Colonial Pipeline Company’s fuel tanks in Baltimore, Maryland, USA. (Photo: AFP/VNA) US Department of Homeland Security (DHS) on May 27 issued new security guidance for owners and operators of fuel pipelines. This move follows a cyber attack on the company’s fuel pipeline system Colonial Pipeline , leading to gas supply disruptions on the US East Coast this month. Homeland Security Secretary Alejandro Mayorkas said: “The recent malware attack on a major fuel pipeline shows that the cybersecurity of pipeline systems is a critical factor. pivotal to the homeland security of the United States.” Under DHS, owners and operators of fuel pipeline Key players will be required to immediately report confirmed and probable cyber-attacks to the Department of Cybersecurity and Infrastructure Security under their respective jurisdictions. DHS (CISA), and appoint a cybersecurity coordinator available 24 hours a day and 7 days a week. The issuance of the new guidance also requires fuel pipeline owners and operators to review current cybersecurity measures to detect any vulnerabilities, as well as remedial actions if necessary. there is a risk of a cyber attack. They must notify this result to the Transportation Security Administration (TSA), a unit of DHA, and CISA within 30 days. The DHS statement said TSA is considering additional mandatory measures to enhance cybersecurity to protect the US fuel system. Previously, on May 7, Colonial Pipeline announced that it was attacked by ransomware and forced to close some systems. This incident caused a large-scale supply disruption, causing thousands of gas stations on the US East Coast to fall into shortages and gasoline prices to the highest level since 2017. The US government has issued an order. state of emergency in 17 states and Washington, D.C. After more than 1 week of being affected, the Colonial Pipeline oil pipeline has returned to normal operation. Colonial Pipeline has publicly confirmed paying a ransom to restore computer networks. Meanwhile, the US Federal Bureau of Investigation (FBI) identified DarkSide as the hacker group behind the attack.

Ransomware is a type of malware that encrypts the victim’s data. Cybercriminals using ransomware also often steal data. The hackers then demanded a payment to unlock the files and promised not to leak the stolen data. In recent years, hackers have targeted victims with cyber insurance policies, and large volumes of sensitive consumer data make them more likely to pay ransoms, according to cybersecurity experts. According to the unnamed source, CNA paid the hackers about two weeks after a bunch of company data was stolen and CNA officials were locked out of its own network. CNA does not comment on the ransom, with a CNA spokesperson saying CNA followed all laws, regulations and guidelines, including OFAC’s 2020 ransomware guide, in handling the matter. CAN also shares attack intelligence and hackers’ identities with the FBI and the Treasury Department’s Office of Foreign Assets Control because facilitating ransom payments to hackers can cause punishment risk. The largest ransom amount Ransomware attacks – and payments in particular – are rarely disclosed so it’s difficult to know what the largest ransom is. The $40 million payout is larger than any previously disclosed payments to hackers. The hackers attacking CNA used malware called Phoenix Locker, a variant of ransomware called ‘Hades.’ According to cybersecurity experts, Hades was created by a Russian cybercrime organization called Evil Corp. Evil Corp. was sanctioned by the United States in 2019. However, identifying attacks can be difficult because hacking groups can share code or sell malware to each other. CNA, which provides cyber insurance, said its investigation concluded that the Phoenix hacker group was not on the US sanctions list. The disclosure of the payment is likely to draw outrage from lawmakers and regulators who are unhappy that US companies are paying large sums of money to criminal hackers who over the past year have targeted hospitals, drug manufacturers, police forces and other entities critical to public safety. The FBI discourages organizations from paying ransoms because it encourages additional attacks and does not guarantee data will be returned. Last year was a standout year for ransomware groups, with a task force made up of security experts and law enforcement agencies estimating that victims paid around $350 million in ransom last year, up 311% compared to 2019. The Task Force suggested 48 actions the Biden administration and the private sector could take to mitigate such attacks, including better regulation of money markets. digital currency used to make ransom payments. The report, prepared by the Institute for Security and Technology, was delivered to the White House days before the Colonial Pipeline Company was compromised in a ransomware attack that resulted in fuel shortages and long lines at stores. gas stations along the US East Coast Bloomberg reported that Colonial paid hackers nearly $5 million shortly after the attack. Colonial CEO Joseph Blount, in an interview with the Wall Street Journal published Wednesday, confirmed that the company paid the hackers – $4.4 million in ransom. According to two people familiar with the CNA attack, the company initially ignored the hacker’s request and attempted to recover the data without negotiating with the criminals. But within a week, the company decided to start negotiating with the hackers, who were demanding $60 million. Residents said the payment was made a week later. According to Barry Hensley, chief intelligence officer at cybersecurity firm