UPDATE: Adds information on CISA-FBI joint advisory on DarkSide released this evening.

WASHINGTON: CISA, the agency charged with heading up federal government cyber defense of domestic networks, is still “waiting for additional technical information on what exactly happened at Colonial,” Acting Director Brandon Wales told Congress this morning.

“We received some information fairly quickly in concert with the FBI,” Wales told the Senate Homeland Security and Government Affairs Committee, but that was days ago.

Four days after the ransomware attack on Colonial Pipeline, which has paralyzed the transport of a significant volume of East Coast fuel supplies, CISA still does not have key information the agency could use to communicate how to detect and mitigate additional cyberattacks using the same ransomware variant that hit Colonial.

CISA often uses such information to inform government agencies, industry, and the public about ongoing or potential future cyberattacks, such as an alert developed using data from an energy pipeline incident last year. Wales told the committee that CISA was brought in on the Colonial Pipeline cyber incident by the FBI.

Asked by Sen. Rob Portman whether he believes Colonial would have contacted CISA directly for assistance if the FBI had not brought in CISA, Wales said, “No.”

“Do you think that’s a problem?” Portman asked.

“I think there’s a benefit when CISA is brought in quickly because the information we glean we work to share it in a broader fashion to protect other critical infrastructure.”

UPDATE BEGINS Despite a lack of Colonial-specific incident information, CISA issued an alert this evening for a new CISA-FBI joint advisory that details what is known about DarkSide and how organizations can mitigate DarkSide ransomware attacks.

The joint advisory urges critical infrastructure owners and operators to “adopt a heightened state of awareness” and apply the provided mitigations, including “implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections.” UPDATE ENDS

Companies are not required to share threat intelligence or forensic data with CISA, but there’s been a growing push by Congress and several administrations to encourage better information sharing between the public and private sectors. There’s broad consensus in the cybersecurity community that improved info sharing is key to effective national cyber defense, especially because over 80 percent of critical infrastructure in the US is owned and operated by the private sector.

One sign of the growing disquiet on the Hill about the paucity of shared information is that the powerful chairman of the Senate Intelligence Committee, Sen. Mark Warner, says he’s drafting a bill that will likely include “mandatory reporting” on cyber incidents and public-private cyber threat intelligence sharing.

Meanwhile, Colonial’s pipeline wasn’t the only thing down today. The company’s website repeatedly crashed throughout the morning and remained down for most of the afternoon.

Colonial last posted an update (at least that Breaking Defense could access) just before 8 p.m. yesterday, in which the company said that “Line 4, which runs from Greensboro, N.C., to Woodbine, Md., is operating under manual control for a limited period of time while existing inventory is available.”

The company reiterated that “while our main lines continue to be offline, some smaller lateral lines between terminals and delivery points are now operational as well.”

Energy Secretary Jennifer Granholm said today during a White House press briefing that Colonial should have the pipeline “substantially operational by the end of this week and over the weekend.”

In the meantime, many states are reportedly experiencing fuel shortages and rising prices. The US government “will have no tolerance for price gouging,” Granholm said in the White House briefing.

The Environmental Protection Agency also today issued an “emergency fuel waiver” in D.C. and some states affected by potential shortages. “EPA has waived the federal Reid vapor pressure requirements for fuel sold in Reformulated Gasoline areas of District of Columbia, Maryland, Pennsylvania, and Virginia to facilitate the supply of gasoline,” the statement said. The waiver means suppliers can deliver winter fuel blends to ease shortages and will continue through May 18.

Pentagon spokesman John Kirby told a press briefing yesterday that “there is no immediate mission impact” on DoD resulting from the pipeline shutdown. “The Defense Logistics Agency is monitoring inventory levels, and we’re awaiting updates from Colonial Pipeline,” Kirby said. “There’s sufficient inventory on hand for downstream customers.”

The FBI confirmed in a two-sentence statement that DarkSide ransomware was used in the Colonial attack. As reported yesterday, DarkSide is a ransomware-as-a-service (RaaS) cybercriminal group believed to be operating out of Eastern Europe, with potential elements inside Russia, according to security researchers.

Part of DarkSide’s RaaS “business model” — essentially leasing its ransomware to other cyber actors to conduct cyberattacks — means that one of DarkSide’s “affiliates” could be the cyber actor ultimately behind the Colonial attack — using DarkSide’s ransomware. Such a scenario complicates attribution. However, there’s no known cyber threat intelligence or digital forensic evidence right now to confirm or rule out whether DarkSide or one of its affiliates conducted the attack on Colonial.

Following widespread speculation of a DarkSide-Russian government link, however oblique, Russia and DarkSide have now both denied any affiliation. Today, Russian President Vladimir Putin’s spokesman Dmitry Peskov told reporters that “Russia has nothing to do with these hacker attacks and had nothing to do with the previous hacker attacks. We categorically do not accept any accusations against us.”

DarkSide posted a statement online yesterday saying it does not work with any governments, declaring itself “apolitical,” profit-driven, and not interested in “creating problems for society.”

Last night, Sen. Angus King, co-chair of the Cyberspace Solarium Commission, took to the airwaves and urged US action. “We’re looking at the longest wind-up for a punch in the history of the world,” Sen. King told CNN, which is a line he’s used before. “We keep getting these wake-up calls, and we’re not waking up.”

“The sad truth is, cyber is cheap,” he added. “Putin can hire 8,000 hackers for the price of one jet airplane. So, what they’re doing, they’re going to keep doing now. We can quit being a cheap date. We can start responding. We can start imposing costs.”