Today, Explained - How America’s gas got hacked

Episode Date: May 12, 2021

The largest-known ransomware attack on American energy infrastructure is driving up gas prices and creating shortages. Wired's Lily Hay Newman says Colonial Pipeline might be a turning point for cyber...security. Transcript at vox.com/todayexplained. Support Today, Explained by making a financial contribution to Vox! bit.ly/givepodcasts. Learn more about your ad choices. Visit podcastchoices.com/adchoices

Transcript
Starting point is 00:00:00 The all-new FanDuel Sportsbook and Casino is bringing you more action than ever. Want more ways to follow your faves? Check out our new player prop tracking with real-time notifications. Or how about more ways to customize your casino page with our new favorite and recently played games tabs. And to top it all off, quick and secure withdrawals. Get more everything with FanDuel Sportsbook and Casino. Gambling problem? Call 1-866-531-2600.
Starting point is 00:00:23 Visit connectsontario.ca. You know, every now and then when you look at your phone or you turn on the news or you're listening to the radio or something and you hear that the country's been hacked and you're kind of like, oh, that's concerning. And then you're kind of like, what do I do with this information? And then you just go back to like boiling your spaghetti or whatever you're doing. There was one of those this past weekend that was a little harder to ignore because it was about gas. And tonight, the governors of North Carolina, Georgia, and Virginia have all declared states of emergency.
Starting point is 00:01:04 Now, all of this comes after a ransomware attack targeted Colonial Pipeline and forced the company to shut down over the weekend, essentially turning off the tap for thousands of gas stations. People started panicking. Most of the gas stations by my house are completely closed. It's traffic jams, long lines. I was just shocked, you know?
Starting point is 00:01:27 And that panic started driving up gas prices. But the suspension in the pipeline's operations has caused gas prices to tick up across the affected region. If this outage goes past the end of the week, prices could spike pretty dramatically. And creating shortages. There has been a line here for hours. In fact, we've been driving all throughout the area today, and the only gas stations where we have not seen
Starting point is 00:01:52 lines are those pumps that are empty. But you can't really blame people for panicking. This was the biggest known ransomware attack on America's energy infrastructure like ever. The Colonial Pipeline is pretty huge. It's 5,500 miles and runs from Texas to New Jersey. So conveying oil and natural gas all up and down that corridor and, you know, all up the East Coast and delivering about, I think, a little less than half of all of that fuel. So for the East Coast, this is the pipeline to worry about. Lily Hay Newman is a senior writer at Wired. We asked her what exactly happened this past weekend. Yeah, so this is a pretty classic ransomware attack. But crucially, this targeting
Starting point is 00:02:48 was of Colonial Pipeline's business networks, like the, you know, the front office or the, you know, sort of daily enterprise network. You know, they weren't targeting the industrial control systems that control the pipeline. But the concern with ransomware is that it's built to spread. So even in critical infrastructure where networks are very separated from each other, very segmented, and there are protections in place to keep anything from spilling anywhere else, there's still concern. And what you don't want to happen is somehow for the ransomware to worm its way in to your pipeline systems, industrial control systems, and have the pipeline locked up by the malware. But the company, out of an abundance of caution and wanting to be very careful about the security of this critical infrastructure component, took down all of their networks, all of their systems to ensure that there wasn't any sort of ransomware cross-contamination
Starting point is 00:04:06 or anything getting out of their control. Okay, so hackers break into Colonial Pipeline's business side. They did not hack the pipeline itself, but the hack spooks Colonial enough to the point where they're like, shut the whole operation down, which leads to all this panic. The group of individuals behind the attack call themselves DarkSide. Who is DarkSide? DarkSide is a ransomware for hire service. And unfortunately, that is pretty common because the ransomware industry, you know, quote unquote, scare quotes, industry is very large, massive, you know,
Starting point is 00:05:01 similar to how we don't know that much about critical infrastructure necessarily, most of us also probably don't know about, you know, the enormous amount of ransomware gangs that have, you know, are not only causing a lot of attacks, but also have really professionalized. And DarkSide, the group that hit the Colonial Pipeline, is a great example of an organization that leases out their ransomware, provides sort of consulting services to clients who want to run their own ransomware attacks. They, you know, provide development on the malware, but also they have like helplines, hotlines. What?
Starting point is 00:05:41 Yeah, they're very organized. Hello, this is DarkSide. Who would you like to hack today? They're running like a temp firm for hacking America. Providing for all their clients' needs. You know, in this case with the Colonial Pipeline and in general with ransomware for hire groups, the question becomes who exactly ordered the attack and who chose the target? Because it gets kind of murky since maybe it was DarkSide itself, maybe it was one of the clients, and it's hard to know in this situation
Starting point is 00:06:21 who exactly was behind the attack. But DarkSide is, they're an interesting group. They have shown that they're very concerned about their public image. They seem to essentially have a PR department that releases statements about their corporate culture and what targets they will and won't hit. And, you know, they're trying to sort of convey that they have morals and standards. They said early on when they emerged in August 2020 that they won't hit hospitals, universities. And with the Colonial Pipeline incident, they're now sort of seemingly trying to imply with a public statement that, you know, this wasn't really them.
