Colonial Pipeline Attack: Phishing Email Likely the Culprit

May 13, 2021
As the details emerge on the ransomware attack that sent a major U.S. oil pipeline operated by Colonial Pipeline offline for a week, what we do know is that the likelihood the attack emerged from a malicious phishing email attack is extremely high. Earlier this week, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) tied the threat actors behind the attack, DarkSide, to prior phishing-related attacks as a way to deliver ransomware to their targets.

“According to open-source reporting, DarkSide actors have previously been observed gaining initial access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI).”

DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks (U.S. CISA)

Additionally, recent history indicates that email has been the primary delivery method for high-profile infrastructure attacks.

  • February 2020: U.S. Department of Homeland Security reports that a U.S. natural gas facility is brought down by a ransomware attack that originated from an email that contained “a malicious link, known as a phishing attack, to gain control of the facility’s information technology system.” (Bloomberg)
  • February 2021: SolarWinds self-reports that “a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.” (SolarWinds)

Finally, the just-released 2021 Verizon Data Breach Investigations report further corroborates phishing as a likely cause of the attack. The report states that phishing was the top action in breaches, with credentials remaining the most sought-after data type. The report further states that two top vectors for the installation of ransomware are through the use of stolen credentials (gained through credential phishing attacks) and email.

Presumably, in each instance, existing email security defenses were in place. Yet, in each instance, those defenses failed at stopping the targeted employee from accessing and engaging with the malicious email. While the details behind the attacks are unknown, we can surmise the reason these attacks reached the inbox is due to two factors.

First, the email threats that have the most success reaching unsuspecting employees are socially-engineered, never-before-seen attacks from impersonated domains and compromised employees and vendors.

Second, the prevalence of threat intelligence-based security defenses at the enterprise level. This approach relies on known bad or indicators of compromise, like a bad reputation, suspicious links, or malicious attachments. Unfortunately, threat intelligence has known limits to what it can stop—namely the very same highly dangerous, never-before-seen attacks that wreak havoc on organizations. According to the FBI, socially engineered email attacks are responsible for over $2.1B in lost revenue in 2020—by far the most of any security threat.

As for the link between ransomware and never-before-seen attacks, Megan Stifel from Global Cyber Alliance, an international nonprofit dedicated to reducing cyber risk, said:

“Technically, in most cases, ransomware evolves from a suspicious e-mail. Someone clicks on an e-mail that we call these phishing e-mails where someone who you think is an associate or a colleague sends you an e-mail saying, I need you to open this, I need you to do this right now, luring you into clicking on a link.

That link often reroutes the user to not the intended place they thought they were going, but to a malicious Web site, that then is involved in downloading further malicious software, allowing the perpetrators to gain access to that particular individual's computer and thereby the organization's network.

And depending on how well the network is architected, they may have access then to a range of places within the network, to very sensitive data, to, in some cases, not-so-sensitive data. But, in most cases, these types of actors will look for data that they know is valuable, and that they can then, again, hold it ransom, so that they can make money.”

Megan Stifel, Global Cyber Alliance (PBS)

To solve the problem, there needs to be a fundamentally different approach.

The new API-driven approach pioneered by Abnormal Security uniquely leverages behavioral data science to profile and baseline good behavior to detect anomalies. We deliver this approach through a cloud-native email security platform that can be deployed instantly through a one-click API integration and can be used to extend and complement your existing secure email gateways.

This API-level access allows us to provide complete protection against the full spectrum of email threats, including spam and graymail, as well as advanced never-before-seen, socially engineered attacks such as executive impersonations and employee and vendor compromises.

To protect your organization from never-before-seen attacks that get past threat intelligence-based solutions, request a demo to see how Abnormal Security can help you.

Related Posts

Blog customer communications leads to product innovation
Learn how customers have influenced the latest round of product enhancements to better protect your organization from email-borne threats.
Read More
Blog attack detection efficacy cover
Abnormal’s relentless pursuit of innovation significantly improves the detection efficacy of hidden payloads in emails by an additional 5%.
Read More
Blog mnru cover
Estimating both the time and cost to complete a task has been a continual challenge for engineering teams as long as I’ve been working in industry. Coordinating the complex interactions and execution task sequencing across multiple tasks and people is a complex, ever-evolving challenge, and one that most teams struggle with daily.
Read More
Blog what do phishing emails cover
Phishing attacks are on the rise; the FBI reports that such attacks cost $54 billion in 2020, and phishing complaints increased by a whopping 110% from 2019 to 2020. If you're one of the many people targeted by a phishing email, you're not alone.
Read More
Blog holiday scams cover
We've arrived at that time of year—a time for reflection and celebration and spending time with family, and also that time of year where the cyber grinches hope to spoil the holiday fun.
Read More
Log4j email blog cover
Over the last few days, Abnormal has successfully blocked multiple attempts by attackers to deliver emails similar to these to our customers’ unsuspecting end users.
Read More
Blog securitry privacy cover
Customers place tremendous trust in Abnormal to protect them from the full spectrum of attacks when they provide us access to the email stored in Microsoft 365 or Google Workspace. To that end, we’re focused on protecting your data and building your trust.
Read More
Blog podcast role cto
Tim Tully, Partner at Menlo Ventures, grew up in Silicon Valley, where a love for coding was kindled in him. Tim is a technologist to the core, which innately led him to become an elite technical leader at companies like Splunk and Yahoo.
Read More
Blog canadian visa cover
Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program, which bears a striking resemblance to a long-standing fraud scheme described in our post from several weeks ago targeting TSA travel program applicants.
Read More
Automate abuse mailbox cover
Managing and monitoring an Abuse Mailbox can be a significant pain point for IT security teams, particularly large organizations with thousands of employees.
Read More
Blog calendar invite attack cover
Meeting invites are one of the most common types of emails sent today, so it should come as no surprise that attackers have found a way to manipulate them. Scores of recipients that utilize Abnormal Security recently received emails that contained a .ics attachment—an invitation file commonly used to populate online calendar applications with meeting and event information.
Read More
Blog saving memory python cover
At a hyper-growth startup, a solution from six months ago will unfortunately no longer scale. The business is growing rapidly, and this traffic to this service in particular was growing at an unprecedented rate. We hit a point where it needed re-architecting to support 10x the current scale.
Read More