How the hacker attack on Colonial Pipeline was possible

by time news

AGI – It could have been an email, or a click on a link, that stopped the more than 8,850 kilometers of oil pipelines of the Colonial Pipeline on 8 May. The largest pipeline network in the United States, capable of transporting up to 2.5 million barrels of petroleum products to cities in the Southeast, was brought to its knees by a powerful, but in itself simple, cyber attack: a ransomware, code that is installed on the computer when an infected file is downloaded and which ‘locks’ with encryption all the contents it encounters: files, folders, documents.

As soon as a recipient opens a malicious attachment or clicks on a compromised link, the malware is downloaded to the user’s system and begins encrypting data. At the moment, the details of the attack on the Colonial Pipeline are not known, but everything suggests that something similar must have happened, because the mechanism has been the same for decades.

In this case, the infecting software (malware) has one more feature: it infects, blocks the systems by encrypting them, and the attacker demands a ransom (hence the name ransomware) to remove the block. An increasingly urgent problem for companies, especially when they work in strategic sectors.

The protection of critical infrastructures

But how was such an attack on such a delicate infrastructure possible? “It is not certain that a critical infrastructure is necessarily better protected than the others. In fact, the opposite is often true, because it is old infrastructures, managed by companies born in a pre-digital world, which at a certain point go online out of necessity, very quickly and without risk-appropriate methodologies.” So says Matteo Flora, IT security expert and CEO of The Fool, to AGI.

“For many years, cybersecurity experts have been warning against this type of attack, which has become more and more frequent,” explains Flora. The most recent data collected by Statista says that in 2019 63% of companies experienced some type of ransomware attack. “To this we must add that these targets are objectively more vulnerable than others from a strictly socio-economic point of view. These infrastructures must be protected. In recent years, important vulnerabilities have emerged, which give the aggressor a power never seen before. And this power is used to hit strategic targets that can be oil pipelines, or dams, or turbines or credit institutions. A lot of money is invested to do so. If companies want to protect themselves they must invest as many resources, if not more,” adds the expert.

The matrix of attacks

But this may not be enough as an explanation. “This attack seems to have a clear matrix: it was done for money. But what happens if the attacker is moved by the aims of a state? A state can invest to hit a target that it considers fundamental much more than a private individual can invest to defend himself. This creates a misalignment that is difficult to bridge,” comments Stefano Zanero, associate professor of Computer Science at the Milan Polytechnic, to AGI. A problem that at the moment “does not have a clear solution,” adds Zanero, who nevertheless identifies in a “public-private partnership a possible way to protect the most delicate infrastructures.”

“The attackers of Colonial Pipeline are not cyberterrorists, at least so it seems; it is a group that attacked to obtain a ransom. From the statement of the company it is clear that they have not infected the systems that allow the fuel to be moved, but the business computer systems, nevertheless preventing them from working,” continues Zanero.

“The attack itself is surprising, but regardless of the type of work it does, Colonial Pipeline is a company like many others, and has had a ransomware attack just like tens of thousands of other companies. The problem in this case is that it has a fundamental role for society, and attacking a company of this type has a much greater impact for everyone. At the moment, however, it is not possible to understand the nature of this attack, that is, if it is due to an error of the company or the skill of the attackers. We will have to wait a few more days to understand,” he concludes.

What kind of attack did Colonial suffer

Beyond the responsibilities and consequences for the company, in this case the attack takes on particular importance, because the objective was the US oil infrastructure. “If we look at this attack, we can say that it is a classic Ryuk-type ransomware attack. This type is particularly fond of the US market; in fact 15% of Ryuk attacks take place in the United States compared to 3% in Italy,” Pierluigi Torriani, Security Engineering Manager of Check Point, one of the main IT security companies, comments to AGI.

“However, if we consider that an organization in Italy is hit 817 times a week compared to the 695 times of an organization in the rest of the world, and that every 10 seconds an organization is the victim of ransomware somewhere in the world, it is good to reiterate once again to all organizations to defend themselves from the growing threat of ransomware with solutions that can prevent these attacks and stop data leaks,” continues Torriani, and adds: “Obviously it is evident that the more the size of the target grows, the more important the impacts of an attack become. In large companies we talk about safeguarding the business; in the context of critical infrastructures we talk about safeguarding a country, therefore a cybersecurity strategy that involves both the individual citizen and the top of government is absolutely fundamental.”

The shadow of another state

While Colonial’s responsibilities aren’t clear, it is also not entirely clear who might have attacked it. That the malware came with a ransom note is an important clue, but it does not clear up all doubts. “The Colonial ransomware attack is a prime example of the online assaults that American companies, schools, hospitals and other organizations face on a regular basis,” Gianclaudio Torlizzi, general manager of financial consulting firm T-Commodity, told AGI.

“It should also serve as a wake-up call to the particular exposure of the energy industry, according to consultants and others who work with companies to strengthen cybersecurity,” he adds. The May 8 attack on Colonial Pipeline could also “have a bearing on defense if it is found to have been sponsored by a state. Reuters reported that it may have been carried out by ‘Darkside’, a cyber criminal gang. It is a hypothesis at this point and it is necessary that the investigations be completed.” Also because, concludes Torlizzi, “it must be pointed out that the attack took place after Secretary of State Blinken’s visit to Ukraine.”
