Pipeline Phishing: Colonial Pipeline Ransomware Attack
By Rohyt Belani, CEO
We keep saying it. It almost always starts with a phish.
The latest news of the Colonial Pipeline ransomware attack is not surprising, but it is alarming. The incident is one of the most disruptive digital ransom operations ever reported and has drawn attention to how vulnerable U.S. energy infrastructure is to hackers, according to Reuters. What’s disconcerting to me as a security professional who has spent two decades in this industry is that no one ever talks about the root cause of these major breaches.
Instead, media and pundits talk about the symptoms and how those can be managed. It reminds me of when my now 10-year-old was a toddler suffering from eczema. Every doctor we met prescribed steroids and harsh medication; not one of them took a step back to understand what was causing the condition. And though incident response is only in its beginning stages, chances are this attack began with an email, and thus a phish, as is the case 90% of the time. Yet the average security department spends only 8% of its IT security budget on email security.
As we mentioned in the Cofense 2021 Annual State of Phishing Report, “we expect this trend of ransomware attackers leaking corporate data to force accelerated payment to continue, as it increases the pain for ransomware victims who may otherwise not pay. Organizations may be reputationally damaged by a data leak and, depending on laws and regulations, may be subject to fines and penalties.”
We weren’t wrong.
No matter how much automation drives a phishing campaign execution, behind every phishing attack is a threat actor. In this case: DarkSide. These adversaries understand what motivates and moves humans to action. They understand the power of social engineering, and how to outwit defense technologies and uneducated users. DarkSide, like many other attackers, finds or develops new malware and delivery tactics to stay ahead. Groups like this demand payment to decrypt the files and increasingly ask for additional money not to publish stolen content.
Phishing attacks are the single most common technique attackers use to compromise an organization. These attacks lead to ransomware, Business Email Compromise (BEC), credential theft and various other situations that increase risk to organizations. Reuters reported that in the Colonial attack, the hackers took more than 100 gigabytes of data.
Cofense believes there is a better approach. With a global network of 27 million people actively reporting suspicious emails, Cofense has the largest collection of phishing intelligence in the world. This intelligence is used to power our Computer Vision and Artificial Intelligence to stop phishing attacks fast. In fact, when configured to feed our auto quarantine capability, attacks seen in one Cofense customer environment, or for that matter anywhere by our Intelligence operations, can be searched for and removed in all other Cofense customer environments in close to real-time – a true network effect! Think Waze® for phishing detection.
At the end of the day, shifting left on the kill chain is what matters in ensuring that a cyber infection doesn’t turn into a full-blown data breach or disruption of service. Get real-world ransomware attack examples here and learn how to protect your organization.