Ransomware Infection on Colonial Pipeline Shows Potential for Worse Gas Disruption

Colonial Pipeline says ransomware only infected its business network, not the operations network that controls gas flow. But experts say it had potential to spread to control network and suppliers

A ransomware campaign that struck the corporate network of a major gasoline distributor on the East Coast and caused the company to shut down its distribution pipelines as a cautionary measure, could have been worse if the perpetrators got onto the company’s operational or process control network, experts say.

On Friday, Colonial Pipeline released a statment to shippers that it was experiencing “network issues impacting the operation of the Colonial Pipeline system” but didn’t specify the problem. It subsequently told the New York Times that it had been infected with ransomware.

In a statement published Saturday, it said the ransomware infected only its corporate IT network. Although the operational network that controls its pipelines and distributes fuel is separate from the corporate network and wasn’t infected, Colonial said it temporarily shut down the pipelines as a precaution to prevent the infection from spreading.

The temporary shutdown stranded barrels of gasoline, diesel and jet fuel on the Gulf Coast, according to SP Global, and caused a dip in gasoline and diesel prices there.

While the infection was disruptive, it could have been more problematic if the infection had spread to the operational network and locked systems there or prevented operators from monitoring fuel flow or controlling it. Last year the Department of Homeland Security issued an alert about a ransomware hacker who infected the corporate network of a natural gas compression facility, then pivoted to its operational network and installed ransomware on both networks.

Colonial Pipeline is a major distributor of fuel from US Gulf Coast refineries to the Atlantic Coast and into the New York Harbor. The company has 5,500 miles of pipeline and transports 45 percent of the fuel that is distributed on the East Coast, according to the company.

Colonial’s operational network uses automation systems to control and monitor the flow of fuel from refineries and tank farms into Colonial’s pipeline, and from Colonial’s pipeline into the tanks and transportation facilities belonging to suppliers and distributors.

Colonial’s corporate IT network and the process control network are connected and exchange information about how much fuel each supplier or distributor receives in order to bill them for it, says a source who works for a large midstream oil company that feeds fuel into Colonial’s pipeline.

A “flow computer” on the process control network records data about how much fuel is distributed and sends it through a data gateway and firewall to the corporate network. A ticketing system on the corporate network uses that information to then invoice the distributors.

While the connection between Colonial’s corporate business network and the process control network is “mostly in one direction” the source says, “there’s nothing that stops it from going bi-directional” — meaning that depending on how secure the firewall that divides them is, a hacker can pass from the corporate network through the firewall and into the process network to impact systems there. Colonial is believed to use Cisco ASA firewalls, which have had serious vulnerabilities in the past. Once on the process control network, a hacker can install malware or manipulate data.

“If they were able to get in — let’s say it’s not run-of-the-mill ransomware but a smokescreen [for further malicious activity] — they could change [data about the] flow rates, they could modify the data,” the source said.

This could prevent Colonial Pipeline from knowing how much fuel is being received from refineries and transmitted to distributors. An attacker likely wouldn’t be able to alter the flow on his own, two sources told Zero Day. But he could trick an operator into taking steps that alter the flow, by feeding the operator false data. In any case, the downtime from such an infection and the cost of recovering from it would be costly.

Colonial Pipeline didn’t respond to a request for comment.

Although infecting Colonial Pipeline’s process control network would be disruptive, it isn’t the only concern. Colonial’s control system also connects to the control systems at tank farms that feed fuel into Colonial’s pipeline, said the source who works for the midstream oil company. An attacker can potentially pass through Colonial’s control systems into the control systems of these farms.

“There is a direct connection … between our [tank farms] and their control system,” the source said.

Each farm is isolated from each other digitally, so an attacker wouldn’t be able to jump directly from the control system of one to the others.

“[E]verything is independent, so they don’t see each other. Data doesn’t pass between sites,” the source explained.

But the tank farms do connect to his company’s main control center through satellite connections. He says it would be difficult for an attacker to jump to the corporate network from the tank farms, though.

“It’s not impossible, but it would be very difficult. You would have to be an extremely sophisticated attacker with knowledge of how that system works… and figure out obscure system protocols we use. So it’s not a likely scenario,” he said.

The Washington Post reports that investigators believe the ransomware came from an East European cybercriminal gang known as DarkSide. Ransomware locks up systems and data, preventing owners from accessing them unless they pay a ransom to the hackers or have their data stored on a backup system not affected by the ransomware.

Ransomware infections can spread from computer to computer or network to network. In some cases, ransomware infections can mask other malicious activity on the network — leading victims to believe their data is simply locked when in fact the hackers may be siphoning or altering data or traveling further into the network to install other tools that give them long-term access to critical systems even after the ransomware has been cleaned from the network.

DarkSide ransomware has been targeting victims since August 2020. The hackers behind the ransomware published a press release describing their “principles”: They claim they won’t infect hospitals and other medical facilities, schools or universities, non-profits or government agencies. Instead they target victims that they know can pay the ransom. “We do not want to kill your business,” they wrote.

“Before an attack, we carefully analyze your accountancy and determine how much you can pay based on your net income. You can ask all your questions in the chat before paying and our support will answer them.”

And if you like this article, please consider sharing it.

Share