Colonial Pipeline Hacked Via Inactive Account Without MFA

The Darkside ransomware gang broke into Colonial Pipeline through an inactive account that didn’t use multifactor authentication, according to a consultant who investigated the attack.

The ransomware group took advantage of a compromised password for a virtual private network (VPN) account April 29 to get into the network of the Alpharetta, Ga.-based pipeline giant, said Charles Carmakal, SVP and CTO of FireEye’s Mandiant division. The VPN account was no longer in use at the time of the attack but still provided hackers with access to Colonial’s network, according to Carmakal.

Carmakal and Colonial Pipeline CEO Joseph Blount spoke with Bloomberg Friday afternoon, and their comments were subsequently confirmed to CRN by spokespeople for FireEye and Colonial. The ransomware attack prompted Colonial to shut down its 5,500-mile natural gas pipeline for five days, resulting in more than 10,000 gas stations across the Southeastern United States being out of fuel.

The password for Colonial’s compromised VPN account has since been discovered inside a batch of leaked passwords on the dark web, according to Carmakal. That means a Colonial employee might have used the same password on another account that was previously hacked, Carmakal said.

The VPN account in question didn’t use multifactor authentication, Carmakal said, meaning the Darkside hackers needed only a compromised username and password to breach the company’s network. It’s not known how the hackers obtained the correct username for the account, or whether they managed to determine it on their own, Carmakal said. The compromised VPN account has since been deactivated, Carmakal said.

“We did a pretty extensive search of the environment to try and determine how they actually got those credentials,” Carmakal told Bloomberg. “We don’t see any evidence of phishing for the employee whose credentials were used. We have not seen any other evidence of attacker activity before April 29.”

Shortly before 5 a.m. on May 7, an employee in Colonial’s control room saw a ransom note demanding cryptocurrency, prompting a shutdown of the pipeline that 45 percent of the East Coast relies on for fuel supplies, Blount said. He is slated to testify next week before the Homeland Security Committees for the U.S. Senate and House of Representatives, while Carmakal will testify in front of the House’s committee.

Many of the questions are likely to center around Colonial’s controversial decision to pay Darkside a $4.4 million ransom in Bitcoin to receive a decryption tool. “Our job and our duty is to the American public,” Blount told NPR. “And if owning that de-encryption tool gets you there quicker, then it’s the decision that had to be made … It was the right decision to make for the country.”

After learning of the compromise, Colonial promptly brought in Mandiant to investigate how far hackers had probed and install new detection tools that would alert the company to any follow-up attacks, Carmakal said. Investigators haven’t found any evidence the Darkside affiliate tried to regain access, according to Carmakal.

Mandiant also tracked the hackers’ network movements to determine how close Darkside was getting to compromising systems adjacent to the company’s operational technology network, Carmakal said. While the hackers did move around within Colonial’s information technology network, Carmakal said there wasn’t any indication they breached the company’s more critical operational technology systems.

“The last thing we wanted was for a threat actor to have active access to a network where there is any possible risk to a pipeline,” Carmakal told Bloomberg.

Blount said Colonial has hired Black Hills Information Security Owner John Strand and Dragos Founder and CEO Rob Lee to consult on cyber defense and ward off future attacks. “I can confirm that they have retained myself and Dragos Inc. to help them on OT/ICS cybersecurity,” Lee wrote on Twitter. “I don’t have further comments, but will note they are an excellent team and their proactive work is laudable.”