The head of Colonial Pipeline told US senators on Tuesday that hackers who launched last month's cyberattack on the company and disrupted fuel supplies to the southeastern US were able to break into the system by stealing a single password.
Colonial Pipeline Chief Executive Joseph Blount told a US Senate committee that the attack took place through an outdated Virtual Private Network (VPN) system that lacked multi-factor authentication. That means access could be gained with a password alone, without a second step such as a text-message code, a common security measure in more recent software.
“In the case of this particular legacy VPN, it only had single-factor authentication,” Blount said. “It was a complicated password, I want to be clear about that. It was not a Colonial123 password.”
The panel was convened to investigate threats to critical U.S. infrastructure and the Colonial attack, which closed key fuel supply lines from the Gulf Coast refineries to major East Coast markets. Cyber attacks also hit US meat processing plants owned by JBS, demonstrating the breadth of infrastructure facing cyber threats.
The Colonial Pipeline hack showed that much of the company's infrastructure remains highly vulnerable, and the government and businesses need to work harder to prevent future hacks, senators said at the hearing.
Security experts call using a single-factor login system a sign of poor cybersecurity "hygiene." They recommend two-factor authentication, which requires a secondary measure such as a mobile text or hardware token, and most large companies require it for all internal applications.
Senators questioned Blount about the company's preparations and the timeline for responding to the ransomware attack, which shut down the line for days and sparked a spike in gasoline prices, panic buying and local fuel shortages.
"I am alarmed that this breach ever occurred," said Senator Gary Peters, the committee's chairman. "Make no mistake, if we don't step up our cybersecurity preparedness, the consequences will be serious."
Consultation with the government
The FBI attributed the hack to a gang called DarkSide. Some senators suggested that Colonial had not consulted sufficiently with the U.S. government before paying the ransom, as federal guidelines recommend.
Blount said he made the decision to pay the ransom and keep the payment as confidential as possible due to security concerns.
"We understood that it was only up to us to decide whether to pay the ransom," he said.
Blount said Colonial had no plan to prevent a ransomware attack, but did have a contingency plan. The company notified the FBI within hours.
Blount said Colonial has invested more than $200 million in its IT systems over the past five years. When pressed to answer how much Colonial spent to keep its pipeline cyber-secure, Blount reiterated that amount. A company spokesperson later clarified that the $200 million was for IT in general, including cybersecurity.
On Friday, US Deputy Attorney General Lisa Monaco urged companies to tell federal authorities if they paid ransom to cyber attackers, information that could help investigators.
Blount said that even after getting the decryption key from the hackers, the company is still recovering from the attack and bringing back seven financial systems that have been offline since May 7.
On Monday, the Justice Department said it had recovered about $2.3 million in cryptocurrency ransom money paid by Colonial Pipeline.
Colonial Pipeline had previously said it paid the hackers nearly $5 million to regain access. The value of the cryptocurrency bitcoin has fallen below $35,000 in recent weeks, after hitting a high of $63,000 in April.
As a result, although the government recovered about 60 of the 75 bitcoins paid, their value has fallen below the total dollar amount Colonial paid.
Bitcoin seizures are rare, but authorities have stepped up their expertise in tracking the flow of digital money as ransomware has become a growing threat to national security and to relations between the United States and Russia, where many of the gangs are established, adding further pressure.
(Reporting by Stephanie Kelly and Jessica Resnick-Ault; additional reporting by Christopher Bank; editing by Marguerita Choy and David Gregorio)