{"id":400357,"date":"2021-06-05T10:51:10","date_gmt":"2021-06-05T08:51:10","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=400357"},"modified":"2021-06-05T10:52:48","modified_gmt":"2021-06-05T08:52:48","slug":"one-compromised-password-let-attackers-break-into-colonial-pipeline","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/400357-one-compromised-password-let-attackers-break-into-colonial-pipeline.html","title":{"rendered":"One compromised password let attackers break into Colonial Pipeline"},"content":{"rendered":"<p>The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack.<\/p>\n<p>Hackers gained entry into the networks of Colonial Pipeline Co. on April 29 through a virtual private network account, which allowed employees to remotely access the company\u2019s computer network, said Charles Carmakal, senior vice president at cybersecurity firm Mandiant, part of FireEye Inc., in an interview.<\/p>\n<p>The account was no longer in use at the time of the attack but could still be used to access Colonial\u2019s network, he said.<\/p>\n<p>The account\u2019s password has since been discovered inside a batch of leaked passwords on the dark web. That means a Colonial employee may have used the same password on another account that was previously hacked, he said.<\/p>\n<p>However, Carmakal said he isn\u2019t certain that\u2019s how hackers obtained the password, and he said investigators may never know for certain how the credential was obtained.<\/p>\n<p>The VPN account, which has since been deactivated, didn\u2019t use multifactor authentication, a basic cybersecurity tool, allowing the hackers to breach Colonial\u2019s network using just a compromised username and password. It\u2019s not known how the hackers obtained the correct username or if they were able to determine it on their own.<\/p>\n<p>\u201cWe did a pretty exhaustive search of the environment to try and determine how they actually got those credentials,\u201d Carmakal said. \u201cWe don\u2019t see any evidence of phishing for the employee whose credentials were used. We have not seen any other evidence of attacker activity before April 29.\u201d<\/p>\n<h3 class=\"my-4\">Ransom Note<\/h3>\n<p>A little more than one week later, on May 7, an employee in Colonial\u2019s control room saw a ransom note demanding cryptocurrency appear on a computer just before 5 a.m.<\/p>\n<p>The employee notified an operations supervisor who immediately began to start the process of shutting down the pipeline, Colonial Chief Executive Officer Joseph Blount said in an interview. By 6:10 a.m., the entire pipeline had been shut down, Blount said.<\/p>\n<p>It was the first time Colonial had shut down the entirety of its gasoline pipeline system in its 57-year history, Blount said. \u201cWe had no choice at that point,\u201d he said. \u201cIt was absolutely the right thing to do. At that time, we had no idea who was attacking us or what their motives were.\u201d<\/p>\n<p>Colonial Pipeline made Carmakal and Blount available for an interview in advance of Blount\u2019s testimony next week before Congressional committees, in which he\u2019s expected to provide further detail regarding the scope of the compromise and address the company\u2019s decision to pay ransom to the attackers.<\/p>\n<p>It didn\u2019t take long for news of Colonial\u2019s shutdown to spread. The company\u2019s system transports roughly 2.5 million barrels of fuel daily from the Gulf Coast to the Eastern Seaboard. The\u00a0<span id=\"3b7bf3a0-c575-11eb-af82-fa163eb8fd71\">outage<\/span>\u00a0led to long lines at gas stations, many of which ran out, and higher fuel prices. Colonial began resuming service on May 12.<\/p>\n<p>Soon after the attack, Colonial embarked on an exhaustive examination of the pipeline, tracking 29,000 miles on the ground and through the air to look for visible damage. The company ultimately determined the pipeline wasn\u2019t damaged.<\/p>\n<h3 class=\"my-4\">Sweeping Network<\/h3>\n<p>In the meantime, Mandiant was sweeping the network to understand how far hackers had probed while installing new detection tools that would alert Colonial of any follow-on attacks &#8212; which aren\u2019t uncommon after a substantial breach, Carmakal said.<\/p>\n<p>Investigators haven\u2019t found any evidence the same group of hackers tried to regain access.<\/p>\n<p>\u201cThe last thing we wanted was for a threat actor to have active access to a network where there is any possible risk to a pipeline. That was the biggest focus until it was turned back on,\u201d Carmakal said.<\/p>\n<p>Mandiant also traced the hackers\u2019 movements in the network to determine how close they got to compromising systems adjacent to Colonial\u2019s operational technology network &#8212; the system of computers that control the actual flow of gasoline.<\/p>\n<p>While the hackers did move around within the company\u2019s information technology network, there wasn\u2019t any indication they were able to breach the more critical operational technology systems, he said.<\/p>\n<p>It was only after Mandiant and Colonial were able to conclusively determine that the attack had been contained that they considered re-opening their pipeline, said Blount.<\/p>\n<p>Colonial paid the hackers, who were an affiliate of a Russia-linked cybercrime group known as DarkSide, a $4.4 million ransom shortly after the hack.<\/p>\n<p>The hackers also stole nearly 100 gigabytes of data from Colonial Pipeline and threatened to leak it if the ransom wasn\u2019t paid, Bloomberg News\u00a0<a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2021-05-09\/colonial-hackers-stole-data-thursday-ahead-of-pipeline-shutdown\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>reported last month<\/strong><\/a><strong>.<\/strong><\/p>\n<p>Colonial has hired Rob Lee, the founder and chief executive officer of the Dragos Inc., a cybersecurity firm that focuses on industrial control systems, and John Strand, owner and security analyst at Black Hills Information Security, to consult on its cyber defenses and to focus on warding off future attacks.<\/p>\n<p>In the wake of the attack on his company, Blount said he would like the U.S. government to go after hackers who have found safe haven in Russia.<\/p>\n<p>\u201cUltimately the government needs to focus on the actors themselves. As a private company, we don\u2019t have a political capability of shutting down the host countries that have these bad actors in them.\u201d<\/p>\n<h3 class=\"my-4\">Now read: <a href=\"https:\/\/mybroadband.co.za\/news\/security\/399527-how-to-avoid-your-bank-card-getting-cloned-and-money-stolen.html\" rel=\"bookmark\">How to avoid your bank card getting cloned and money stolen<\/a><\/h3>\n","protected":false},"excerpt":{"rendered":"<p>The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack.<\/p>\n","protected":false},"author":341034,"featured_media":400359,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_sma_x_autopost_status":"idle","_sma_x_autopost_error":"","_sma_x_post_id":"","_sma_x_attempts":0,"footnotes":""},"categories":[27],"tags":[70095,15227,60121,461],"class_list":["post-400357","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-colonial-pipeline","tag-cybersecurity","tag-fuel","tag-hacking"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/400357"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341034"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=400357"}],"version-history":[{"count":0,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/400357\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/400359"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=400357"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=400357"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=400357"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}