. I just didn't see Y2K reaching that state of things. I might be all wet, and I'm glad we didn't have to run the experiment :-).
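
    The two-digit-year arithmetic in post #28 above, worked through in Python as an added example (this is not code from the thread or from any system the posters describe): the naive form that goes negative, the "implement it that afternoon" patch, the pivot-year window that patch generalises to, and an ambiguity check showing the records no two-digit rule can ever decide. The pivot of 50 and the 120-year plausibility bound are assumptions chosen for illustration.

```python
from typing import List

# Assumed upper bound on a plausible human age, used by the ambiguity check.
MAX_PLAUSIBLE_AGE = 120


def naive_age(yy: int, birth_yy: int) -> int:
    """The broken form from the post: age = YY - birthYY on two-digit years.
    Goes negative as soon as YY wraps past 99 (YY=02, birthYY=80 gives -78)."""
    return yy - birth_yy


def patched_age(yy: int, birth_yy: int) -> int:
    """The post's afternoon fix: a negative result means the birth year was in
    the previous century, so add 100 and move on."""
    age = yy - birth_yy
    if age < 0:
        age = yy + 100 - birth_yy
    return age


def expand_year(yy: int, pivot: int = 50) -> int:
    """Pivot-year windowing, the usual general form of that same patch: two-digit
    years at or above the pivot are read as 19xx, below it as 20xx.
    The pivot value 50 is an assumed choice, not something from the post."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 1900 + yy if yy >= pivot else 2000 + yy


def windowed_age(yy: int, birth_yy: int, pivot: int = 50) -> int:
    """Age computed on windowed four-digit years. Correct inside the window,
    but a window only moves the ambiguity boundary; it does not remove it."""
    return expand_year(yy, pivot) - expand_year(birth_yy, pivot)


def possible_ages(yy: int, birth_yy: int,
                  max_age: int = MAX_PLAUSIBLE_AGE) -> List[int]:
    """Every age consistent with the two digits alone: the difference modulo
    100, plus each whole century that keeps it within max_age. More than one
    entry means no two-digit rule can decide this record; only a stored
    four-digit year can."""
    base = (yy - birth_yy) % 100
    return [base + 100 * k for k in range((max_age - base) // 100 + 1)]


if __name__ == "__main__":
    # Constructed sample pairs (YY, birthYY): the post's own case, a pre-2000
    # case where the naive code was fine, and a centenarian born in 1900.
    for yy, birth_yy in [(2, 80), (99, 80), (2, 0)]:
        print(f"YY={yy:02d} birthYY={birth_yy:02d}: "
              f"naive={naive_age(yy, birth_yy)} "
              f"patched={patched_age(yy, birth_yy)} "
              f"windowed={windowed_age(yy, birth_yy)} "
              f"consistent ages={possible_ages(yy, birth_yy)}")
```

    The last sample is the point the post's afternoon fix silently gets wrong: a 102-year-old born in 1900 and a newborn born in 2000 are the same two digits, so naive, patched and windowed code all answer 2, and `possible_ages` reports both candidates. The patch restores payroll that afternoon; the audit it leaves behind is finding the records where the candidate list has more than one entry.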

  9. #29, posted by farscott (Site Supporter, joined Dec 2011, location: Dunedin, FL, USA)
    Some of the statements on the attack are contradictory. One version of the story states that the pipeline controls were not impacted; the impact was to the admin systems that process orders, supply direction, and handle billing. That is less concerning to me even though the net result is the same -- not knowing how much of what to send to whom. But that is better than not being able to move fuel.

    Other versions state the actual pipeline controls were impacted. That would be very bad, like Stuxnet levels of bad.

    I also do not believe that the Russian government is unaware of the target. The Colonial pipeline is a big deal, and anyone taking it down has to realize the impacts. The real question is, "Why did the Russian government authorize/allow this?" For propaganda value, to gauge a response, and/or to make a point with another nation-state?

  10. #30
    Quote originally posted by farscott:
    Some of the statements on the attack are contradictory. One version of the story states that the pipeline controls were not impacted; the impact was to the admin systems that process orders, supply direction, and handle billing. That is less concerning to me even though the net result is the same -- not knowing how much of what to send to whom. But that is better than not being able to move fuel.

    Other versions state the actual pipeline controls were impacted. That would be very bad, like Stuxnet levels of bad.

    I also do not believe that the Russian government is unaware of the target. The Colonial pipeline is a big deal, and anyone taking it down has to realize the impacts. The real question is, "Why did the Russian government authorize/allow this?" For propaganda value, to gauge a response, and/or to make a point with another nation-state?
    I wonder if it was an automated attack via botnet, rather than directed by some human entity. The Windows PC's that run the SCADA system are infected, drives encrypted and whoever runs (or rents) the botnet sees a whole network of ransomwared PC's, and later figures out that those ransomed PC are in the Colonial network and they have effectively shut it down. They (the "hackers") admit it was unintentional, but they don't seem to be coughing up the encryption keys for free so who knows. In this scenario, the SCADA equipment wouldn't be affected, just the PC's that control and maintain/manage the pipeline.

    Scientific Wild Ass Guess

    Edit to add:

    Forgot about Brian Krebs, checked out his site and found this:

    https://krebsonsecurity.com/2021/05/...nsomware-gang/
    Last edited by Tabasco; 05-11-2021 at 01:15 PM. Reason: Additional Info
