1. US pipeline suffers ransomware attack causing fuel shortage in 17 states
Colonial Pipeline, operator of the largest fuel pipeline system in the United States, which supplies roughly 45% of the fuel consumed on the East Coast, suffered a ransomware attack on its IT network and, to contain it, proactively shut down all pipeline operations. The pipeline carries refined gasoline, diesel, jet fuel and home heating oil, as well as fuel for the military.
The attack occurred on May 7 and directly affected fuel supply in 17 states from New Jersey to Texas, as well as D.C. To cope with the resulting shortage, the US Department of Transportation (DOT) issued a Regional Emergency Declaration that temporarily exempted drivers hauling fuel by road from the usual hours-of-service limits.
Colonial Pipeline said in a statement on May 10 that it was working on the recovery process and expected to restore service substantially “by the end of the week (May 16)”. The same day, the FBI confirmed that the DarkSide ransomware was responsible. DarkSide, a Russia-based group, runs a ransomware-as-a-service operation; no verified ties to the Kremlin were reported.
An attack on critical infrastructure can have severe economic consequences. Fuel prices rose noticeably in the days after the shutdown. Had the pipeline stayed offline for longer, the price shock could have spread from the US to Europe.
On May 14, it was reported that Colonial Pipeline had paid the attackers a ransom of roughly $5 million and that its systems were on their way to restoration. Given how low the settlement is for an attack of this scale, one reading is that the attackers backed off once they saw the size of the response from the US government and global media. Paying was no shortcut to recovery either: the decryption tool the attackers supplied was reportedly so slow that Colonial continued restoring systems from its own backups.
2. Belgium ISP suffers massive DDoS attack knocking 200 organizations offline
On the morning of May 4, a large DDoS attack hit Belnet, Belgium's publicly funded research and government network provider, cutting off internet connectivity for more than 200 organizations across the country. Belnet's customers include the Belgian parliament, federal government agencies, universities and research centres.
The Belgian parliament lost its connection and a wide range of government services became unavailable; the public broadcaster VRT was also taken offline. The outage lasted most of the day before Belnet announced that services were back to normal.
Belnet is working with the Centre for Cyber Security Belgium (CCB) to investigate the incident. It said the attack was very difficult to mitigate because the attackers kept changing their techniques and switched between different botnets. The company remains on high alert for follow-up attacks.
Against application-layer floods of this kind, where traffic comes from large numbers of hijacked residential IP addresses and the attack pattern keeps shifting, a logical web application firewall (WAF) such as WAPPLES can identify the changing patterns with its AI-based engine and keep the protected servers responsive. One caveat for practitioners: a WAF protects the web applications behind it; an attack that saturates an ISP's upstream links has to be handled at the network level as well, with upstream scrubbing or filtering at the provider's edge.
3. Enterprise password manager Passwordstate exploited for supply chain attack
On April 23, cybersecurity firm CSIS Group disclosed on its blog that it had discovered a cyberattack on Click Studios, an Australian firm behind the popular enterprise password manager Passwordstate.
It said that between April 20 and April 22, the attackers compromised the content delivery network that serves Passwordstate's in-place upgrade packages and tampered with an upgrade, adding a malicious DLL that CSIS dubbed Moserpass. Once installed, the malware collected the data stored in Passwordstate and sent it to a command-and-control (C2) server run by the attackers.
Because the intrusion was detected early, only customers who ran the in-place upgrade between April 20 and April 22 were exposed. Click Studios says Passwordstate is used by some 370,000 security and IT professionals at more than 29,000 customers worldwide, but it has a policy of not revealing who its customers are, so no list of affected firms was published. The company said it had contacted all affected customers and advised them to reset every password stored in Passwordstate, starting with credentials for internet-facing systems.
Tampering with a vendor's update channel is the same tactic used against SolarWinds Orion, which led to a massive supply-chain attack affecting hundreds of organizations. The two cases differ in where the trust broke: in the Passwordstate case the package was swapped on the CDN, so an installer that verified a vendor signature (with a key the CDN never holds) before applying the upgrade would have caught it; SolarWinds was compromised at the build stage, where a signature check alone does not help because the vendor signs the already-poisoned build.
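As an added illustration of the check described above, and not Click Studios' code or the real Passwordstate upgrade format, the following Python sketch verifies an update package against a per-file SHA-256 manifest obtained over a channel separate from the CDN. It reports a modified file and an extra file dropped into the archive, which is the shape of the Moserpass tampering. File names and contents are constructed for the example; the manifest here is computed from the "legitimate" build inline, where a vendor would publish it at release time.

```python
import hashlib
import io
import zipfile


def build_zip(files):
    """Pack {name: bytes} into an in-memory zip (stand-in for an upgrade package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def manifest_for(package):
    """Per-file SHA-256 digests of a package.

    The vendor computes this at release time and publishes it over a channel
    the CDN does not control (signed release notes, a separate origin), so an
    attacker who swaps the package on the CDN cannot also rewrite the digests.
    """
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist()}


def verify_package(package, manifest):
    """Return a list of findings; an empty list means the package is intact.

    Three cases are reported: a file whose digest differs from the manifest,
    a file the manifest lists but the package lacks, and a file present in the
    package that the manifest never mentioned (a dropped-in DLL is this case).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        present = set(zf.namelist())
        for name, expected in manifest.items():
            if name not in present:
                findings.append("missing: " + name)
                continue
            actual = hashlib.sha256(zf.read(name)).hexdigest()
            if actual != expected:
                findings.append("modified: " + name)
        for name in sorted(present - set(manifest)):
            findings.append("unexpected: " + name)
    return findings


# Constructed sample data; names and contents are illustrative only and do not
# reflect the real Passwordstate upgrade layout.
LEGIT_FILES = {
    "upgrade/app.dll": b"legitimate application code",
    "upgrade/helper.dll": b"legitimate helper library",
}
LEGIT_PACKAGE = build_zip(LEGIT_FILES)
MANIFEST = manifest_for(LEGIT_PACKAGE)   # obtained out-of-band in real life

# An attacker with write access to the CDN swaps the package: one library is
# trojanized and one extra library is added.
TAMPERED_FILES = dict(LEGIT_FILES)
TAMPERED_FILES["upgrade/helper.dll"] = (b"legitimate helper library"
                                        + b"\x00" * 64 + b"call home to c2")
TAMPERED_FILES["upgrade/extra.dll"] = b"dropped-in payload"
TAMPERED_PACKAGE = build_zip(TAMPERED_FILES)


def install_if_intact(package, manifest):
    """Gate the upgrade on verification; returns whether it would be applied."""
    findings = verify_package(package, manifest)
    if findings:
        print("refusing upgrade:", "; ".join(findings))
        return False
    print("package verified, applying upgrade")
    return True


if __name__ == "__main__":
    install_if_intact(LEGIT_PACKAGE, MANIFEST)      # applies
    install_if_intact(TAMPERED_PACKAGE, MANIFEST)   # refuses
```

The example uses plain digests from the standard library and assumes the manifest arrived over a trusted channel; in a real installer the manifest itself should carry a vendor signature, since an attacker who controls the distribution network can republish a package and an unsigned manifest together.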