Hackers breached Colonial Pipeline with a compromised password

It was a single compromised password that shut down the largest fuel pipeline in the U.S. and caused shortages along the East Coast, according to a cybersecurity consultant who responded to the attack.

The hackers broke into Colonial Pipeline Co.’s networks on April 29 through a virtual private network account that allowed employees to access the company’s computer network remotely, Charles Carmakal, vice president at cybersecurity firm Mandiant, a division of FireEye Inc., said in an interview. The account was no longer in use at the time of the attack, but he said it could still be used to access Colonial’s network.

The account’s password has since been discovered inside a batch of leaked passwords on the dark web. That means a Colonial employee may have used the same password on another account that was previously hacked, he said. However, Carmakal said he is not certain that is how the hackers obtained the password, and said investigators will never know for sure how the credential was obtained.

The VPN account, which has since been deactivated, did not use multi-factor authentication, a basic cybersecurity tool. That allowed the hackers to breach Colonial’s network using just a compromised username and password. It is not known how the hackers obtained the correct username, or whether they were able to determine it on their own.

“We did a fairly detailed search of the environment to determine how these credentials were obtained,” Carmakal said. “We have not seen any evidence of phishing of the employee whose credentials were used. We have not seen any other evidence of the attackers’ activity until April 29.”

Colonial paid the hackers, members of a Russia-linked cybercrime group known as DarkSide, a $4.4 million ransom shortly after the hack. [File: Samuel Corum/Bloomberg]

Ransom Note

A little over a week later, on May 7, an employee in Colonial’s control room saw a ransom note demanding cryptocurrency shortly before 5 a.m. The worker notified an operations supervisor, who immediately began the process of shutting down the pipeline, Colonial Chief Executive Officer Joseph Blount said in an interview. By 6:10 a.m., Blount said, the entire pipeline had been shut down.

Blount said it was the first time Colonial had shut down its gasoline pipeline system in its 57-year history. “We didn’t have a chance at the time,” he said. “It was absolutely correct. At the time, we had no idea who was attacking us or what their motives were.”

Colonial Pipeline made Carmakal and Blount available for interviews ahead of Blount’s testimony next week before congressional committees, where he is expected to provide more details about the attack and the company’s decision to pay the ransom.

News of the Colonial shutdown spread quickly. The company’s system transports about 2.5 million barrels of fuel daily from the Gulf Coast to the East Coast. The disruption caused long lines at gas stations, many of which ran dry, and fuel prices rose. Colonial resumed service on May 12.

Shortly after the attack, Colonial conducted a detailed physical inspection of the pipeline, covering 29,000 miles by land and air, to look for visible damage. The company eventually determined that the pipeline had not been damaged.

Sweeping Network

Meanwhile, Mandiant scoured Colonial’s network to understand how far the hackers had gotten, while Colonial installed new detection tools that would alert it to follow-up attacks, which are not uncommon after a major breach, Carmakal said. Investigators found no evidence that the same group of hackers attempted to regain access.

“The last thing we wanted was for a threat actor to have active access to a network where there is a potential risk to a pipe. That was until it was turned on again,” Carmakal said.

Mandiant also traced the hackers’ movements through the network to determine whether they had compromised systems close to Colonial’s operational technology network, the system of computers that control the actual flow of gasoline. While the hackers moved through the company’s information technology network, there was no indication that they were able to breach the more critical operational technology systems, he said.

Blount said Mandiant and Colonial had to be confident that the attack was fully contained before they considered reopening the pipeline.

Colonial paid the hackers, members of a Russia-linked cybercrime group known as DarkSide, a $4.4 million ransom shortly after the hack. The hackers had stolen nearly 100 gigabytes of data from Colonial Pipeline and threatened to leak it if the ransom was not paid, Bloomberg News reported last month.

Colonial has hired Rob Lee, founder and CEO of Dragos Inc., a cybersecurity company focused on industrial control systems, and John Strand, owner and security analyst at Black Hills Information Security, to consult on its cyber defenses, with a focus on repelling future attacks.

After the attack on his company, Blount said he would like the U.S. government to go after hackers who have found a safe haven in Russia. “Ultimately the government needs to focus on the actors. As a private company, we do not have the political capacity to close down recipient countries with these bad actors.”
