Search

Colonial Pipeline Ransomware Attack - Cymulate Simulation

Fraser Wadsworth - Cyber Security Analyst, Satisnet

INTRODUCTION


On Friday 7th May 2021, Colonial Pipeline, one of the United States' largest pipeline operators, confirmed that their network had been compromised by an advanced ransomware attack courtesy of cyber gang, DarkSide.


Leading experts are saying that the attack is the worst cyber attack against U.S. infrastructure in history. It is speculated that DarksSide could be Russian - but this is yet to be confirmed - as their software avoids encrypting any computer software where the language is set to Russian.


Example of DarkSide ransomware:


The pipeline was vulnerable to attack as most of the operations for the pipeline are digital with all of the operational technology (OT) leading to one central system.

As this system is connected to various computers, it is possible that the attackers could have accessed an administrative machine through conducting a successful phishing campaign or exploiting an IoT device that was vulnerable on the network.



SIMULATING THE ATTACK WITHIN CYMULATE


Cymulate is an attack automation tool that can launch recon, email and web attacks, phishing campaigns, chain attacks, and ransomware. Through launching attacks, the tool gives visibility into the current exposure of exploitable vulnerabilities on the network. Remediation will be offered in the form of a report to help guide and prioritise resources.


Through the Immediate Threats Intelligence page within Cymulate, we can see pre-built attacks to launch based on current cyber security threats using the MITRE ATT&CK framework. From this page, we can see that an attack has been generated to simulate the ransomware that DarkSide launched against Colonial Pipeline.


From the report, we can see that the attack launched successfully against Satisnet’s test envrionments web gateway, and a remediation was recommended.



MICROSOFT DEFENDER RESULTS


Within Microsoft Defender, the attack is visible and automatically remediated. Defender gives a summary of what actions took place such as: Microsoft Defender Antivirus detects and removes the threat and gives some background into ransomware itself. Defender recommends running a full scan to find any other hidden malware once the ransomware has been detected, contained, and removed.