One of the largest pipelines in the U.S. – Colonial Pipeline, which transports refined gasoline and jet fuel from Texas up the East Coast to New York, was forced to shut down after being hit by a Ransomware attack.
On May 8, The New York Times published a bulletin related to a cyber-attack on the IT/OT infrastructure of a large U.S. fuel transportation company.
Although there is no indication that the entity’s OT network was directly affected. The company decided to shut down all 5,500 miles for a fifth day as a precautionary measure, proactively shutting down certain OT systems to prevent the spread of malware and ensure systems security.
The attackers gained initial access to the company’s network to deploy the DarkSide Ransomware on the company’s IT network. Analysis of this cyberattack is still in progress by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.
ETEK has identified the following tactics, techniques and procedures performed by hackers:
- Spear phishing to gain initial access to the organization’s IT network before moving to the OT network and deploying Ransomware to encrypt data and impact both networks.
- Using commonly used ports and standard application layer protocols to communicate with controllers and download modified control logic. Also connecting to Internet-accessible Programmable Logic Controllers (PLCs) that do not require authentication for initial access.
- Modifying control logic and parameters in PLCs.
Among the immediate actions, ETEK strongly recommends that:
- If you use any OT security platforms, follow the vendors guidelines.
- Review and implement the actions recommended by the Cybersecurity and Infrastructure Security Agency (CISA).
- Also, identify abnormal or suspicious traffic inbound or outbound to hazardous IP addresses. Malicious traffic is covered by different techniques and tactics used by attackers to access the organization’s systems.
- Isolate affected systems by disabling login on affected devices to prevent further spreading, update systems and perform remediation actions, including reinstallation and disaster recovery.
- Keep an eye on potential zero-day attacks. Threats continue to increase and evolve, enterprise IT systems and data are no longer the central focus of bad guys, as Ransomware campaigns are now evolving to specifically target Industrial Control Systems (ICS). For example, research from the security firm Dragos has found a new Ransomware that does not just encrypt data and potentially disrupt the critical infrastructure.
If you already benefit from ETEK Managed Security Services, you are already protected. If not, you can contact us at securityadvisory@etek.com.
By. Juan David Marin
Cybersecurity Advisor