Secureworks Corp. then the Phoenix Locker seems to be a variation of Hades based on the overlap of the code used in each. He said they have not yet identified which hackers used the Hades variant to attack CNA. Cybersecurity firm CrowdStrike Holdings Inc believes Hades was created by Evil Corp. to bypass US sanctions against the hacking group. In December 2019, the Treasury Department announced sanctions against 17 individuals and six entities associated with Evil Corp. At the time, the Treasury Department said Evil Corp used malware “to infect computers and collect login information from hundreds of banks and financial institutions in more than 40 countries, causing more than 100 million dollars of theft. “It is illegal for any U.S. company to knowingly pay a ransom to Evil Corp. According to Melissa Hathaway, President of Hathaway Global Strategies and a former cybersecurity adviser to Presidents George W. Bush and Barack Obama, demand for ransomware has grown exponentially over the past six months. Hathaway said the average hacker’s ransom demand is between $50 million and $70 million. Those claims are often negotiable, and companies often pay ransoms in the tens of millions of dollars, in part because cyber insurance policies cover some or all of the costs. Hathaway estimates that the average payout is between $10 and $15 million. Ngoc Linh – According to Insurance Journal

Illustration. https://tinhtexaydung.petrotimes.vn According to GasBuddy, about 30% of all retail gas stations in North Carolina, South Carolina and George are out of gas. Virginia and Tennessee are also experiencing significant blackouts. Colonial Pipeline’s main pipeline transporting gasoline and diesel to the US East Coast has been shut down, following a ransomware attack earlier this month. More than a thousand fuel stations in the Southeast have run out of petrol and diesel due to panic buying and pipeline closures. Even people in Texas, in the Rio Grande Valley, are flocking to gas stations to fill up with fuel, when news of gas stations running out of fuel. Colonial Pipeline paid almost $5 million in ransom in the form of a cryptocurrency to the hackers. But 2 weeks after shutting down, some gas stations are still shutting down. In Georgia, according to AAA data, the average price of a gallon of regular retail gasoline was $2,944 as of May 20, up from $2,708 a month before the pipeline failure. In North Carolina, the average price for gasoline is $2,929 per gallon, compared with $2,627 a month ago. According to Reuters, U.S. gasoline consumption is nearing pre-pandemic levels and is now down just 4% in the four weeks since May 14 from the five-year pre-pandemic average. https://tinhtexaydung.petrotimes.vn

Colonial Pipeline’s Dorsey hub in Maryland, USA. Photo: Reuters The difficulty in fuel supply has raised concerns that gasoline prices at pumping stations will escalate during the peak summer travel season. Colonial Pipeline said the company is trying to resume operations this weekend after its fuel pipeline system was paralyzed since May 7 after being hit by a cyber attack. The shutdown of the Colonial Pipeline’s fuel pipeline system shut down nearly half of the US East Coast’s fuel supply. The US Energy Administration on May 10 called for mandatory cybersecurity standards for fuel pipeline operators and operators. “Incentivizing the voluntary application of standards to pipelines is inadequate,” said US Federal Energy Regulatory Commission Chairman Richard Glick. The US Federal Bureau of Investigation (FBI) has accused a cybercriminal group called “DarkSide” of causing a ransomware attack on Colonial Pipeline. Reuters news agency quoted cybersecurity experts as saying that DarkSide is based in Russia or Eastern Europe, so the gang usually avoids targeting computers that use the languages ​​of the former Soviet republics. However, US President Joe Biden on May 10 expressed he did not believe that the Russian government was behind the cyber attack on the Colonial Pipeline. “So far there is no evidence based on our intelligence that Russia is involved,” Biden said. A statement titled DarkSide group on May 10 stated: “Our goal is to make money and not create problems for society.” Ransomware attack is a type of malware designed to disable computers by encrypting data and blackmailing victims if they want to regain system access. It is not clear what price the hackers offered for Colonial Pipeline, and the company has not commented on the matter. Fuel demand in the southeastern United States has increased sharply in recent days as consumers fear fuel shortages. The Southeastern region of the United States has long depended mainly on the supply of fuel flowing through the Colonial Pipeline’s pipeline system. The average national gasoline price rose 6 cents to $2.96 a gallon last week, the highest since May 2018 and close to a peak set in 2014, the American Automobile Association said. also warned of speculation about fuel hoarding as the supply continued to decrease. Katina Willey, a resident of Florida on May 10, said she had to go to 5 gas stations to buy gas. “Consumers have to wait in long lines at three of the five gas stations I go to,” added Katina Willey. Many other car owners said they were also looking to refill their gas tanks out of fear that the fuel situation could worsen. If the Colonial Pipeline’s pipeline disruptions continue, fuel suppliers may be able to force fuel transportation by trucks and trains to partially ease the fuel shortage. The US Department of Transportation on May 9 lifted travel restrictions for fuel truck drivers in 17 states affected by supply disruptions.

