Dive Brief:
- Colonial Pipeline President and CEO Joseph Blount defended the company's response to the cyberattack, which resulted in the company paying a $4.4 million ransom in Bitcoin and temporarily shut down fuel delivery for most of the East Coast and southern U.S. In testimony before the Senate Homeland Security & Government Affairs Committee, Blount apologized for authorizing the payment and withholding the information from the public, but said it was in the best interest of the country.
- "I made the decision to pay and I made the decision to keep the information about the payment as confidential as possible," he said, citing concerns about operational safety and security. Colonial Pipeline has rebuilt and restored its critical IT systems, but Blount said additional work needs to be done.
- The hackers exploited a legacy virtual private network profile the company no longer used, Blount said. Investigators are still trying to figure out how the attackers got the credentials used to exploit the profile.
Dive Insight:
The attack, which FBI officials attributed to the DarkSide ransomware gang, set off alarm bells across the country about the vulnerability of the nation's critical infrastructure. The Georgia-based company is the largest refined products supplier in the U.S., providing 45% of the fuel supply to the East Coast.
The May 7 attack caused gasoline prices to soar and led panicked car owners to hoard gasoline before numerous stations temporarily shut down after running out of supply.
Security researchers and industrial control system experts say the Colonial Pipeline attack exposed major gaps in the nation's cyber defenses that leave it open to further attacks capable of doing significant damage to national security.
"Threat actors know that critical infrastructure systems are old and vulnerable, and they will leverage the success of the Colonial ransomware attack to up their game and hit more networks with even bigger ransom demands," Sam Curry, CSO at Cybereason said, via email.
During the hearing, Blount said the legacy VPN profile did not offer the protection of multifactor authentication, meaning an attacker who obtained a valid set of user credentials could log in with nothing further to stop them. VPNs have been under attack by nation-state threat actors in recent months, and the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) had issued prior warnings. Cybersecurity Dive reached out to CISA about how those warnings relate to the Colonial VPN breach, but the agency had no further comment at the time of publication.
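The weakness Blount described, a still-enabled legacy profile protected only by a password, is the kind of thing a periodic account audit catches before an attacker does. The following Python is an added example written for this article, not Colonial Pipeline's, Mandiant's or any VPN vendor's tooling: it reads a constructed export of VPN profiles (the column layout, the sample accounts and the 90-day dormancy threshold are all assumptions) and flags enabled profiles that lack MFA, have not been used recently, or no longer map to an active owner, then proposes a remediation for each.

```python
import csv
import io
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample export. The column layout is an assumption for this
# example, not any vendor's real format; the accounts are invented.
SAMPLE_EXPORT = """username,enabled,mfa_enrolled,last_login,owner_active
ops-jdoe,yes,yes,2021-05-06,yes
legacy-vpn-svc,yes,no,2020-11-02,no
contractor-a,yes,no,2021-04-30,yes
stale-vendor,yes,yes,,no
old-admin,no,no,2019-01-15,no
"""

# Policy threshold (assumed): a profile unused for longer than this is dormant.
DORMANT_AFTER = timedelta(days=90)


def _flag(value: str) -> bool:
    """Interpret a yes/no style export column as a boolean."""
    return value.strip().lower() in ("yes", "true", "1")


def _parse_date(value: str) -> Optional[date]:
    """Empty last_login means the profile has never been used."""
    value = value.strip()
    return date.fromisoformat(value) if value else None


def audit_export(export: str, as_of: str) -> Dict[str, List[str]]:
    """Return {username: [issues]} for every enabled profile that violates policy.

    Disabled profiles are skipped: they cannot be used to log in, so they are
    not an exposure. Everything else is checked for the three conditions that
    made the Colonial profile dangerous: no MFA, long unused, and no current
    owner in the directory.
    """
    today = date.fromisoformat(as_of)
    findings: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(export)):
        if not _flag(row["enabled"]):
            continue
        issues: List[str] = []
        if not _flag(row["mfa_enrolled"]):
            issues.append("no-mfa")
        last = _parse_date(row["last_login"])
        if last is None or today - last > DORMANT_AFTER:
            issues.append("dormant")
        if not _flag(row["owner_active"]):
            issues.append("orphaned")
        if issues:
            findings[row["username"]] = issues
    return findings


def remediation(findings: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each finding to an action: dormant or orphaned profiles get
    disabled outright; profiles that are in use but lack MFA get MFA enforced."""
    actions: Dict[str, str] = {}
    for user, issues in findings.items():
        if "dormant" in issues or "orphaned" in issues:
            actions[user] = "disable"
        else:
            actions[user] = "enforce-mfa"
    return actions


if __name__ == "__main__":
    found = audit_export(SAMPLE_EXPORT, "2021-05-07")
    for user, action in remediation(found).items():
        print(f"{user}: {', '.join(found[user])} -> {action}")
```

Run against the sample data as of 2021-05-07, the audit skips `old-admin` (already disabled) and passes `ops-jdoe`, but flags `legacy-vpn-svc` on all three counts, `stale-vendor` as never used and ownerless, and `contractor-a` as active but without MFA. The point of separating the audit from the remediation is that the first two cases should simply be disabled, while the third needs an MFA enrolment rather than a lockout.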
In a nod to the SolarWinds password hygiene controversy, Blount said the password used was not a "Colonial 123" type of password, but a complicated one. SolarWinds faced blowback during Congressional hearings in February when it was disclosed that the company had previously used "solarwinds 123" as a password, which was leaked by an intern.
"The ransom gang targeted Colonial Pipeline simply because they identified obvious vulnerabilities that they could easily exploit," said Anthony Grenga, vice president, cyber operations at IronNet Cybersecurity.
One lesson learned from the attack is that companies do not just bounce back to normal operations immediately after paying a ransom. Colonial Pipeline officials conducted air surveillance and drove more than 29,000 miles to manually inspect its fuel pipeline, which runs from Texas up to New Jersey and has 260 delivery points along the way across 13 states and Washington D.C., according to Blount.
After paying the ransom and getting the decryption keys from the attackers, Blount said the company initially focused on restoring critical systems on the IT side that would allow the company to resume pipeline operations. But this week, Colonial Pipeline was working to restore seven financial systems that have been down since the week of May 7, Blount said.
"The keys are helpful, and we have used the keys, so they have been advantageous to us, but they are not perfect," Blount said.
Mandiant is leading the forensic investigation, but Colonial has also retained Rob Lee, CEO of Dragos, a specialist in industrial cybersecurity, to help with the probe, as well as John Strand, owner of Black Hills Information Security.
Colonial Pipeline and Mandiant have worked very closely with federal authorities in their investigation of the attack. As part of a more aggressive response to ransomware and other malicious cyber activity, the FBI was able to take back more than half of the Colonial Pipeline ransomware payment from DarkSide, federal officials announced this week.
The FBI seized 63.7 Bitcoin, the equivalent of $2.3 million, from the attackers by tracking multiple transfers of funds following a search warrant authorized by a federal magistrate judge in Northern California.
Deputy Attorney General Lisa Monaco said at a Monday press conference that federal authorities were able to recover more than half the ransomware payment through the Department of Justice's Ransomware and Digital Extortion Task Force.