The Colonial Pipeline Company has managed the supply of fuel to the US east coast for more than 50 years. Completed in 1964, the company’s 5,500-mile tunnel carries millions of barrels of petrol, diesel and kerosene between Texas and New York each day. But on 7 May, the company paused operations. It had been hit by a cyber attack that would lead to fuel shortages across the country and, ostensibly, a reckoning for cybercriminals around the world.
The hackers didn’t overpower the software that controls the pipeline. They didn’t need to – the company’s billing system appears to have presented a softer and equally effective target. Executives reportedly turned off the fuel supply because they wouldn’t have been able to charge their customers correctly had they kept the gas flowing. They proceeded to pay a ransom demand of nearly $5m. It took more than a week for the pipeline to return to normal capacity.
Less than seven days after the breach, the Darkside cybercrime gang blamed for the attack announced it would also cease operating. In a statement it said it had lost access to two key servers, one of which had included victims’ payments, after an undisclosed law enforcement agency intervened. “In view of the above and due to the pressure from the US, the affiliate programme is closed,” Darkside said in remarks that have been translated from Russian. “Stay safe and good luck.”
On the same day, Babuk – another major ransomware vendor – announced it would also be winding down certain parts of its operations. According to threat analysis published by the security firm Intel 471, the group said it would pass on the code behind its ransomware to another team. Babuk also encouraged other ransomware vendors to move further underground. Cybercrime forums, on which hackers discuss vulnerabilities and software, have banned ransomware vendors in an attempt to curb negative publicity.
Within the cybercrime community, this de-escalation is seen to have been motivated by pressure from the Russian government, said Mike McGuire, a cyber criminologist at the University of Surrey. President Joe Biden had said he would speak to Vladimir Putin about the Colonial Pipeline attack, given there was evidence it had been launched from inside Russia, and McGuire believed this is likely to have led to a local intervention.
A former senior UK security official told the New Statesman they also believed the Russian government was likely to have played a role in Darkside’s about-turn, and that pressure may have come from the cybercrime community itself. “Parts of the criminal underworld may feel they are causing too much trouble,” the former security official added.
Another factor is likely to have influenced how events unfolded: Darkside’s desire to take the money and run. “Most likely, it’s a scam, they’re feeling the heat, and they’re dismantling things and will be back,” said the former official.
Alan Woodward, a cyber security expert who advises Europol, also suggested that the Colonial Pipeline attack may have been an exit scam. “I think they’ll rebrand and come back.”
None of the security experts who spoke to the New Statesman said they believe that recent events are likely to lead to a permanent drop in the number or severity of attacks, however.
“They can still operate freely out of Russia, still exploit aspects of infrastructure, and still make a fortune,” said the former security official. “The challenge is to break part of that vicious circle.”
The Colonial Pipeline wasn’t the only high-profile organisation to have fallen victim to ransomware in recent days. Last week, the Irish health service was also breached in an attack that officials have said has caused tens of millions of pounds‘ worth of damage.
The obvious solution to these issues is to develop more robust security measures to protect critical national infrastructure, such as healthcare and energy providers. After the WannaCry attack forced doctors to cancel tens of thousands of operations across the NHS in May 2017, the UK government made a major investment in the health service’s cyber defences. It has so far avoided another such attack.
But another more contentious policy proposal has gained traction in recent months. In February, Ciaran Martin, the founding chief executive of the National Cyber Security Centre, called for a review of the law that allows insurers to subsidise their clients’ ransom payments.
“I see this as so avoidable. At the moment, companies have incentives to pay ransoms, to make sure this all goes away,” he said at the time. “You have to look seriously about changing the law on insurance and banning these payments, or at the very least having a major consultation with the industry.”
McGuire agreed, warning that “the insurance industry is propping up the cyber security failings of a lot of these companies. There are attitudes there that are slightly lackadaisical: ‘We can afford it, we will pay it, and anyway we will get our money back from the insurance company.’”
Following pressure from regulators, the French insurance giant Axa made history last week by pledging to no longer refund new clients’ ransomware payments. Unless fellow insurers are encouraged to follow suit, attacks such as those on the Colonial Pipeline are likely to continue.