Dive Brief:

• The Biden administration, led by the Department of Energy, is working with Colonial Pipeline officials to shore up fuel supplies to critical East Coast markets that are dealing with spiking gasoline prices and fuel shortages following last week's ransomware attack.  

• The FBI and Cybersecurity and Infrastructure Security Agency issued an alert Tuesday with additional background on techniques used by DarkSide as well as steps to help critical infrastructure providers protect their systems from ransomware attacks.
• Colonial Pipeline said it disconnected its OT systems as a way to protect against the DarkSide ransomware that was deployed on its IT infrastructure. There is no indication the hackers were able to move laterally within the system, the FBI and CISA said. 

Dive Insight:

Security researchers warned the DarkSide attack against Colonial may only be a precursor to criminal and nation-state campaigns targeting sensitive installations in the U.S.

The Colonial Pipeline attack is a teaser of future attacks against critical infrastructure targets, Grant Geyer, chief product officer of Claroty said in a statement. 

"As cyber criminals and foreign adversaries seek opportunities for financial gain and power projection, our national critical infrastructure is an easy target," Geyer said. "Industrial environments are operating with infrastructure that commonly maintains obsolete technology that can't be patched, and staff that frequently are not as cyber savvy as they need to be to keep attackers at bay."

Pipelines are in highly distributed environments making them particularly vulnerable because the tools used to allow remote connectivity are designed for easy access and not for strong security, Geyer said. 

The FBI provided indicators of compromise and mitigation information to critical infrastructure companies since the attack, according to the White House. The FBI confirmed that it issued a TLP Green flash alert, which is designed for security officials and private sector partners, however that level of detail was not offered publicly, a spokesperson said. 

DarkSide gained access into these companies through phishing and exploiting remotely accessible systems as well as virtual desktop infrastructure, according to the alert. The attackers were observed using remote desktop protocol (RDP) to maintain persistence inside of systems, according to the joint FBI/CISA alert issued late Tuesday. 

Darkside uses The Onion Router (TOR) and Cobalt Strike for command and control, according to the alert. 

The Colonial attack illustrates a rising level of anxiety among corporate security officials about the potential impact of ransomware among critical infrastructure providers, said Bryson Bort, founder and CEO of Scythe.

"This is hitting everybody," he said. "And it's hurting. I've already, for the last four months been getting just tons of questions and interest from security managers [who] are all like, 'What do I do about ransomware?' How do I even test for it.'"

Colonial Pipeline expects to resume normal operations by the end of the week, and ramped up efforts to deliver fuel to select markets that are experiencing supply shortages and markets that are not served by other delivery systems, according to an update from the firm. 

The governors of Florida, Georgia, Virginia and North Carolina declared states of emergency as gas stations began to run out of fuel and some long-haul commercial airline flights made interim refueling stops. 

Since it had to go offline, Colonial has delivered 967,000 barrels to various delivery points in its markets including Atlanta; Baltimore; Woodbury and Linden, N.J.; Belton and Spartanburg, S.C. and Charlotte and Greensboro, N.C.