This is a follow up to a previous Security Advisory. For the initial timeline please visit Colonial Pipeline Timeline of Events.
Since the last Colonial Pipeline Security Advisory, there have been several updates related to the breach. Details were released on how the attackers gained initial access to Colonial’s internal network, the FBI was able to recover much of the bitcoin paid to the ransomware group (Darkside), and the Senate Homeland Security Committee held a hearing on the breach.
In the beginning of June, Bloomberg reported that the initial access gained by DarkSide was through a Virtual Private Network (VPN) account, which is used to gain remote access to private networks. The target account was no longer in use but remained active. The password associated with the account was discovered in a database of leaked passwords that are available on the dark web. Additionally, the VPN account did not utilize multi-factor authentication (MFA), which made gaining access much easier. The breach investigation stated that it is not known exactly how the password and username combination was compromised and likely they will never know. Only a week after the initial access was gained, ransomware was deployed resulting in the catastrophic damage to Colonial Pipeline and their supply chain.
On Monday June 7th, the Department of Justice (DOJ) announced it had successfully recovered 63.7 Bitcoins worth approximately $2.3 million from DarkSide. The FBI was able to discover the address of the virtual wallet used through blockchain’s public ledger. The FBI had the private key, which is like a password, used to access the wallet and seize the bitcoins. The FBI has not stated how they obtained the private key, but this shows that criminals who use bitcoin and other cryptocurrency in their activity are not as immune to law enforcement as once believed.
On June 8th, the Senate Homeland Security Committee held a hearing with the CEO of Colonial Pipeline, Joseph Blount. When discussing paying the ransom Joseph said, “It was one of the toughest decisions I have had to make in my life. At the time, I kept this information close hold [sic] because we were concerned about operational security and minimizing publicity for the threat actor. But I believe that restoring critical infrastructure as quickly as possible, in this situation, was the right thing to do for the country.” The hearing covered Colonial Pipeline’s security readiness and response to the event while putting a bigger spotlight on the gaps in security within the U.S energy infrastructure and country as a whole.
What Can Your Organization Do?
Cybersecurity cannot continue to be a reactive process. Security needs to be a priority from the ground up with infrastructure built around security. Discovering gaps in your organization’s security landscape can be simplified with an nGuard Strategic Security Assessment. Utilizing the Center for Internet Security Controls Version 8, nGuard can help you find ways to create a more mature security organization. If your organization does fall victim to a ransomware attack like Colonial Pipeline, bring in our experts to conduct a Cybersecurity Incident Response.