CASIS-Vancouver Page 1

CANADIAN ASSOCIATION FOR SECURITY AND INTELLIGENCE STUDIES
VANCOUVER

CYBER ATTACK ON COLONIAL PIPELINE
BRIEFING NOTE
May 18, 2021

Disclaimer: This Briefing Note contains summaries of open sources and does not represent the views of the Canadian Association for Security and Intelligence Studies.
Title: Cyber Attack on Colonial Pipeline
Date: May 18, 2021
Disclaimer: This briefing note contains summaries of open sources and does not represent the views of the Canadian Association for Security and Intelligence Studies.

EXECUTIVE SUMMARY
This briefing note examines the ransomware attack against Colonial Pipeline that has forced
the shutdown of the pipeline since May 7, 2021. The disruption in pipeline services has the
potential to damage the reputation of Colonial Pipeline. A loss in consumer confidence has
the potential to significantly impact the bottom line of Colonial Pipeline. Additionally, this
briefing note highlights the rising threat of ransomware attacks across multiple industries and
the potential threat that this can pose to a state’s critical infrastructure.

THE SECURITY PROBLEM
The ransomware attack on Colonial Pipeline and its forced shutdown has jeopardized the
supply of oil to the East Coast of the United States (Porter, 2021; Saefong & Watts, 2021).
Additionally, the shutdown of the pipeline for an extended period of time can potentially
damage public confidence in the company’s ability to deliver reliable, critical energy
supplies. In terms of aggregate economic losses, it is reported that at the retail level, several
gas stations along the East Coast of the US were beginning to run out of fuel, and some
consumers observed hikes in gas prices 4 days after the shutdown of the pipeline (Isidore,
2021; Porter, 2021). Additionally, the price hikes resulting from this fuel shortage have
possibly affected the aviation industry, as price hikes affect businesses' bottom lines (Isidore,
2021; Porter, 2021). Cyber-attacks could potentially happen to any service provider,
regardless of public/private sector, industry, or company size (Canadian Centre for Cyber
Security, 2020). This means that the security consequences of a cyber-attack could range
from minor inconveniences caused by service disruptions to loss of human life, if critical
infrastructure such as railways, utilities and buildings necessary to maintain normalcy in
daily life were attacked and damaged. The less immediate damages, such as reputational
damage, could be difficult to estimate.

BACKGROUND AND KEY FACTS
On May 7, 2021, Colonial Pipeline was forced to shut down the operation of their pipeline,
due to a malicious ransomware attack that jeopardized their systems (Russon, 2021). This
shutdown led to the disabling of nearly 5,500 miles of oil pipeline and the disruption of
possibly around 45% of the oil supply on the East Coast of the United States (Russon, 2021).
The shutdown of the pipeline reportedly caused some fluctuation in oil futures markets and
arguably panic buying by consumers along the East Coast (Rapier, 2021). Ransomware
attacks have become more common in recent decades as more companies move their data
onto online platforms. A 2019 report from Emsisoft estimated that ransomware attacks cost
companies and government agencies more than $7.5 billion in the US alone (Emsisoft
Malware Lab, 2019).
Although specific attribution for cyberattacks such as this is often difficult, the FBI attributed
it to the hacking group DarkSide shortly following the attack (Tucker et al., 2021). The FBI
has alleged that members of DarkSide were based in Russia; however, no link between
the group and a state actor has so far been established (Tucker et al., 2021). DarkSide
has reportedly been conducting cyberattacks since August 2020 (National Cyber Awareness
System, 2021). In addition, their website contains sensitive information that they have
released from more than 80 companies, which were allegedly unwilling to pay a ransom to
secure their data (National Cyber Awareness System, 2021; Barrett, 2020; Appendix A). In
this case, Colonial Pipeline reportedly paid a substantial ransom of $5 million (Turton
et al., 2021). However, there is no concrete guarantee that the perpetrators will not release
the company's sensitive corporate data to the public.

