There was a ransomware attack on the US-based Colonial Pipeline between 6 and 10 May, due to which the country had to stop its gas pipeline supply for 5 days and they were forced to pay approximately US$4.4M. This shook the world, and it is considered one of the most impactful breaches in recent times. It has received extensive media coverage, which is now available on the Internet.
Owing to the ongoing investigation and as an extra precaution, to date (8th June 2021) Colonial Pipeline’s corporate website is not available to the general public and its address reference has been removed from the common search engines.
The team at Armantec Systems was able to reverse engineer this deadly attack by 14 May (within 2 days), and the result has now been vetted by the victim company as well as the investigating company.
The following is the recreated scenario:
For general users' easy understanding, a typical Oil & Gas network looks like this:
Here, the attacker used the business network of Colonial Pipeline.
A probable schematic representation of this attack, for better understanding:
Our investigation led to the following observation:
The above sequence flow has been vetted by Mandiant, a company engaged for this investigation by Colonial Pipeline, and by Colonial Pipeline representatives.
Till 15th of May 2021 (i.e. more than 10 days!!) there were more than 37 live samples available on the Surface Net/Dark Web, which were not detected by over 50 antivirus/ransomware engines.
This means that companies using those antivirus/anti-ransomware tools would not have been able to protect their organizations if similar attacks had been targeted at them as well.
The question remains: how prudent is the claim by OEMs that their solution “detects Zero Day Vulnerability”?
Our Critical Information Infrastructure (CII) companies should take this incident as a use case & work on implementing mitigation plans to avoid such incidents, as the only way is to understand how attackers work.
An active & regular RED team exercise lets CIIs check the actual defensible status of their existing processes and security infrastructure equipment. The gaps identified during this exercise can be used as the reference point for remediation techniques on an individual basis.
Additionally, it is highly recommended that CIIs use more “Custom Tools” suited to their organization’s needs, instead of going for “One Solution Fits All” when selecting readily available tools/infrastructure.
Case Study by: RED Team of Armantec, led by Shamsher Bahadur – Cyber Security Practice Head.
This article has been submitted by Armantec Systems Pvt Ltd (www.armantecsystems.com), a Noida-based Threat Intelligence & RED Teaming consulting firm, with a prime focus on custom Ransomware Attacks Solution for Critical Information Infrastructures (CIIs).