(The opinions expressed here are those of the author, a columnist for Reuters.)
By Peter Apps
LONDON, May 14 (Reuters) - Even if U.S. firm Colonial Pipeline restores supplies by the end of this week, the ransomware attack that hit the pipeline supplying 45% of East Coast U.S. fuel has already been amongst the most disruptive cyber attacks in recent history.
Details on the incident remain relatively limited – Colonial Pipeline is a privately owned firm created by major U.S. oil companies and has kept tight-lipped. But federal investigators say the firm had sensitive corporate data stolen and encrypted by cyber-crime organisation DarkSide, prompting Colonial to shut down fuel shipments as a safety precaution in case the hackers have access to other parts of the network that might allow them to do damage.
The effect has been to spark panic buying at fuel stations and limit supplies at airports – something experts have been predicting for years in the event of a major cyber attack. What this attack shows, however, is just how limited an effect those warnings and preparations appear to have had – particularly compared to the much better protected U.S. power grid.
Ransomware attacks have been on the rise for several years, with the British and U.S. governments taking the unusual step of directly blaming North Korea for the 2017 WannaCry attack that briefly locked out hundreds of thousands of computers around the world. At the UK National Cyber Security Centre annual conference on Wednesday, British Foreign Secretary Dominic Raab also pointed the finger at Russia, where many gangs are based.
Russia "can't just wave their hands and say nothing to do with them", he said. "Even if it is not directly linked to the state they have a responsibility to prosecute those gangs and individuals."
The FBI said on Monday it believed the attackers were a criminal group known as DarkSide, often described as offering “Ransomware-As-A-Service” – meaning they work for third-party clients to lock out essential computer systems at their target, refusing to release them until victims pay a large sum, usually in bitcoin or another cryptocurrency.
Sometimes said to be Russian in origin but invariably acknowledged as particularly sophisticated, DarkSide’s site on the dark web lists a number of previous targets that it says did not pay up, more than 80 companies across the United States and Europe. It appears to largely spare Russian, Ukrainian and Kazakh companies, another potential clue to its origin.
Such attacks are becoming a growing problem – UK Foreign Secretary Raab said ransomware attacks delayed a post-COVID return to the classroom for 80 British schools and universities in March. How to tackle them is likely to be an increasingly thorny issue.
Basic corporate and individual computer security is, of course, inevitably the starting point. Had Colonial Pipeline succeeded in keeping its data and access credentials safe, the attack is unlikely to have happened. Raising the cost of those breaches by fines or other sanctions against firms that lose data is one policy solution – but the truth is that if a hacker is determined and skilled, or an insider compromised, then that may not be enough.
Much, of course, depends on where the attack might come from. For most of the last decade, the U.S. government and others have been clear that they might respond to any cyber attack originating from a nation state as it would to a conventional attack – in other words, that if a cyber attack cost lives, so might a more direct military response.
That approach, however, achieves little with the Colonial Pipeline incident. Firstly, while it has proved damaging and disruptive, it would still fall well below the threshold of anything that could be responded to in a conventional military manner. And secondly, for all the indications that the attacker is from Russia, very little is publicly proven.
Colonial Pipeline does not currently appear on the list of DarkSide’s targets – and the company has declined to say whether or not it paid a ransom to restore access to its systems.
Such payments are often effectively untraceable – one reason experts suggest better regulating cryptocurrency might reduce such attacks. For now, however, that seems relatively unlikely. As with legislating higher financial penalties for companies that are the victims of cyber attacks, pushing such laws through the U.S. Congress or other national legislatures would be no easy task.
Even if such legislation were possible, however, the proliferation of such attacks appears to be only on the increase, escalating much faster than the ability or willingness of often cash-strapped firms to resist. Governments, meanwhile, have no truly effective way of safeguarding huge swathes of critical national infrastructure.
Ransomware attacks are not the only problem. Last year’s SolarWinds hack – revealed in December – saw suspected nation-state hijackers access huge volumes of accounts and data through a software platform called Orion. As Orion’s clients contained multiple government entities – including U.S. federal agencies, local government and law enforcement – the scale of the potential data loss was immense.
By providing sign-in details to new systems, such breaches can facilitate future ransomware attacks. Colonial Pipeline might be disruptive, but it could also be a warning of much worse to come.

***

Peter Apps is a writer on international affairs, globalisation, conflict and other issues. He is the founder and executive director of the Project for Study of the 21st Century (PS21), a non-national, non-partisan, non-ideological think tank. Paralysed by a war-zone car crash in 2006, he also blogs about his disability and other topics. He was previously a reporter for Reuters and continues to be paid by Thomson Reuters. Since 2016, he has been a member of the British Army Reserve and the UK Labour Party.

(Editing by Giles Elgood)