- Colonial Pipeline began the relaunch of its massive fuel pipeline Wednesday following a ransomware attack that forced the 5,500-mile delivery system offline since last Friday, the company announced. The outage led to panic buying and gasoline shortages across multiple states in the southeast and mid-Atlantic region.
- There are conflicting reports on whether Colonial decided to pay the ransom. Though Bloomberg Thursday reported the company paid a $5 million ransom within hours of the attack last week, sources told the news service. The company has been working with cybersecurity consultants including Mandiant on the investigation. Consultants were reportedly able to trace some of its stolen data to a New York-based hosting firm, which shut down the server, according to The Washington Post.
- Colonial Pipeline said it made substantial progress in restarting the pipeline, and by mid-Thursday afternoon expects to have product in all of the markets it serves.
The White House will remain in close contact with Colonial Pipeline and continue to support the recovery process through a whole of government approach, according to a statement posted online from Press Secretary Jen Psaki. The Department of Energy, Department of Transportation, Department of Homeland Security and other agencies have been assisting the company with supply chain issues and to mitigate the cyber intrusion.
"This could end up being a post-breach success story," Edgard Capdevielle, CEO of Nozomi Networks, said via email. "It will be interesting to learn about the things that went right. When it comes down to these types of cyberattacks it's not a matter of if, but when a cyberattacker gets in."
Despite that optimism, there remain significant questions about what actually happened that led to the intrusion. In addition, there are unresolved issues with existing threats to critical infrastructure across the country and whether the U.S. is prepared for future cybersecurity attacks or ransomware demands.
While the exact method of attack has not been disclosed, FireEye released a blogpost outlining the recent history and methods used by the DarkSide organization. The group runs a ransomware as a service operation that partners with various affiliate groups.
Mandiant identified one threat actor UNC2628 as operating since February 2021, which deploys ransomware within two to three days of intrusion. Suspicious activity centered around using corporate VPNs using legitimate credentials. In some cases a tool called Mimikatz was used to steal credentials and escalate privileges.
Mandiant also saw UNC2659, observed since January, as using an exploit of Sonicwall SMA100 SSL VPN, however a patch has since been issued.