According to a cybersecurity consultant who responded to the attack, the hack that took down the largest fuel pipeline in the United States and caused shortages on the East Coast was the result of a single compromised password.
Hackers broke into Colonial Pipeline Co.’s networks on April 29 through a virtual private network account that allowed employees to remotely access the company’s computer network, Charles Carmakal, senior vice president of cybersecurity firm Mandiant, which is part of FireEye Inc., said in an interview. The account was no longer in use at the time of the attack, but it could still be used to access Colonial’s network, he said.
The account’s password has since been discovered within a batch of passwords leaked on the dark web. That means a Colonial employee may have reused the same password on another account that was previously breached, he said. However, Carmakal said he is not sure how the hackers obtained the password, and said investigators may never know for sure how the credential was obtained.
The VPN account, which has since been deactivated, did not use multifactor authentication, a basic cybersecurity control; its absence allowed the hackers to breach Colonial’s network with nothing more than a compromised username and password. It is not known how the hackers obtained the correct username, or whether they were able to determine it on their own.
“We did a pretty thorough search of the environment to try to determine how they got those credentials,” Carmakal said. “We don’t see any evidence of phishing of the employee whose credentials were used. We haven’t seen any other evidence of attacker activity before April 29.”
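The three weaknesses described above (a dormant account that still worked, no second factor, and a password that turned up in a leaked credential dump) are all things an account audit can catch before an attacker does. The following is an added example written for this page, not code from the article, Mandiant or Colonial. It audits a constructed list of VPN accounts against those three conditions and checks each password hash against a constructed stand-in for a breach dump, indexed by 5-character SHA-1 prefix the way a Have I Been Pwned k-anonymity range query is, so the full hash never has to leave the host. The 90-day dormancy threshold, the account names and the leaked passwords are all assumptions made up for the example.

```python
"""Audit VPN accounts for dormancy, missing MFA and leaked passwords.
Added example; all accounts, passwords and policy values are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class VpnAccount:
    username: str
    last_login: date      # most recent successful VPN login
    mfa_enabled: bool     # whether a second factor is enforced on this account
    password_sha1: str    # hex SHA-1 of the password, the form used in HIBP's pwned-passwords list


def sha1_hex(password):
    """Upper-case hex SHA-1, matching the pwned-passwords convention."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a leaked-password dump. It is indexed the way a
# k-anonymity range query works: 5-hex-char prefix -> set of 35-char suffixes,
# so a lookup only ever reveals the prefix. The passwords are made up.
_LEAKED_PASSWORDS = ("Password123", "Summer2021!", "Colonial2020")
LEAKED_RANGES = {}
for _pw in _LEAKED_PASSWORDS:
    _h = sha1_hex(_pw)
    LEAKED_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def is_leaked(password_sha1, ranges=LEAKED_RANGES):
    """Return True if the hash appears in the dump. Only the 5-char prefix
    selects the bucket; the suffix is compared locally."""
    h = password_sha1.upper()
    return h[5:] in ranges.get(h[:5], set())


DORMANCY_LIMIT = timedelta(days=90)   # assumed policy value, not from the article


def audit(accounts, today, dormancy=DORMANCY_LIMIT, ranges=LEAKED_RANGES):
    """Return {username: [reasons]} for every account that fails a check.
    A clean account does not appear in the result."""
    findings = {}
    for acct in accounts:
        reasons = []
        if today - acct.last_login > dormancy:
            reasons.append("dormant")          # unused but still able to log in
        if not acct.mfa_enabled:
            reasons.append("no_mfa")           # password alone grants access
        if is_leaked(acct.password_sha1, ranges):
            reasons.append("leaked_password")  # reused credential in a dump
        if reasons:
            findings[acct.username] = reasons
    return findings


# Constructed sample data: one account with all three problems, one clean
# account, and one active account that lacks MFA.
SAMPLE_ACCOUNTS = [
    VpnAccount("jdoe", date(2020, 12, 1), False, sha1_hex("Summer2021!")),
    VpnAccount("asmith", date(2021, 4, 20), True, sha1_hex("7Lq-vessel-orbit-cactus")),
    VpnAccount("contractor7", date(2021, 4, 27), False, sha1_hex("Winter-2021-xyz")),
]
AUDIT_DATE = date(2021, 4, 29)   # the intrusion date reported above, used as "today"

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{user}: {', '.join(reasons)}")
```

In a real deployment the account list would come from the VPN appliance or identity provider, and `LEAKED_RANGES` would be populated from the HIBP range endpoint for each prefix; the lookup logic stays the same. Any account flagged `dormant` should simply be disabled, which is the control that would have closed the door described in the article.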
Just over a week later, on May 7, an employee in Colonial’s control room saw a ransom note demanding cryptocurrency appear on a computer just before 5 a.m. The employee notified an operations supervisor, who immediately began the process of shutting down the pipeline, Colonial CEO Joseph Blount said in an interview. By 6:10 a.m., the entire pipeline had been shut down, Blount said.
It was the first time Colonial had shut down its entire pipeline system in its 57-year history, Blount said. “At the time we had no choice,” he said. “It simply came to our notice then. At that time, we had no idea who was attacking us or what their motives were.”
Colonial Pipeline made Carmakal and Blount available for an interview ahead of Blount’s testimony next week before congressional committees, where he is expected to provide more details on the scope of the compromise and to address the company’s decision to pay a ransom to the attackers.
News of the Colonial shutdown spread quickly. The company’s system transports approximately 2.5 million barrels of fuel a day from the Gulf Coast to the East Coast. The shutdown caused long lines at gas stations, many of which ran out of fuel, and fuel prices rose. Colonial began resuming service on May 12.
Shortly after the attack, Colonial began a thorough examination of the pipeline, covering 29,000 miles by land and air looking for visible damage. The company ultimately determined that the pipeline had not been damaged.
Mandiant, meanwhile, was sweeping the network to understand how far the hackers had probed, while installing new detection tools that would alert Colonial to any subsequent attack, which is not uncommon after a substantial breach, Carmakal said. Investigators have found no evidence that the same group of hackers attempted to regain access.
“The last thing we wanted was for a threat actor to have active access to a network where there are potential risks to a pipeline. That was the main focus until it was restarted,” Carmakal said.
Mandiant also tracked the hackers’ movements on the network to determine how far they had compromised the systems adjacent to Colonial’s operational technology (OT) network: the computer systems that control the actual flow of fuel. Even as the hackers moved through the company’s information technology network, there was no indication that they were able to breach the most critical OT systems, he said.
It was only after Mandiant and Colonial were able to conclusively determine that the attack had been contained that they considered restarting the pipeline, Blount said.
Colonial paid the hackers, who were affiliated with a Russia-linked cybercrime group known as DarkSide, a $4.4 million ransom shortly after the hack. The hackers also stole about 100 gigabytes of Colonial Pipeline data and threatened to leak it if the ransom was not paid, Bloomberg News reported last month.
Colonial has hired Rob Lee, founder and CEO of Dragos Inc., a cybersecurity company that focuses on industrial control systems, and John Strand, owner and security analyst at Black Hills Information Security, to review its cyberdefenses and focus on preventing future attacks.
After the attack on his company, Blount said he would like the U.S. government to prosecute hackers who have found safe haven in Russia. “Ultimately, the government must focus on the actors themselves. As a private company, we do not have the political capacity to stop the host countries that harbor these bad actors.”