Colonial Pipeline disclosed Saturday that it had been the victim of a ransomware attack, and that it had taken some systems offline as a precautionary measure. The attackers appear to have accessed business systems from which they stole nearly a hundred gigabytes of data before they locked Colonial computers and demanded ransom.
Recorded Future told Bloomberg that the ransomware strain involved appears to be DarkSide, a strain associated with a Russian gang. NBC reports that most observers regard the incident as financially motivated as opposed to state-directed sabotage. An evergreen interview with Dragos from 2020 offers some perspective on ransomware attacks against industrial targets.
The attack represents a major disruption of the US energy sector, WIRED notes, and Reuters reports that oil futures have risen in anticipation of shortages. The incident is seen, POLITICO says, as a major challenge to the US Administration, which is investigating the attack and has issued an emergency waiver of some trucking safety regulations so that road transportation can make good some of the expected shortfalls.
A joint advisory issued Friday by the UK's National Cyber Security Centre (NCSC) and three US agencies (CISA, FBI, and NSA) describes the tactics, techniques, and procedures (TTPs) Russia's SVR foreign intelligence service used in the SolarWinds compromise and elsewhere. The advisory is specific and unambiguous in attributing the attacks to the SVR. BleepingComputer notes that a foreseeable reaction to the US and UK advisories has indeed been observed: the SVR is changing both its targeting and its TTPs.