Starting point is 00:07:10 It was like a rogue actor. They made a comment about we're going to take additional precautions to ensure that our clientele doesn't do this type of targeting. And it's probably because they're really trying to, in all of this, manage their image and keep a low profile, even as they're demanding massive ransoms, because they don't want to call too much attention to themselves. And it seems like now they're concerned that they have because of this incident. Like this is bad publicity for this very illegal thing that they had a part in? Yeah, come on, aren't you keeping your illegal, massive global crime syndicate on the down low? I wish. I'm just here making a podcast in a closet, you know? They also had this idea to even try to give to charities. So they tried to give a little more than 0.8 Bitcoin, I believe, so less than one Bitcoin, to Children International and The Water Project,
Starting point is 00:08:16 and then posted, like, tax receipts, you know, so you can deduct your charitable giving. What? I'm so confused. This is a ransomware firm that goes after our infrastructure for money, which is a crime. And they're donating money to charities? Yeah, like, I just want to be super clear. This is all a crime. Like, none of this is okay. Nothing, no amount of donating or choosing your targets carefully or only choosing targets who can afford to pay makes any of this okay. Very, very fascinating public image management from them. Do we know what kind of clientele DarkSide has? Are they like,
Starting point is 00:09:14 you know, contracting out temps to North Korea, to Russia, to Iran? Or is this more like an underground situation? Yeah, so certainly not anyone can approach DarkSide. You know, we probably can't call now and, you know, pay to launch a ransomware attack. Hi, yeah, I'm calling because my ex moved to Australia to work remotely. And I don't know, do you think we could shut down the internet in Australia for a week? How much would that cost? Seemingly, the vast majority of their clients or possibly all of their clients are financially motivated criminal actors. Excuse me. I'd like to start by saying a few words about the ransomware cyber attack currently impacting Colonial Pipeline. And the federal government seems particularly concerned here because of the implications on our energy infrastructure, on gas prices.
Starting point is 00:10:07 The agencies across the government have acted quickly to mitigate any impact on our fuel supply. Beginning on Tuesday, I definitely started to see indications that long lines at the pump and price increases seem to be related to this incident. But obviously, you know, especially in terms of prices, some trends began before this attack even happened. You know, I don't want to sort of over-index so soon. But certainly, both state governments and the federal government are taking a lot of steps, including issuing emergency orders about how you can transport fuel, allowing more trucking and vehicles to move fuel, things like that. Right. The latest I've heard is that Colonial will announce plans to reopen the pipeline today, Wednesday. What happens in the meantime while people are dealing with these shortages and, you know, panic buying gas? We just really go to a lot
Starting point is 00:11:22 more reliance on using vehicles to move fuel. I think typically, there's, you know, very specific limits on how many vehicles can be moving what volume of, you know, oil at a given time, you know, trying to reduce the possibility of, you know, crashes or other dangerous situations. And in still a controlled and supervised way, the federal government is saying, okay, we got to go to our contingencies and, you know, carefully increase the number of trucks that are moving fuel to fill stations. Okay. So what I'm getting from you, Lily, is this was sort of like a par for the course ransomware hack that happened over the weekend
Starting point is 00:12:11 that has now blown up unintentionally so big that it has disrupted the entire natural gas, oil, fuel infrastructure of this country and could have just dramatic implications for prices, for safety, for people heating their homes, cooking, who knows? Yeah, correct. And I think what's a bit sad about the situation to me is that while this is a catastrophic situation that has every right to be the turning point, it's sad to me that we've actually had a lot of really dramatic, impactful, destructive, you know, criminal
Starting point is 00:12:54 ransomware attacks that somehow were not that turning point. Hackers are targeting hospitals and healthcare providers in what cybersecurity experts believe to be a massive attack. And this is in the middle of a pandemic, days before the election. Certainly these attacks could not come at a worse time. All of these hospital attacks, including the rash of attacks in October 2020, amidst the pandemic. You know, it's the middle of a pandemic. On top of that, healthcare workers and patients are now having to deal with, you know, their hospital or their healthcare provider going to back up paper systems, delaying surgeries, all sorts of stuff
Starting point is 00:13:37 because of just criminal, you know, profit-seeking ransomware attacks. And those, I don't want to say no one took notice of those incidents or they were completely ignored, but even that ended up not really feeling like the turning point. It just felt like more of the same. And so it's not to diminish the Colonial Pipeline attack. It's just disheartening that it took so long to get to this point. And we don't even know. We have to see if the urgency really takes hold and this truly becomes a top priority after this incident. We didn't know if those would. They didn't. We don't know if this will, but it certainly seems to be affecting more people and upsetting more people, so it might.