KEY CONSIDERATIONS AND IMPLICATIONS
The ransomware attack on Colonial Pipeline could potentially have serious implications for
the company’s reputation and consumer confidence, as well as possibly posing national
security concerns such as maintaining stable energy supply to the military in the US.
Research has demonstrated that companies that are victims of cyberattacks that endanger the
security of consumer data can suffer from a loss in consumer confidence, and ultimately, they
may lose customers (Beyeler et al., 2012; Canadian Centre for Cyber Security, 2020;
Mossburg et al., 2016). In the case of Colonial Pipeline, their customers include private
corporations and government agencies, including the US military (Jowers, 2021). A loss of
confidence with clients as large as the US military has the potential to significantly impact
the bottom line of Colonial Pipeline.
The reported $5 million that Colonial Pipeline allegedly chose to pay DarkSide as
a ransom for their data is a small amount in comparison to their overall revenue (Dun &
Bradstreet, n.d.). However, for other small and medium-sized companies, the demands of
hacking groups like DarkSide could be large enough to cripple their businesses.
Additionally, if a business is unwilling or unable to pay a ransom, the potential public release
of its sensitive data could grant its direct competitors access to important data, such as
customer information, financial statements, and contract information (National Cyber
Awareness System, 2021; Barrett, 2020; Appendix A).
Ransomware attacks on private firms, such as the one that Colonial Pipeline faced, have been
occurring at a debatably increased rate over the past three years (Canadian Centre for Cyber
Security, 2020). The potential vulnerability to cyberattacks of private companies that play a
critical role in a nation’s infrastructure not only jeopardizes individual companies, but also
arguably could have consequences for national security. If private companies in charge of
critical infrastructure fail to secure their data from ransomware and other cyberattacks, the
fallout may not be contained at the retail or individual level. It is possible that the negative
consequences could have serious impacts at the national level, such as being unable to
maintain energy supply to the military. The Colonial Pipeline shutdown, for example,
could arguably be the major contributing reason for the severely restricted oil supply for the
entire East Coast of the United States. If other aspects of critical infrastructure, such as
healthcare or the electrical grid, were to be shut down because of a cyber-attack, further
damage and loss of life are a realistic potential consequence.

WHAT IS NOT KNOWN
As of May 12, 2021, 5 days after the initial ransomware cyber-attack, it is still not known
who the individual members of DarkSide are, or whether the hacking group was financially
supported by Russia or another state actor. There has not been any claim of responsibility
from the Kremlin, yet the software involved in perpetrating the attack and the data traffic have
been traced to servers located in Russia (Tucker et al., 2021).

NEXT STEPS
Continued investigations by law enforcement and intelligence agencies should be conducted
in order to determine the individual members of DarkSide. Additionally, further efforts
should be made to determine whether the group has any connection to an adversarial state
actor. There are four possible options for policy considerations:
Option #1: The development and implementation of hacking back technology as an active
cyber defence (ACD) strategy in order to deter future cyber-attacks.
Option #2: Individual businesses invest more resources into strengthening and building upon
their existing cybersecurity framework.
Option #3: Do nothing, while continuing to monitor the situation to come up with a more
suitable solution to address the evolving hacking technologies.
Option #4: Increased collaboration between the public and private sectors to promote the
expansion of system-wide cybersecurity capabilities to secure critical infrastructure.

RECOMMENDATIONS
A combination of individual companies investing more heavily in their cyber defence (Option
#2) and increased collaboration between the public and private sectors on cybersecurity
(Option #4) would potentially be the most effective and efficient steps to protect industry and
critical infrastructure from cyber-attacks moving forward. By investing in their cyber
defence before suffering from an attack, firms can possibly protect themselves from the even
higher reputational and revenue costs that may occur from a malicious cyber-attack (Emsisoft
Malware Lab, 2019; Beyeler et al., 2012; Mossburg et al., 2016). Additionally, increased
collaboration on cybersecurity between the public sector and private companies could
promote technology sharing and system-wide protection to help ensure security for industry
and critical infrastructure. This also has the capacity to facilitate cybersecurity technology
sharing between different companies.
Although undertaking offensive ACD has been shown by some researchers to be effective in
deterring future attacks and less expensive than passive cyber defence, at the moment, there
are technical, legal, and ethical issues that remain unresolved for private companies to
conduct ACD (Broeders, 2021). Most importantly, hacking of any form remains illegal in
Canada and many other countries around the world (United Nations Conference on Trade and
Development, n.d.). Doing nothing (Option #3) after suffering from a cyber-attack would
leave a company in the same vulnerable state that they were in, knowingly or unknowingly,
before the attack occurred.
Appendix
Screenshots from DarkSide's website allegedly showing leaked data from various companies

