The hackers who hacked Colonial Pipeline promised to “choose their targets more carefully” in the future.
The cybercriminal group DarkSide published an apology for attacking Colonial Pipeline, one of the largest U.S. pipelines. According to the hackers, they did not want to cause chaos, but only planned to make money. Meanwhile, information security experts who analyzed the pipeline hack noted that the attack was only a matter of time, as there are many gaps in critical infrastructure cybersecurity.
The group behind the ransomware hack that shut down the U.S. Colonial Pipeline last week apologized for the “social consequences” of its hack. According to the attackers, who belong to the DarkSide group, they did not seek to cause havoc, but only to make money.
“We are apolitical and have nothing to do with geopolitics, so don’t link us to a specific government or look for other ulterior motives. Our goal is to make money, not to make trouble for people. Starting today, we will have moderators who will check every company whose systems we want to encrypt in order to avoid similar consequences in the future,” DarkSide said in a message posted on a darknet forum.
The group is not associated with a specific state, but it is not known to attack organizations whose systems use Russian or any of a number of Eastern European languages. Bloomberg claims that DarkSide members speak Russian.
Earlier this week, Russian authorities blamed the attack on Colonial Pipeline. The White House later refused to confirm rumors of Russian involvement in the cyber hack.
Meanwhile, security experts around the world agree that it was only a matter of time before the attack that shut down one of the largest pipelines in the eastern United States occurred. The lack of reliable protection of critical infrastructure, as well as the “pandemic of ransomware viruses” are to blame.
“To be honest, for anyone who actively monitors ransomware, this attack came as no surprise. It’s just another example of this type of virus pandemic that needs to be dealt with at the highest level,” said Philip Reiner, CEO of the Institute for Security and Technology.
“As everything becomes more computerized, the means of managing our critical infrastructure are also becoming digital, and steps need to be taken to ensure they are protected from cyberattacks,” said Leslie Gordon, acting director of national security and justice at the U.S. Chamber of Accounts. What happened to Colonial Pipeline is “an example of a failure to protect critical infrastructure,” she said.
Private companies are often extremely negligent about cybersecurity and fail to provide even basic protection for their computer systems, making it easy for hackers to break in, Reiner said.
“Cyber hygiene, or rather the lack of it, is really one of the main causes of cybercrime. It’s not that these hacker guys are professionals. It’s just that people can’t take care of the most basic things,” he said.
Today’s industrial enterprises are paying more and more attention to the cybersecurity of their assets, both in the industrial control segment and on the office network, said Evgeny Goncharov, head of Kaspersky ICS CERT.
“However, the large number of diverse information systems and the complexity of the infrastructure and internal processes of large organizations make it impossible to guarantee 100% protection in today’s threat landscape: unresolved vulnerabilities in the software and settings of information systems, and the human factor, unfortunately, often open the door to intruders,” said the specialist.
The group found to be involved in the Colonial Pipeline attack operates on the “Ransomware as a Service” business model: it not only develops attack tools, but also maintains the infrastructure for deploying them and helps its “partners” use them, for example in negotiating with the victim and receiving the ransom, Goncharov continued.
“Like a true ‘vendor,’ they build and develop their ‘partner network’ by offering special partner programs to other attackers, pre-selected on a competitive basis according to a set of formal requirements and by interview.
According to their own statement, they deploy the infrastructure for their operations in “unrecognized republics” and in countries under strong foreign policy pressure, thus using the geopolitical factor to reduce the risk of detection and prosecution,” the expert added.
Two factors above all make critical information infrastructure (CII) facilities vulnerable in the current situation, said Vitaly Zemskikh, technical director of ESET in Russia and the CIS.
The first is that after the mass introduction of remote work, the world has become more dependent on technology than ever before.
Not all industries have had time to establish processes of remote or hybrid employee interaction. As a result, cybercriminals have new tools to attack strategic targets.
The second factor is the widespread requirement to install certified information security tools for CII facilities. It takes about a year to go through all the bureaucratic and technical procedures, as well as to certify a product. Therefore, by the time all permits are obtained, the product version is outdated, and it is not difficult for qualified attackers to penetrate the infrastructure of a strategic enterprise.
“Since qualified groups of hackers from other countries are often behind the attacks on national CII objects, I would recommend using international products and technologies with a global database of current threats for information security,” Zemskikh concluded.