Starting point is 00:14:30 Right. And people really don't like paying more for gas, so maybe that's the ticket. Quick break, and then we'll hear from a guy whose job it is to protect companies from all these kinds of ransomware attacks. Support for Today Explained comes from Ramp. Ramp is the corporate card and spend management software designed to help you save time and put money back in your pocket. Ramp says they give finance teams unprecedented control and insight into company spend. You can go to ramp.com/explained. ramp.com/explained. R-A-M-P dot com slash explained. Cards issued by Sutton Bank, member FDIC. Terms and conditions apply. BetMGM, authorized gaming partner of the NBA, has your back all season long.
Starting point is 00:16:09 From tip-off to the final buzzer, you're always taken care of with a sportsbook born in Vegas. That's a feeling you can only get with BetMGM. And no matter your team, your favorite player, or your style, there's something every NBA fan will love about BetMGM. Download the app today and discover why BetMGM is your basketball home for the season. Raise your game to the next level this year with BetMGM, a sportsbook worth a slam dunk, an authorized gaming partner of the NBA. BetMGM.com for terms and conditions.
Starting point is 00:16:41 Must be 19 years of age or older to wager. Ontario only. Please play responsibly. If you have any questions or concerns about your gambling or someone close to you, please contact Connex Ontario at 1-866-531-2600 to speak to an advisor free of charge. Bet MGM operates pursuant to an operating agreement with iGaming Ontario. All right, so apparently you can unintentionally disrupt the entire country's fuel infrastructure in 2021. Good to know. But that set us on a journey. We wanted to know why. Why are we so bad at doing something about this? So we reached out to
Starting point is 00:17:22 Robert M. Lee. He's the CEO and co-founder of Dragos. We get called into these types of attacks when they happen on the operational side. At what point, Rob, did ransomware attacks get so established that an outfit like DarkSide could have a hotline and a bunch of contractors and a public-facing PR operation? To be fair, this has been for years now that these groups have operated like businesses. What we've seen recently, though, is in the last couple of years, there's been so many remote vulnerabilities, so vulnerabilities that take advantage of how you log into work and how you get access from a remote home location.
Starting point is 00:18:01 Those vulnerabilities coming out, which allows these criminals more access than ever into targeting these companies. And we've covered this issue before on the show when, you know, this was a huge problem in Baltimore. Baltimore city leaders voted Wednesday to use $6 million in park funding to help pay for a ransomware attack that infected local government computers last May. Lily told us about how problematic ransomware attacks have been in the past year during this pandemic, especially attacks on hospitals.
Starting point is 00:18:32 But how typical are the kinds of attacks that we're seeing this week with this Colonial Pipeline? Yeah, it's not typical for an IT or corporate network compromise to impact operations. It can happen, but that's not super common. However, there's a lot of these cases that happen and they're way more common than people realize on the operations side. We get called in all the time when folks are experiencing ransomware attacks and others on their production environments. It's just generally not reported and it usually doesn't have the type of impact that we saw. I mean, I imagine it's a pretty profitable business to be executing these ransomware attacks, especially ones as big as the one we saw this week on the Colonial Pipeline. How profitable a business is it to try and protect companies from these
Starting point is 00:19:20 kinds of attacks? Yeah, not as profitable. If you want to make money, the criminal route is probably better, but you can't sleep well at night with that. So each of these ransomware groups, when they target these companies, it's a multi-million dollar ransom, which may not sound huge. I mean, obviously scales up the size of the companies, but that's very impactful. And when they're running dozens of these at a time, it's an extremely profitable business for these gangs. And can you and your team actually protect these companies from these kinds of attacks? There's so many companies that go to battle with these adversaries every day and you never hear about them. They never make the news because they're winning and they're doing really well. And what we see time and time again is a lot of the security work put
Starting point is 00:20:02 in these companies is preventative. It's how do we prevent attacks? How do we prevent issues? How do we put up our guard? But if you don't actually have visibility of what's happening inside the house and you can't detect and you can't respond, that's when people get in trouble. And on the operation side of the house, these operation technology environments, it's historically just been preventative. So people are waking up to the fact that we need to do more on that side of the house and make sure that we can be more proactive against these threats. A lot of these companies don't do the things that they could or should. Now, I'm not saying that in context of colonial. A lot of the things that they're doing right now seem really good. But when you talk about various city and municipal infrastructure, they are definitely lagging in the investments that
Starting point is 00:20:42 happen to other companies. And if you look at the industrial sector writ large, they historically significantly lag financial sector and others who are doing a lot more in security. So I don't think it's an issue of do we not know how to do it? It's usually an issue of are we investing in the problem? And who's the we is the United States government? Is it these businesses? Who is it? I put that in the context of businesses. I think it's very fair that everyone always goes, what is the government doing about this? What can the government do more, et cetera? But the government's got their own problems. The OPM breach. More than 21 million Americans had personal information stolen from government files in a data breach that was six
Starting point is 00:21:20 times as large as originally disclosed. The SolarWinds breach. The reverberations continue about this large-scale computer hacking operation that infiltrated the networks of several government agencies and thousands of private companies. We're constantly hearing about federal government networks getting compromised, and they've got a lot of mission space to do. So they don't need to be trying to fix everybody else's problem. They need to fix theirs and then share the insights of how they did it and share this lesson learned and encourage the private sector to do the right things. that seems to be operating on such a sort of like corporate level. They've got a hotline. They've got a PR agency. They're donating charities. Like it starts to make you wonder if they're being policed at the level they should be when they're executing these kinds of attacks we saw this week.