Figure 1: [screenshot not reproduced] Source: DarkSide website

Figure 2: [screenshot not reproduced] Source: DarkSide website

References
Barrett, B. (2020, August 26). Ransomware has gone corporate—and gotten more cruel. Wired. https://www.wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/
Beyeler, W.E., Andjelka, K., Michael, M., & Syed, A.M. (2012, November 1). Copy of a model: How cyber-attacks affect brand value in the financial industry. U.S. Department of Energy Office of Scientific and Technical Information. https://www.osti.gov/biblio/1141054-copy-model-how-cyber-attacks-affect-brand-value-financial-industry
Broeders, D. (2021). Private active cyber defense and (international) cyber security—Pushing the line? Journal of Cybersecurity, 7(1), 1-14. https://doi.org/10.1093/cybsec/tyab010
Canadian Centre for Cyber Security (2020, November 16). Cyber threats to Canadian organizations. Government of Canada. https://cyber.gc.ca/en/guidance/cyber-threats-canadian-organizations
Demy, T. J., Lucas, G. R. Jr., & Strawser, B. J. (2014). Military ethics and emerging technologies. Routledge.
Dun & Bradstreet. (n.d.). Company profile: Colonial Pipeline Company. https://www.dnb.com/business-directory/company-profiles.colonial_pipeline_company.11bf157f4e91ff2d98b81cdf484d9f24.html
Emsisoft Malware Lab (2019, December 12). The state of ransomware in the US: Report and statistics 2019. Emsisoft. https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/
Isidore, C. (2021, May 11). American Airlines has to add fuel stops after pipeline shutdown. CNN Business. https://www.cnn.com/2021/05/11/business/american-airlines-fuel-stop-colonial-pipeline-shutdown/index.html
Jowers, K. (2021, May 12). Some military bases limiting gas purchases, encouraging telework in wake of pipeline shutdown. Military Times. https://www.militarytimes.com/pay-benefits/2021/05/11/some-military-bases-limiting-gas-purchases-encouraging-telework-in-wake-of-pipeline-shutdown/
Mossburg, E., Gelinne, J., & Calzada, H. (2016). Beneath the surface of a cyberattack: A deeper look at business impacts. Deloitte. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-risk-beneath-the-surface-of-a-cyber-attack.pdf
National Cyber Awareness System (2021, May 11). DarkSide ransomware: Best practices for preventing business disruption from ransomware attacks. Cybersecurity & Infrastructure Security Agency. https://us-cert.cisa.gov/ncas/alerts/aa21-131a
Porter, T. (2021, May 12). More than 1,000 gas stations ran dry, with massive lines, after a cyberattack knocked the crucial fuel pipeline to the East Coast. Business Insider. https://www.businessinsider.com/1000-gas-stations-run-dry-after-colinial-pipeline-hack-2021-5#
Rapier, R. (2021, May 11). Panic buying is causing fuel shortages along the Colonial Pipeline route. Forbes. https://www.forbes.com/sites/rrapier/2021/05/11/panic-buying-is-causing-gas-shortages-along-the-colonial-pipeline-route/?sh=31e5c5916b49
Russon, M. (2021, May 11). US fuel pipeline hackers 'didn't mean to create problems'. BBC News. https://www.bbc.com/news/business-57050690
Saefong, M.P., & Watts, W. (2021, May 11). Oil settles higher as traders eye gasoline demand and Colonial Pipeline developments. MarketWatch. https://www.marketwatch.com/story/oil-prices-fall-on-expectations-colonial-pipeline-outage-will-be-temporary-11620736029
Tucker, E., Bussewitz, C., & Suderman, A. (2021, May 10). FBI says DarkSide behind Colonial Pipeline cyberattack. Global News. https://globalnews.ca/news/7850481/fbi-colonial-pipeline-cyber-attack/
Turton, W., Riley, M., & Jacobs, J. (2021, May 13). Colonial Pipeline paid hackers nearly $5 million in ransom. Bloomberg. https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom
United Nations Conference on Trade and Development. (n.d.). Cybercrime legislation worldwide. https://unctad.org/page/cybercrime-legislation-worldwide