Colonial Pipeline CEO tells Senate DarkSide hackers breached system using single 'compromised' password - as he defends decision to pay cybercriminals $4million ransom

DarkSide hackers were able to breach Colonial Pipeline's computer system last month using a single compromised password, according to testimony from the company's top executive and revelations from a cybersecurity expert.

Colonial Pipeline CEO Joseph Blount appeared before the Senate Homeland Security Committee on Tuesday to discuss the May 7 ransomware attack that caused widespread fuel shortages and panic buying. 

Blount assured the panel that Colonial, which is the nation's largest pipeline that supplies about half the fuel consumed on the East Coast, 'takes cybersecurity very seriously.' 

Still, he admitted the attack occurred using a legacy Virtual Private Network (VPN) system that did not have multifactor authentication in place, meaning it hinged on a single password.

Colonial Pipeline CEO Joseph Blount on Tuesday appeared before the Senate Homeland Security Committee, revealing that the May 7 cyberattack occurred using a legacy Virtual Private Network (VPN) system that hinged on a single password

Senator Gary Peters (D-MI) (R) speaks with Senator Rob Portman (R-OH) as Joseph Blount, President and Chief Executive Officer, Colonial Pipeline attends a hearing to examine threats to critical infrastructure, focusing on examining the Colonial Pipeline cyberattack

A cybersecurity expert said the password for a VPN account used by the nation's largest fuel pipe had been previously leaked on the dark web, rendering it compromised

[Video: Colonial Pipeline CEO 'deeply sorry' for pipeline cyber hack]

He said the system was protected with a complex password. 'It wasn't just Colonial123,' he said.

The VPN account, which allowed employees to remotely access the company's computer network, was not intended to be in use and has since been shut down, Blount said.  

Charles Carmakal, senior vice president at cybersecurity firm Mandiant, who responded to the cyberattack, said in an interview with Bloomberg last week that the password for the VPN account had been previously leaked on the dark web, rendering it compromised.

Carmakal noted that he was not sure that is how the DarkSide hackers obtained the password.

Security experts say two-factor authentication, which requires a second factor such as a code sent by text message or a hardware token in addition to the password, should be a basic and standard security precaution.

Most major companies require two-factor authentication across all internal applications. A login system that relies on a single factor, security experts say, is generally viewed as a sign of poor cybersecurity 'hygiene.'
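The article's account of the breach points at three account-level weaknesses a defender can inventory: a VPN login with no second factor, an account that was not meant to be in use, and a password already present in a leaked-credential corpus. The audit below is an added example, not code from the article or from Colonial Pipeline; the account records, the breach-corpus hashes and the 90-day dormancy threshold are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


def sha1_hex(password: str) -> str:
    """SHA-1 hex digest, used only to compare against a hashed breach corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a leaked-credential feed. Real feeds are consumed as
# hashes, never as plaintext; the three passwords here are hypothetical.
LEAKED_PASSWORD_HASHES = {sha1_hex(p) for p in ("Colonial123", "Winter2020!", "Passw0rd")}


@dataclass
class VpnAccount:
    username: str
    password_hash: str      # SHA-1 of the password, as captured by the IdP (assumption)
    mfa_enabled: bool       # second factor enforced on this VPN login
    last_login_days: int    # days since the account last authenticated
    legacy_profile: bool    # attached to a retired VPN profile that should be off


def audit_account(acct: VpnAccount, stale_after_days: int = 90) -> list[str]:
    """Return the findings for one VPN account (empty list means no issue)."""
    findings = []
    if not acct.mfa_enabled:
        findings.append("single-factor login: no MFA enforced")
    if acct.password_hash in LEAKED_PASSWORD_HASHES:
        findings.append("password appears in leaked-credential corpus")
    if acct.last_login_days > stale_after_days:
        findings.append(f"dormant account: unused for {acct.last_login_days} days")
    if acct.legacy_profile:
        findings.append("legacy VPN profile still enabled")
    return findings


def audit(accounts: list[VpnAccount]) -> dict[str, list[str]]:
    """Map each username that has findings to its list of findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample inventory: one account mirroring the weaknesses described
# in the article, one account configured the way the experts recommend.
SAMPLE_ACCOUNTS = [
    VpnAccount("contractor-legacy", sha1_hex("Winter2020!"), False, 400, True),
    VpnAccount("ops-engineer", sha1_hex("correct horse battery staple"), True, 2, False),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS).items():
        print(user, "->", "; ".join(findings))
```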

Deputy Attorney General Lisa Monaco announced on Monday the recovery of millions of dollars worth of cryptocurrency from the Colonial Pipeline ransomware attacks in May

In his testimony before the Senate on Tuesday, Blount defended his decision to pay the hackers a ransom totaling about $4.4million, even as federal authorities have discouraged such transactions.

'I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible,' Blount told Senators. 'It was the hardest decision I’ve made in my 39 years in the energy industry, and I know how critical our pipeline is to the country — and I put the interests of the country first.'

Asked how much worse it would have been if the company hadn’t paid to get its data back, Blount said, 'That’s an unknown we probably don’t want to know. And it may be an unknown we probably don’t want to play out in a public forum.'

Blount’s testimony, his first since the May 7 cyberattack that led the pipeline to halt operations, underscored the dilemma facing both the private industry and the federal government as ransomware attacks have proliferated in scale and sophistication.  

US authorities have cautioned against payments for fear of encouraging additional attacks, but Blount’s remarks made clear the enormous economic consequences if ransoms aren’t paid and critical infrastructure is shut down.

In this case, the Justice Department announced on Monday it has been able to recover most of the ransom after seizing a virtual bitcoin wallet used to hide the proceeds.

Though officials said they may be able to achieve similar success in future ransomware attacks, that is hardly guaranteed.

Blount said the Georgia-based company began negotiating with the hackers on the evening of the May 7 attack and paid a ransom of 75 bitcoin — then valued at roughly $4.4million — the following day. The hack prompted the company to suspend operations before the ransomware could spread to its operating systems.

[Video: Colonial Pipeline CEO tells Senate cyber defenses were compromised]

A sign is seen as Exxon station is out of gas on May 15 after a cyberattack crippled the biggest fuel pipeline in the country

The cyberattack caused panic buying in several states on the East Coast that were affected by the shutdown of the nation's largest fuel pipeline

Though the FBI has historically discouraged ransomware payments for fear of encouraging cyberattacks, Colonial officials have said they saw the transaction as necessary to resume the vital fuel transport business as rapidly as possible.

'It was our understanding that the decision was solely ours to make about whether to pay the ransom,' Blount said. 

The encryption tool the hackers provided the company in exchange for the payment helped 'to some degree' but was not perfect, with Colonial still in the process of fully restoring its systems, Blount said.

'If you start to look at the fact that it took us from Friday all the way to Wednesday afternoon the following (to resume operations), and we already started to see pandemonium going on in the markets, people doing unsafe things like filling garbage bags full of gasoline or people fist-fighting in line at the fuel pump, the concern would be what would happen if it had stretched on beyond that amount of time,' Blount said.

'What would happen at the airports where we supply a lot of jet fuel, let alone what might happen at the gas pump,' he added.

The operation to seize cryptocurrency paid to the Russia-based hacker group is the first of its kind to be undertaken by a specialized ransomware task force created by the Biden administration Justice Department. 

It reflects a rare victory in the fight against ransomware as US officials scramble to confront a rapidly accelerating threat targeting critical industries around the world.

'By going after the entire ecosystem that fuels ransomware and digital extortion attacks — including criminal proceeds in the form of digital currency — we will continue to use all of our resources to increase the cost and consequences of ransomware and other cyber-based attacks,' Deputy Attorney General Lisa Monaco said Monday in announcing the operation.

The Bitcoin amount seized — 63.7, currently valued at $2.3million after the price of Bitcoin tumbled — amounted to 85 per cent of the total ransom paid, which is the exact amount that the cryptocurrency-tracking firm Elliptic says it believes was the take of the affiliate who carried out the attack.

The ransomware software provider, DarkSide, would have gotten the other 15 per cent.

'The extortionists will never see this money,' said Stephanie Hinds, the acting U.S. attorney for the Northern District of California, where a judge earlier Monday authorized the seizure warrant.

Ransomware attacks — in which hackers encrypt a victim organization’s data and demand a hefty sum for returning the information — have flourished across the globe. Last year was the costliest on record for such attacks. Hackers have targeted vital industries, as well as hospitals and police departments.

Weeks after the Colonial Pipeline attack, a ransomware attack attributed to REvil, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months, disrupted production at Brazil’s JBS SA, the world’s largest meat processing company.

The ransomware business has evolved into a highly compartmentalized racket, with labor divided among the provider of the software that locks data, ransom negotiators, hackers who break into targeted networks, hackers skilled at moving undetected through those systems and exfiltrating sensitive data — and even call centers in India employed to threaten people whose data was stolen to pressure for extortion payments.

Reviewed by Your Destination on June 09, 2021