The hack that shut down the largest fuel pipeline in the United States and caused shortages on the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack.
On April 29, hackers gained access to Colonial Pipeline Co.’s networks through a virtual private network account that allowed employees to reach the company’s computer network remotely, Carmakal, the consultant who responded to the attack, said in an interview. The account was no longer in use at the time of the attack, but it could still be used to access the Colonial network, he said.
The account’s password was later found among a batch of leaked passwords on the dark web. That means the Colonial employee may have used the same password on another account that was previously compromised, he said. However, Carmakal said he was not certain that was how the hackers obtained the password, adding that investigators may never know for sure how they got the credentials.
The VPN account, which has since been deactivated, did not use multifactor authentication, a basic cybersecurity tool, which allowed the hackers to breach Colonial’s network using only a compromised username and password. It is not known how the hackers obtained the correct username or whether they were able to determine it themselves.
“We did a fairly exhaustive search of the environment to try to find out how they actually got those credentials,” Carmakal said. “We don’t see any evidence of phishing for the employee whose credentials were used. Before April 29, we did not see any other evidence of attacker activity.”
A week later, on May 7, an employee in Colonial’s control room saw a ransom note appear on a computer just before 5 a.m., demanding payment. The employee notified a supervisor, who immediately began the process of shutting down the pipeline, Colonial Chief Executive Officer Joseph Blount said in an interview. By 6:10 a.m., the entire pipeline had been shut down, Blount said.
For the first time in its 57-year history, Colonial shut down its entire gasoline pipeline system, Blount said. “We had no alternative at that time,” he said. “At the time, we had no idea who was attacking us or what their motives were.”
Colonial Pipeline made Carmakal and Blount available for interviews ahead of Blount’s testimony before congressional committees next week, where he is expected to provide further details on the scope of the compromise and to address the company’s decision to pay the attackers’ ransom.
News of Colonial’s shutdown spread quickly. The company’s system transports approximately 2.5 million barrels of fuel from the Gulf Coast to the East Coast. The shutdown led to long lines at gas stations, many of which ran out of fuel, and fuel prices rose. Colonial resumed service on May 12.
Immediately after the attack, Colonial began a thorough inspection of the pipeline, covering 29,000 miles by ground and air to look for visible damage. The company ultimately concluded that the pipeline was not damaged.
At the same time, Mandiant was combing through the network to understand how far the hackers had gotten, and it installed new detection tools that would alert Colonial to any further attacks, which are not infrequent after a significant breach, Carmakal said. Investigators found no evidence that the same hacker group tried to regain access.
“The last thing we wanted was for the threat actor to have active access to a network where it was possible to put the pipeline at risk. That was front of mind before we turned it back on,” Carmakal said.
Mandiant also tracked the hackers’ movements to determine how close they got to systems adjacent to Colonial’s operational technology network, the computer systems that monitor the actual flow of gasoline. Although the hackers were moving within the company’s IT network, there was no indication that they were able to disrupt the more critical operational technology systems.
Only after Mandiant and Colonial were finally able to determine that the attack had been contained did they consider restarting the pipeline, Blount said.
Colonial paid a $4.4 million ransom to the hackers, an affiliate of the Russia-linked cybercrime group DarkSide. The hackers also stole nearly 100 gigabytes of data from Colonial Pipeline and threatened to leak it if the ransom was not paid, Bloomberg News reported last month.
Colonial has hired Rob Lee, founder and CEO of Dragos Inc., a cybersecurity company focused on industrial control systems, and John Strand, a security analyst and owner of Black Hills Information Security, to advise on its cyber defenses and to focus on preventing future attacks.
In the wake of the attack on his company, Blount said he would like the U.S. government to crack down on hackers who have found safe haven in Russia. “Ultimately, the government needs to focus on the actors,” he said. “As a private company, we do not have the political capacity to shut down the host countries that harbor these bad actors.”