According to a cybersecurity consultant who responded to the attack, the hacking that caused the largest fuel pipeline disruption in the United States and caused shortages across the East Coast was the result of a password leak.

Charles Carmakal, senior vice president of Mandiant, a network security company under FireEye Inc., said that hackers entered the Colonial Pipeline Co. network on April 29 through a virtual private network account that allows employees to remotely access the company’s computer network. In an interview. He said that the account was no longer in use at the time of the attack, but it could still be used to access Colonial’s network.

Since then, the password for the account was discovered in a batch of leaked passwords on the dark web. He said this means that the colony employee may have used the same password on another account that was previously hacked. However, Carmakal said he was not sure how the hacker obtained the password, and he said investigators may never be able to determine how the credentials were obtained.

The VPN account has been disabled and multi-factor authentication is not used. This is a basic network security tool that allows hackers to use only leaked usernames and passwords to disrupt Colonial’s network. It is not clear how the hackers obtained the correct username, or whether they can determine for themselves.

“We conducted a very detailed search of the environment to try to determine how they actually obtained these credentials,” Carmakal said. “For employees who used credentials, we did not see any evidence of phishing. Before April 29, we had not seen any evidence of other attackers’ activities.”

Soon after the hacking, Colonial paid a ransom of US$4.4 million to the hacker, an affiliate of DarkSide, a cybercriminal organization associated with Russia [File: Samuel Corum/Bloomberg]

Ransom record

More than a week later, on May 7, an employee in the Colonial control room saw a ransom note demanding cryptocurrency appear on the computer before 5 AM. The employee notified an operations supervisor, who immediately started shutting down The pipeline process, Colonial CEO Joseph Blount (Joseph Blount) said in an interview. Blunt said that by 6:10 in the morning, the entire pipeline had been closed.

Blount said this is the first time Colonial has closed its entire gasoline pipeline system in its 57-year history. “At the time we had no choice,” he said. “This is definitely the right approach. At the time, we didn’t know who was attacking us or what their motives were.”

Colonial Pipeline asked Carmakal and Blount to be interviewed before Blount testified before a congressional committee next week. He is expected to provide more details about the scope of the compromise and resolve the company’s decision to pay the attacker.

It didn’t take long for the news of Colonial’s closure to spread. The company’s system transports approximately 2.5 million barrels of fuel daily from the Gulf Coast to the East Coast. The power outage has caused long queues at gas stations, many of which have been used up, and fuel prices have risen. Colonial resumed service on May 12.

Soon after the attack, Colonial began a thorough inspection of the pipeline, tracking 29,000 miles on the ground and in the air, looking for visible damage. The company finally determined that the pipeline was not damaged.

Scan the net

At the same time, Carmakal said, Mandiant is scanning the network to understand how far the hackers have probed when installing new detection tools, which will alert Colonial of any subsequent attacks — which is not uncommon after severe damage. Investigators found no evidence that the same group of hackers tried to regain access.

“The last thing we want is to allow threat actors to actively access the network, where there are any possible risks in the pipeline. This is the biggest concern before restarting,” Carmakal said.

Mandiant also tracked the hackers’ activities on the network to determine how close they were to the systems adjacent to the Colonial operating technology network (the computer system that controls the actual flow of gasoline). He said that although hackers do move around the company’s information technology network, there is no indication that they can disrupt more critical operating technology systems.

Blunt said that only after Mandiant and Colonial were able to finally determine that the attack was under control would they consider reopening their channels.

Soon after the hacking, Colonial paid a ransom of US$4.4 million to the hacker, an affiliate of DarkSide, a cybercriminal organization associated with Russia. According to a report by Bloomberg News last month, hackers also stole nearly 100 GB of data from the Colonial Pipeline and threatened to leak it if they did not pay the ransom.

Colonial hired Rob Lee, founder and CEO of Dragos Inc., a cyber security company focused on industrial control systems, and John Strand, owner and security analyst of Black Hills Information Security, to advise on its cyber defense and focus on defending the future s attack.

After his company was attacked, Blunt said he hoped that the US government would hunt down hackers who found a safe haven in Russia. “Ultimately, the government needs to pay attention to the participants themselves. As a private company, we do not have the political ability to shut down the host country with these bad actors.”