One of the largest cybersecurity attacks in recent times, this hack took down the biggest fuel pipeline in the U.S.A which led to shortages on the East Coast. Preliminary police work suggests that the whole operation could take place because of a single compromised password.

The hackers got access to Colonial Pipeline Co.’s internal networks on the 29th of April through a private account. These accounts let the employees of the company have access to the company’s computer network while they are not on site.

Security Lapse

Cyber Security expert and vice president of Mandiant, Charles Carmakal says this was how the hackers gained access to the pipeline’s network. The account that was used was not active for some time but still had all the security clearances.

On further research, it was noted that the password was a part of a batch of passwords that were leaked on the dark web. This means that Colonial’s employees must have used the same password that must have been hacked in the past. This is just a theory as to how the hackers might have got the password. But it is not possible to ascertain how they got it or how the credential was procured by them.

The deactivated VPN account did not use multi-factor authentication, which should be a must in today’s world. This gave the hackers access to breach the network and gain control just through a username and an old password. 

The Ransom Note

Early in the morning on the 7th of May, an employee saw the ransom note which demanded payment in the form of cryptocurrency. The employee informed the operations supervisor who then immediately shut down the pipeline. Joseph Blount, CEO of Colonial told the media that the pipeline had been completely shut down by 6:10 am.

In the 57 years that Colonial Pipeline Co. has existed, this is the first time that they had to shut down their gasoline pipeline system. Their CEO says this was done because they had no choice. They had no idea who was attacking them or what was the reason behind the attack. To minimize the damage they shut off the pipeline itself. 

Mandiant’sCarmakal and Joseph Blunt will be questioned by Congressional committees in a few week’s time. They are expected to provide a detailed account of the incident and what all had to be compromised to save the pipeline. They will also be questioned on the company’s decision to pay off the ransom to their attackers. The USA has a very strict policy on ransoms and this was against what the country suggests. 

That pipeline transports 2.5 million barrels worth of fuel on a daily basis from the Gulf Coast to the East Coast. Due to the pipeline being shut down there were hordes of people trying to fill up their tanks at the gas stations. This also led to the price of fuel being hiked to counteract the fall in supply. Colonial restored the pipeline’s services on the 12th of May.

Finding the Culprit

Mandiant has been working tirelessly since the attack to bring the perpetrators to justice. They have been employing countermeasures to prevent any such incident in the future. 

They also traced the hackers and how far they were able to reach inside the Colonial Pipeline’s infrastructure. Mandiant claims that while the hackers gained access to a lot of stuff, operational technology systems remained unharmed.  

Foreign attack?

Only after Mandiant declared that the attack had been contained did the company resume operations on May 12. Colonial paid the Russia-linked cybercrime group “DarkSide” $4.4 million in ransom. A 100GB of data was also stolen from the company’s database and were threatened that if the ransom is not paid it will be leaked. 

Joseph Blount has urged the Government to go after the hackers as they as a private company do not have the political influence.