Hackers who attacked Colonial Pipeline breached the company’s system using a single password to access its systems remotely.
Charles Carmakal, who consulted on the Colonial Pipeline’s attack response, told Bloomberg News on Friday that the password was one used to access the company’s virtual private network (VPN).
VPNs allow staff to access work systems from their home computers by using a password, and have become common for many working from home during the COVID pandemic.
Carmakal also told of how details of the same VPN password were later found leaked on the dark web.
That password, though still functioning, had not been used by employees to access the VPN for some time before it appeared on the dark web, Carmakal said. The VPN account which was used to breach Colonial Pipeline has since been deactivated.
Carmakal, a senior vice president at Mandiant – a product line of the cybersecurity firm FireEye Inc., said it remains unclear how the hackers obtained the password.
It was not immediately clear why the password was still functioning even though it had not been used by employees, why the password was no longer in use and how long it had not been in use, and if any employees are expected to be disciplined.
FireEye Inc. declined requests from DailyMail.com seeking clarification and additional details.
The hackers who attacked Colonial Pipeline with ransomware breached the company’s system using a single shared password used by multiple workers
Charles Carmakal, senior vice president at cybersecurity firm Mandiant, said that the password for an account to access Colonial Pipeline’s virtual private network was later found in a set of passwords leaked on the dark web
The VPN account which was used to breach Colonial Pipeline has since been deactivated
Bloomberg also revealed that the account did not have multifactor authentication enabled. #
Multifactor authentication is a cybersecurity method in which an account holder presents at least two pieces of evidence the account belongs to them – such as a PIN number or fingerprint on top of the account’s password.
It has become commonplace in recent years, with most Americans required to enter a code sent to them by text or email to access online accounts such as banking or social media even after entering their initial password.
FireEye Inc. declined requests to comment if the hackers would have still been able to breach Colonial Pipeline if the company had multifactor authentication enabled on the compromised VPN account.
‘We did a pretty exhaustive search of the environment to try and determine how they actually got those credentials,’ Carmakal told Bloomberg.
‘We don’t see any evidence of phishing for the employee whose credentials were used. We have not seen any other evidence of attacker activity before April 29.’
Colonial Chief Executive Officer Joseph Blount, who is set to provide testimony next week before Congressional committees with further details about the hack, told Bloomberg that the company ‘had no choice’ but to close the pipeline.
It was later determined that the hackers had not been able to access the pipeline’s actual fuel supply, although bosses nonetheless decided to halt the network while finding out the scale of the breach.
Blount said the company first became aware of the attack when a control room employee saw a note demanding the ransom of cryptocurrency appear on a computer just before 5 a.m. on May 7.
The employee told a supervisor, who began to immediately shut down the pipeline – a process which ended by 6:10 a.m., Blount said.
‘It was absolutely the right thing to do. At that time, we had no idea who was attacking us or what their motives were,’ Blount said.
The attack on Colonial Pipeline, which transports 45 percent of the East Coast’s fuel supply, was the largest assault on US energy infrastructure in history
The standard ransom note used by the DarkSide hacker gang is seen above. A Colonial worker discovered a note like this one at about 5.30am on May 7 on a control room computer
Blount said that the company then began tracking the pipeline on the ground and through the air to look for visible damage, which the company did not find.
After the attack, Mandiant searched through Colonial Pipeline’s network to understand how much access the hackers had and how close they were to compromising the systems that actually control the flow of gasoline.
Blount told Bloomberg that there has been no indication the hackers were able to breach critical operational technology systems.
The pipeline only reopened when investigators determined that the hack had been contained after paying the $4.4 million ransom. Investigators said there has been no evidence that the hackers have tried to access the systems again.
The hackers also stole almost 100 gigabytes of data from Colonial Pipeline that it threatened to leak online if the ransom was not paid, Bloomberg News previously reported.
A fuel truck driver checks the gasoline tank level at a United Oil gas station in Sunset Blvd. as the price of gasoline jumped during the 10-day shutdown of the Colonial Pipeline
The shutdown of the pipeline led to gas shortages, particularly along the East Coast
A person fills a fuel container at a Shell gas station, after a cyberattack crippled the biggest fuel pipeline in the country, run by Colonial Pipeline, in Washington, D.C. on May 15
Cars line up to get gas at one of the few stations remaining open at a 7 Eleven station in Woodbridge, Virginia on May 19
FireEye Inc. declined requests to comment on if there are fears that data could still be leaked, and what the data is said to include.
The hackers are reportedly affiliated with DarkSide, a cybercrime group linked to Russia.
According to FireEye’s blog, DarkSide first surfaced in August 2020 and have since launched ‘a global crime spree affecting organizations in more than 15 countries and multiple industry verticals.’
‘Like many of their peers, these actors conduct multifaceted extortion where data is both exfiltrated and encrypted in place, allowing them to demand payment for unlocking and the non-release of stolen data to exert more pressure on victims,’ FireEye wrote.
The company noted that, in multiple cases, it has observed ‘suspicious authentication attempts’ against corporate VPN infrastructure immediately before intrusion operations.
‘In cases where evidence was available, the threat actor appeared to obtain initial access through corporate VPN infrastructure using legitimate credentials,’ the company noted.
Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, tweeted that the news shows officials are taking the threats seriously
The Colonial Pipeline hack caused a shutdown lasting several days, led to a spike in gas prices, panic buying and localized fuel shortages in the southeast.
This week, the U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism in the wake of the Colonial Pipeline hack, a senior department official told Reuters.
Internal guidance sent on Thursday to U.S. attorney’s offices across the country said information about ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington.
The letter was sent by Deputy Attorney General Lisa Monaco and was titled ‘Guidance Regarding Investigations and Cases Related to Ransomware and Digital Extortion,’ according to Cyber Scoop News which obtained a copy of the letter.
John Carlin, acting deputy attorney general at the Justice Department, told Reuters that the guidelines are ‘a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain.’
Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, tweeted about the news on Thursday.
‘This is a positive indication that we’re getting serious about stopping ransomware. Much more needs to be done, but directional shifts are a good thing,’ he tweeted.
Krebs explained how the ransomware situation in the United States has worsened, calling the attacks ‘a profitable business model with low barriers to entry’ and noting that there have been ‘no meaningful consequences against the criminals or their hosts to date.’
He also asserted that the security posture of businesses makes it ‘too easy for the bad guys’ while speculating that the Russian government allows ransomware groups to flourish because it ‘builds a cyber workforce they can call on later’ and ‘creates well-paying jobs’ keeping the country’s residents ‘off the streets.’
Krebs noted that the ransomware attacks also ‘undermines confidence in western citizenry’ of their government’s ability to defend them.