Hackers Only Needed a Single Password to Disrupt Colonial Pipeline, CEO Testifies

2021-06-09 05:00:02

The head of Colonial Pipeline told US senators on Tuesday that hackers who launched last month's cyberattack on the company and disrupted fuel supplies to the southeastern US were able to break into the system by stealing a single password.

Colonial Pipeline Chief Executive Joseph Blount told a US Senate committee that the attack took place using an outdated Virtual Private Network (VPN) system that lacked multi-factor authentication. That means that access can be gained via a password without a second step, such as a text message, a common security measure in more recent software.

“In the case of this particular legacy VPN, it only had single-factor authentication,” Blount said. “It was a complicated password, I want to be clear about that. It was not a Colonial123 password.”

Forgotten Password? They may soon be completely lost – with the help of insurers

Passwords are the Achilles' heel of many companies' cybersecurity, with an estimated 80% of breaches tracing directly back to stolen or cracked passwords. Cyber insurers may become the incentive to move beyond them: they are increasingly pushing policyholders to reduce the exposure created by lax protocols, systems and passwords by adopting newer authentication technology.

The panel was convened to investigate threats to critical U.S. infrastructure and the Colonial attack, which shut down key fuel supply lines from Gulf Coast refineries to major East Coast markets. Cyber attacks also hit U.S. meat processing plants owned by JBS, underscoring the breadth of infrastructure exposed to cyber threats.

The Colonial Pipeline hack showed that much of the country's critical infrastructure remains highly vulnerable, and the government and businesses need to work harder to prevent future hacks, senators said at the hearing.

Security experts call reliance on a single-factor login a sign of poor cybersecurity "hygiene." They recommend two-factor authentication, which requires a secondary measure such as a code sent to a mobile phone or a hardware token, and most large companies require it for all internal applications.

Senators questioned Blount about the company's preparations and the timeline for responding to the ransomware attack, which shut down the line for days and sparked a spike in gasoline prices, panic buying and local fuel shortages.

"I am alarmed that this breach ever occurred," said Senator Gary Peters, the committee's chairman. "Make no mistake, if we don't step up our cybersecurity preparedness, the consequences will be serious."

Consultation with the government

The FBI attributed the hack to a gang called DarkSide. Some senators suggested that Colonial had not adequately consulted with the U.S. government before paying the ransom, contrary to federal guidance.

Blount said he made the decision to pay the ransom and keep the payment as confidential as possible due to security concerns.

"We understood that it was only up to us to decide whether to pay the ransom," he said.

Blount said Colonial had no plan to prevent a ransomware attack, but did have a contingency plan. The company notified the FBI within hours.

Blount said Colonial has invested more than $200 million in its IT systems over the past five years. When pressed to answer how much Colonial spent to keep its pipeline cyber-secure, Blount reiterated that amount. A company spokesperson later clarified that the $200 million was for IT in general, including cybersecurity.

Experts call Colonial Pipeline attack a wake-up call, say bigger attacks could happen

"This is every day, every business, every nonprofit, every community," said Catherine Lyle, Coalition's head of claims, in this week's episode of the Insuring Cyber Podcast. "If you're in business, or you use the Internet, or you have security and you use a computer, you're one of them."

Megan North, vice president at Amwins, said cybercriminals are looking for the lowest-hanging fruit. "Even if the company has the absolute best controls, the reality is that their cybersecurity needs to be in place 100% of the time to be fully protected," she said.

On Friday, US Deputy Attorney General Lisa Monaco urged companies to tell federal authorities if they paid ransom to cyber attackers, information that could help investigators.

Blount said that even after getting the key from the hackers, the company is still recovering from the attack and bringing back seven financial systems that have been offline since May 7.

Ransom Recovery

On Monday, the Justice Department said it had recovered about $2.3 million in cryptocurrency ransom money paid by Colonial Pipeline.

Colonial Pipeline had previously said it paid the hackers nearly $5 million to regain access. The value of the cryptocurrency bitcoin has fallen below $35,000 in recent weeks, after hitting a high of $63,000 in April.

The government recovered about 60 of the 75 bitcoins paid, but because the price has fallen, their dollar value is now well below the total Colonial paid.

Bitcoin seizures are rare, but authorities have stepped up their expertise in tracking the flow of digital money as ransomware has become a growing national security threat and has further strained relations between the United States and Russia, where many of the gangs are based.

(Reporting by Stephanie Kelly and Jessica Resnick-Ault; additional reporting by Christopher Bank; editing by Marguerita Choy and David Gregorio)
