The Colonial pipeline breach: the intention and the reality

By Ross Bailey, Chief Commercial Officer

I watched the reaction to last week’s ransomware attack on the Colonial Pipeline organisation with interest. The consequences of the event, which in all probability could have been prevented, have been wide-ranging. We are talking about cyberattacks more in 2021 than ever before. That might be because we know more about them: technological advancements in AI and machine learning allow us to see the analytics of an attack in more detail than ever before. More likely, though, it is the realisation that we have a sweeping global problem and that keeping quiet will not solve it. I question how many attacks on private businesses are kept under wraps in order to avoid devastating financial and reputational consequences. Colonial had no choice but to be open about the breach of its operating systems, as the consequence was having to temporarily shut down its fuel pipeline.

The cybersecurity problem is large and unwieldy. Take the SolarWinds attack. Hackers identified network management software that they could access, inserted malware into an update of that software by changing thousands of lines of code, and watched as that update infected over 18,000 organisations globally. A single remote device with security vulnerabilities can be responsible for the temporary halt of massive amounts of infrastructure.

It’s interesting to see that DarkSide, the organisation behind the ransomware attack, didn’t intend the widescale disruption that they created. This is a major point to consider when discussing cyberattacks: the intention of the hacker versus the reality of their actions. Hackers can often only see part of the network they are infiltrating, so they can be unaware of the knock-on effect or of the decisions that will be taken in the wake of their attack. In the Colonial instance, the company itself chose to shut down its physical operation once it became aware of the problem. Not knowing how far-reaching the DarkSide infiltration was, it was their only option while they reviewed the breach. DarkSide, it seems, had meant only to attack legacy IT hardware within the organisation and hold the systems ‘ransom’ for a cash reward. They did not set out to disrupt the physical pipeline itself.

DarkSide are rumoured to have disbanded as the furore centred on their organisation has grown. Most cyber hackers pop up elsewhere under a different guise, so it’s unlikely to be the last we hear from them. DarkSide have previously portrayed themselves as rather heroic figures, targeting large corporations for cash in ransomware attacks. Shutting down over 5000 miles of national US infrastructure, with the end result affecting ordinary citizens, was not on the agenda. Defences of national infrastructure by governments all over the world have been weak for years and cyber criminals know that, which suggests their focus is on ransomware attacks against private businesses. There is the possibility that the ease of infiltration at Colonial now sparks attacks on national infrastructures, possibly by opposing nation states. But that’s another story entirely.

Not having the means to monitor, prevent and manage cyberattacks leaves a business wide open to unknown intrusions that cannot be contained without a massive and ongoing impact. Learn from last week’s attack at Colonial and superimpose that ransomware attack on your own business. Do you have good enough cyber hygiene in place should an external or internal bad actor target your network? In the current threat landscape, the surest way to fight AI is with AI.
