According to a Canadian security expert, the ransomware attack on a major U.S. gasoline pipeline should put complacent Canadian citizens and political leaders on high alert to the threat of online attacks against critical infrastructure.
“My sense is we are seriously vulnerable, and this [attack] is a major canary in the coal mine,” Christian Leuprecht, a Queen’s University professor and senior fellow in security and defence at the Macdonald Laurier Institute, said in an interview days after the ransomware attack on Colonial Pipeline Co.
When the company learned of the attack on May 7, it shut down all pipeline operations and some IT systems to contain the threat. Reporting suggests it’s slowly opening the lines and hopes to be fully operational by the end of this week. However, the website hosting Colonial’s media statements was offline Tuesday morning after being available late Monday.
It isn’t known whether the attack hit only the IT side of the company or the operational technology (OT) side that runs the pipeline as well.
According to some reports, Colonial transports 45 per cent of all fuel consumed on the U.S. East Coast.
The attack is “a big game-changer because we always felt that we can keep our critical infrastructure reasonably safe and the bad guys can go after other countries,” said Leuprecht. “But [this attack] shows the deterrents aren’t working.”
Canadians shouldn’t feel smug the attack didn’t happen here, he added. Chances are any vulnerability in Colonial’s system also exists in Canadian pipeline firms.
The New York Times quotes unnamed U.S. federal and private sector officials saying a preliminary investigation showed poor security practices at Colonial Pipeline. The sources also said the attack was aimed at the IT side of the company.
Bloomberg News reports that attackers copied 100 GB of data from Colonial in two hours the day before the ransomware attack was launched. Citing unnamed sources, the story says the attackers threatened the data would be released unless Colonial paid for data decryption keys.
Cybersecurity is not a priority in Ottawa, Leuprecht complained. He pointed to the recently proposed federal budget, which has few new resources for improving the cybersecurity of the country’s critical infrastructure.
“We need a Public Safety Minister who makes this an operational priority for the agencies,” he said. “We need political leadership, we need to make sure that all government departments and the private sector know they have a trusted partner in the federal government that is on the ball, where we just don’t do little announcements here and there, but make it a Job 1 day-in and day-out priority.
“One of the areas where we are profoundly vulnerable in a federal system is co-ordinating not just with the private sector but with provincial governments, municipal governments. All of them own pieces of the critical infrastructure. So a much greater awareness [is needed] at the political level of the challenge and the risks that the cyber domain poses to our security, prosperity, democracy. This isn’t just a sideshow among other policy areas. This [cyber attacks] is an existential threat to our country.”
Leuprecht also said ransomware “arguably is the most prolific cybersecurity threat out there today.”
Twelve days ago, IT World Canada asked the Prime Minister’s Office (PMO) for comment on an RCMP-supported U.S. Ransomware Task Force which made a number of recommendations to governments for fighting ransomware. One is that governments declare ransomware a national security threat.
In response, the PMO referred the query to Public Safety Minister Bob Blair. After no reply in over a week, Blair’s office was asked for an update yesterday. Press secretary Mary-Liz Power said the question should go to the Communications Security Establishment (CSE), the government’s electronic cybersecurity agency within the Defence Department.
Asked for comment on the Colonial attack, a CSE spokesperson said the Canadian Centre for Cyber Security (which is part of CSE) generally does not comment on cybersecurity incidents.
But, the spokesperson did say they’re “focused every day on providing cybersecurity advice and guidance to Canadians and Canadian organizations, including critical infrastructure partners, to better protect themselves.”
“CSE and its Cyber Centre continue to regularly monitor and proactively share threat information with Canadian organizations, government partners, and industry stakeholders. This includes working collaboratively with partners across critical infrastructure by sharing tailored advice and guidance, including specific cyber threat information. As trends emerge, we have regular calls with industry stakeholders to help ensure they are staying on top of evolving threats. For example, these awareness efforts include an important and still active Cyber Threat Bulletin on Modern Ransomware and its Evolution. We have also issued Cyber Alerts on various ransomware threats, as well as publications on How to prevent and Recover Ransomware.”
They also noted the National Cyber Threat Assessment 2020 states cybercrime is the cyber threat most likely to affect Canadians and Canadian organizations. It also concludes ransomware directed against Canada will almost certainly continue to target all sizes of organizations.
On Monday, the FBI attributed the Colonial Pipeline attack to the DarkSide ransomware gang. At the same time, U.S. President Joe Biden said during a press conference that while there is no evidence the Russian government was behind the attack, DarkSide is based in Russia. Moscow “have some responsibility to deal with this,” he said.
Seemingly in response to that comment, DarkSide recently issued a statement saying they were trying to stay out of politics.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Some analysts interpret this as meaning the gang is embarrassed at the attention this attack has caused – particularly from a country with powerful cyber weapons.
Bleeping Computer reported that DarkSide operates as a ransomware-as-a-service operation and suggested an affiliate “picked the wrong target.”
On the other hand, Christian Leuprecht says it may not be a coincidence that a Russia-based hacking group launched an attack on an American pipeline not long after Washington imposed sanctions on Moscow for being behind the SolarWinds Orion hack.
The New York Times and others reported the Biden administration has recently been putting the finishing touches on an executive order aimed at strengthening cybersecurity at federal agencies and contractors working on federal projects.
Among other things, it would reportedly mandate the use of multifactor authentication for employees and require federal agencies to adopt a zero-trust design for data and access. Basically, the zero-trust approach means that every user and device, even one already inside the corporate network, has to be verified before it is allowed to access an asset, rather than being trusted because of where it is connecting from.
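To make the difference concrete, here is an added example (not from the article, the executive order, or any vendor product) that evaluates the same access request under a perimeter model and under a zero-trust model. The users, devices, assets and network range are constructed sample data; the checks (MFA, managed device, role authorized for the asset) are the illustrative minimum a zero-trust policy engine would apply on every request.

```python
"""Perimeter trust versus zero-trust access decisions (added example).

All names, IPs and device ids below are constructed for illustration; the
policy rules are a simplified model, not any real product's configuration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    device_id: str
    asset: str
    mfa_verified: bool


# Constructed sample data (hypothetical organisation).
CORPORATE_NETWORK = ipaddress.ip_network("10.0.0.0/8")
USER_ROLES = {"alice": "ot-engineer", "bob": "finance"}
ASSET_ALLOWED_ROLES = {
    "pipeline-hmi": {"ot-engineer"},
    "billing-db": {"finance"},
}
# Devices enrolled in management with a current posture check.
MANAGED_DEVICES = {"laptop-42", "laptop-07"}


def perimeter_decision(req: AccessRequest) -> bool:
    """Classic perimeter model: anything already inside the network is trusted."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NETWORK


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Zero-trust model: verify identity, device and authorization on every
    request and ignore network location entirely.

    Returns (allowed, failed_checks). Listing every failed check, rather than
    stopping at the first, gives the security team a denial record it can log
    and alert on (e.g. repeated MFA-less attempts from inside the network).
    """
    failed: List[str] = []
    if not req.mfa_verified:
        failed.append("mfa-not-verified")
    if req.device_id not in MANAGED_DEVICES:
        failed.append("unmanaged-device")
    role = USER_ROLES.get(req.user)
    if role is None or role not in ASSET_ALLOWED_ROLES.get(req.asset, set()):
        failed.append("not-authorized-for-asset")
    return (not failed, failed)


if __name__ == "__main__":
    # A compromised account already on the corporate network, no MFA,
    # unmanaged device, reaching for an OT asset its role never needs.
    inside = AccessRequest("bob", "10.0.5.20", "laptop-99", "pipeline-hmi", False)
    # A legitimate engineer working remotely with MFA on a managed laptop.
    outside = AccessRequest("alice", "203.0.113.9", "laptop-42", "pipeline-hmi", True)
    for req in (inside, outside):
        print(req.user, "perimeter:", perimeter_decision(req),
              "zero-trust:", zero_trust_decision(req))
```

Running it shows the two models disagree in both directions: the perimeter model waves through the insider request purely because of its 10.x address and blocks the remote engineer, while the zero-trust policy denies the first with three named reasons and allows the second. Those named reasons are the detection value of the design; each denial is a structured event worth forwarding to the SOC.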
Canada has had an eye on critical infrastructure – which includes the energy, finance, transportation, health, government, manufacturing and food sectors – for over a decade. That includes a Cyber Security and Critical Energy Infrastructure Program overseen by the Ministry of Natural Resources.
In 2018 it received an extra $2.24 million over five years to help the private sector enhance the security and resilience of its systems. The first project to receive funding was in February 2020 to help produce a series of cybersecurity standards for industrial internet of things devices in the electricity sector.
The attack on Colonial “is another example of an alarming trend – devastating cyberattacks on US infrastructure,” said Marcin Kleczynski, CEO of Malwarebytes. “This latest incident further escalates the tensions between Russia and the U.S. regarding cyberattacks, whether or not they are sanctioned by the Kremlin. In accordance with the Ransomware Taskforce’s recent recommendation, ransomware must be treated as a national security threat. The forthcoming executive order from President Biden meant to strengthen cyberdefenses must address the cracks in the nation’s cyber defence systems, as well as set strict regulations to not only how we respond to attacks once they happen but how companies, both private and public, work to proactively defend against these attacks. It is time to do more than just talk or write orders – we must take action.”