Starting point is 00:22:18 They're not being policed at all. So when you look at criminal prosecution rates and what's actually happened in this space, if DOJ, Department of Justice, FBI, whoever says something, these companies are still operating out of Russia, Eastern Europe, Brazil, Iran, North Korea, places that are not all too excited to go and do the bidding of US or Canadian law enforcement and lock these companies and these people up. Also, a lot of times these foreign military intelligence services sometimes have a symbiotic relationship with these criminal groups, where they're learning from them, they're getting capabilities from them, they're using some of their people. So there's not a big advantage to them to do anything to them, which means they
Starting point is 00:22:57 operate with complete, you know, sort of novelty. I mean, when you bring up Russia, North Korea, Iran, less so Brazil, of course, I start to wonder, where is the line between the SolarWinds attacks and the Colonial Pipeline attacks? How do we differentiate the two if some of these hackers are based in Russia or North Korea? Yeah, it can be difficult for sure. But where the US government has taken a position before is if it can really identify that it was state directed. If the Kremlin, as an example, directed the operation, whether or not it was Russian military or Russian civilians, that if it was directed by the Russian government, there's culpability and responsibility to Russian government, you see sanctions, you see actions as it and there's consequences. Not doesn't fix it, but there are some consequences. But when you really can't make that connection, like here with DarkSide, they could have a connection to the Russian government, but we just don't know. Then there's not a whole lot you can do besides hoping that Russian or Eastern European police happen to take action. Rob, I understand you used to be in the NSA. Is that right?
Starting point is 00:24:04 Correct. Are we allowed to talk about that? Yeah, sure. I mean, the United States hacks all these other countries too, right? Oh, yeah. Cool. I'm glad you're as forthcoming as you are. I mean, that makes me wonder, is part of the reason we don't police this at all, according to you, that we also apparently, as the country, enjoy hacking all of these other countries. And we don't want to be saying you shouldn't be doing
Starting point is 00:24:31 that because we're doing it. Well, it's even worse. We say you shouldn't be doing it. And then the other countries go, well, hold on now. You know, like you're being a little hypocritical here. And so I don't think internationally we have too many legs to stand on that topic. We'll say, hey, now we play by certain rules. We don't steal intellectual property and pass it to our private sector companies like China does. We don't do criminal hacking and let them run amok like Russia does. But at the same time, Russia and China will come back and be like, well, we don't do certain things that you do. And it's just this back and forth of different perspectives. And ultimately, policy is mired
Starting point is 00:25:09 by things that aren't technical in reality. They're not grounded in technical realities. And they often confuse the technical with the policy. And then it's just communication between states. So I don't mean to dodge it at all. I'll just say we look hypocritical. We act hypocritical. But a lot of times we do the right things, but it's sort of our worldview in terms of what is and isn't right. Are these just going to keep escalating until something very, very bad happens? Yeah, we're a lot closer than people think. But at the same time, things aren't as scary as people like to make them out to be.
Starting point is 00:25:49 This isn't Die Hard 4 and our entire country's going down with a fire sale. It's a fire sale. Hey, we don't know that yet. But at the same time, in 2017, a state actor broke into a petrochemical facility in Saudi Arabia and tried to kill people through a cyber attack.
Starting point is 00:26:05 They came really close to killing people there from a cyber attack. That's insane. Our industries are becoming more connected than ever. Our operations environments are becoming cloud connected. And we have specific focused adversaries on targeting these industrial companies. We tracked today 15 different state actors trying to compromise these different companies. So to sit back and look without trying to freak anybody out, you have to appreciate that it's getting worse and we can do security. Defense is doable, but we better get on it.
Starting point is 00:26:41 Robert M. Lee used to be in the NSA. Now he runs Dragos. They do cybersecurity. I'm Sean Rameswaram. This is Today Explained. Consider changing your password. Thank you.
