The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said Tuesday evening that critical infrastructure entities need to take precautions immediately in case cyberattackers target them next, following the attack on Colonial Pipeline.
The federal officials urged those operating critical infrastructure to “adopt a heightened state of awareness,” implement “robust segmentation” between information technology and operational technology networks, test manual controls, and ensure that backups are isolated from network connections.
The FBI and CISA also cautioned those hit with ransomware attacks against paying their cyberattackers.
“CISA and the FBI do not encourage paying a ransom to criminal actors,” said the agencies in the joint cybersecurity advisory. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
Colonial Pipeline, which has said it provides nearly half of all fuel consumed on the East Coast, was hit with a ransomware attack: malicious software that restricts access to data and systems until the victim pays the attackers in exchange for the material held hostage.
The federal officials also provided additional details on the DarkSide ransomware that the FBI previously announced was used in the cyberattack against the pipeline. The joint advisory said that, since August 2020, DarkSide actors have targeted “multiple large, high-revenue organizations” that can afford to pay large ransoms, rather than other targets such as hospitals, schools, nonprofits, and governments.
“After gaining initial access to the pipeline company’s network, DarkSide actors deployed DarkSide ransomware against the company’s IT network,” said the joint advisory. “In response to the cyberattack, the company has reported that they proactively disconnected certain [operational technology] systems to ensure the systems’ safety. At this time, there are no indications that the threat actor moved laterally to [operational technology] systems.”
Colonial Pipeline said on Saturday that it proactively took systems offline to contain the threat, which included temporarily halting all pipeline operations.
On Tuesday evening, Colonial Pipeline said it was working with the Department of Energy to prioritize getting fuel to markets experiencing “supply constraints.”
“Since our pipeline system was taken offline, working with our shippers, Colonial has delivered approximately 967,000 barrels (~41 million gallons) to various delivery points along our system,” said Colonial Pipeline in a statement. “This includes delivery into the following markets: Atlanta, Ga., Belton and Spartanburg, S.C., Charlotte and Greensboro, N.C., Baltimore, Md., and Woodbury and Linden, N.J. Additionally, in preparation for our system restart, we have taken delivery of an additional 2 million barrels (~84 million gallons) from refineries for deployment upon restart.”
Before Colonial Pipeline’s systems are fully restored, travelers on the East Coast are expected to notice a change in gas prices. Earlier this week, the American Automobile Association forecast that the pipeline disruption would compound already rising gas prices.
Colonial Pipeline’s corporate website went down earlier on Tuesday as well, but the company said on Twitter that the service disruption was unrelated to the ransomware cyberattack.