Illustration. The breach at Alpharetta, Georgia-based Colonial Pipeline is the latest in a series of cybersecurity incidents confronting the administration of President Joe Biden – as well as a striking reminder that many companies Operators of the nation’s most basic infrastructure, from dams to power plants, are still unprepared to deal with the threats posed by toxic numbers. Here’s a summary of how a criminal gang managed to get into Colonial’s systems and why the tool they use – ransomware – is such a persistent threat. How can a hacker shut down a pipeline? On May 7, Colonial Pipeline said it learned that hackers had infected their computer networks with ransomware, malicious code used to take control of computers and extract payments from victims. The breach affected Colonial’s business network, which it uses for tasks like payroll management and data reporting to regulators. Colonial disabled those systems, but it also turned off the much more sensitive technology running its pipeline operations — a precaution meant to prevent hackers from accessing it if they hadn’t already. These systems monitor air flow for impurities and leaks, control power levels, and perform other automated tasks to keep pipelines running smoothly. What exactly was closed? Colonial shut down its entire main pipeline, more than 5,500 miles long from Houston, Texas, to Linden, New Jersey. The pipeline transports 45% of gasoline, jet fuel and diesel to the US East Coast, according to the company. The short-lived outage sent wholesale gas prices up on financial markets in the affected region, but that rally cooled slightly during trading on May 10. And while some gasoline retailers may try to add a few cents a gallon to the price at the pump, there have been no reports of shortages at suppliers serving those retail points. Market analysts say the pipeline shutdown will need to last through at least the middle of the week to start affecting supply in some parts of the Southeast, and Houston’s refineries won’t start. reduce production unless Colonial shuts down until next week. Overall, the US is stockpiling 235 million barrels of gasoline, enough to supply the whole country for nearly a month. However, retail gasoline prices have risen steadily in recent weeks and any anxiety could accelerate gains as the country approaches Memorial Day weekend, which the industry considers is the beginning of the “summer driving season” in high demand. How bad could this be? It depends on whether the outage turns into a protracted crisis for Colonial’s customers, which include busy airports and US military bases. Some customers can buy fuel from foreign suppliers, but they will face more financial pressure as Colonial’s pipeline network remains offline. Colonial said on May 10 that it has begun reactivating segments of the pipeline and anticipates “significantly restoring operational service by the end of the week”. However, they did not explain what “basically” means and did provide some other details about the attack investigation. What is Ransomware? Ransomware is software that hackers deploy to lock down victims’ data so they can’t access or use it – in the worst case scenario, essentially shutting down an entire company or government office. The hacker then demands a ransom in exchange for providing a digital key to unlock the files. Over the past few years, ransomware has grown from an occasional nuisance to a ubiquitous threat. Victims include the hospital system, the school district and the DC police department, as well as many small businesses. According to the FBI report, ransomware attacks increased by 37% from 2018-2019 and 20% from 2019-2020. According to one report, the pandemic has led to a significant increase in ransomware, with the number of attacks Attacks more than doubled year-on-year, with a particularly large increase in the healthcare sector. The Department of Justice recently launched a task force to explore new solutions to the problem. But in the meantime, the problem continues to get worse as criminal motives grow. Why aren’t pipelines and power plants better protected against ransomware? The private companies that operate much of America’s critical infrastructure — power plants, dams, natural gas pipelines, and other critical facilities — often neglect to implement safety protocols. government-recommended cybersecurity. While protecting against foreign government hackers sometimes requires complex technology that small critical infrastructure operators cannot afford, protecting against ransomware is are not. Use strong passwords, train employees not to click on suspicious links, and require employees to use multi-factor authentication – which involves entering a randomly generated number after entering one’s password – can prevent all but the most advanced types of hacks, including ransomware. Despite years of warnings from government officials and cybersecurity experts, most companies outside of the highly regulated financial sector have not taken many of these steps. And even organizations that try to take cybersecurity seriously can be covered by small holes. A long-neglected office worker or old computer in a closet is often the weak link that opens an organization’s doors to hackers. With so many companies leaving themselves with easy targets, many cybercriminals have started using ransomware to make money. By choosing victims they know there can be no downtime, these criminals virtually guarantee themselves an easy profit. Additionally, many ransomware operators have begun exploiting a secondary source of profit: reselling stolen data on the dark web, where sensitive personal information can fetch huge sums. Between victims and hackers is a burgeoning crypto ecosystem, consisting of unscrupulous payment facilitators ready to handle ransom transactions and rock wall law enforcement. How often do victims pay the ransom? The US government discourages ransomware victims from paying attackers to regain access to their data. While some ransomware operators honor their agreements and unlock victims’ files to foster trust and increase their chances of receiving a future ransom, many of these criminals simply take the money and disappear. Paying the ransom also encourages cybercriminals to continue their attacks. Anne Neuberger, deputy national security adviser for cyber and emerging technologies, said: “We recognize that victims of cyberattacks often face very difficult situations and they must balance the cost-benefit when there is no other option about paying the ransom,” – told reporters on May 10 In the US, it is not illegal to pay a ransom to regain access to locked data. However, it is illegal to pay ransoms to entities on the Treasury’s sanctions list, and the Treasury Department has warned companies that assist ransomware victims to conduct due diligence on hackers. before making payment arrangements. DarkSide, what is the group behind the attack? The FBI has confirmed that the Colonial Pipeline hack was the work of the DarkSide ransomware gang. This group is a relatively newcomer to the ransomware ecosystem, but they are already well known for their professionalism, patience, and large ransom demand. Security firm Cybereason wrote in a report last month: “The team has a phone number and even a help desk to facilitate negotiations with the victim, and they are putting a lot of effort into gathering information. about their victims – not just technical information about their environment, but more general information about the company itself, like the size of the organization and estimated revenue.” DarkSide is based in Russia, but so far the US has said it does not believe the hackers acted on behalf of the government of Russian President Vladimir Putin. Mr. Biden said on the afternoon of May 10: “To date, there is no evidence … from our intelligence people that Russia is involved. However, he added: “There is evidence that the actor’s ransomware is in Russia. They have some responsibility to deal with this.” Like other ransomware gangs, DarkSide operates on a so-called “ransomware-as-a-service” model, in which it provides code to less sophisticated hackers and helps them carry out attacks enter in exchange for their share of the profits. After being closely watched by the Colonial Pipeline attack, DarkSide seems to be rethinking this model. On May 10, a purported statement from the DarkSide hackers announced the group’s intention to scrutinize the partners’ planned attacks in the future to “avoid social consequences.” festival”. “Our goal is to make money, and not create problems for society.” What is the US government doing with this attack? The White House has established a working group that includes the Department of Homeland Security’s Cybersecurity and Infrastructure Agency; The Department of Transport’s Pipeline and Hazardous Materials Safety Administration; FBI; and the Departments of Energy, Treasury and Defense. These agencies are working together to prepare for various scenarios should the pipeline remain shut, including planning for shortages and higher gas prices. In addition, the Department of Transportation waives regulations that limit the driving time without rest of fuel trucks in 17 states and Washington DC. That could make it easier to deliver to customers due to Colonial’s closure.

Illustration. The hack brought down the pipeline, now in its sixth day, and led to panic buying and gas shortages in the Southeastern United States. Colonial said it began reopening its pipeline late Wednesday afternoon, a process that could take days, but declined to comment on the ransom issue. Colonial is working closely with law enforcement, the Department of Energy, and US cybersecurity company FireEye to minimize damage and restore operations. Colonial and government responses to the breach are being closely watched following one of the most direct hacking attacks on US critical infrastructure after years of warnings. Ransomware attacks have increased in number and ransom prices, with hackers encrypting data and seeking cryptocurrency payments to unlock. Investigators in the Colonial case say the malware was distributed by a gang known as DarkSide, which consisted of Russian-speaking people and evaded attack targets in the former Soviet Union. DarkSide previously said that it has no intention of meddling in geopolitics and will be more careful about its affiliates going forward. On Wednesday, the group said on its website that it was “dropping” data from three other victims, including a technology company in Chicago. Officials have so far found no significant connection to the Russian government, concluding instead that the pipeline company that supplies 45% of the US East Coast’s oil was crippled by the attack. ransomware. DarkSide allows “affiliates” to infiltrate targets in different places, then handle ransom negotiation and data release. Two people involved in the Colonial investigation said the man linked in this case was a Russian criminal with no special ties to the government.