Single Password Leak Leads to Colonial Pipeline Breach
The CEO of Colonial Pipeline, Joseph Blount, testified to a Senate committee that hackers had infiltrated the company's network using a single leaked password to gain access to a legacy VPN system. The hack caused a five-day shutdown of the entire pipeline, which led to critical fuel shortages in the Southeast and a $4.4 million payment to the hackers. While pipeline operations resumed, some financial systems were still down weeks later.
Despite a $200m investment over the last five years in upgrading its IT infrastructure, the Virtual Private Network (VPN) that provided outside access to the company's internal network had not been upgraded. With no two-factor authentication in place, the compromised password was all that was needed to gain access. The password was confirmed to have been among a group of stolen passwords found on the dark web, although it is more likely that an employee reused the password on another account that was ultimately stolen. In addition, the VPN account was no longer in use but had not been deactivated.
While many ransomware attacks start with a phishing scheme in which employees unwittingly let hackers in by downloading files or clicking links to malware, this case represents both a failure by the company's IT team to properly protect its network and what is likely evidence of social media's role in a new era of social engineering.
Having been the head of large IT departments, I understand that hardening an organization's systems is typically disruptive to the entire company and can result in a lot of pushback from employees and even management. It can lead to de-prioritization and delay of security projects while you try to find a "good time" to deploy the new system(s). The reality is, however, that a breach will be catastrophic to the company, and delaying any system fortification is just asking for trouble.
Colonial Pipeline Company has $3.1 billion in assets and a net income of $420 million last year alone. Given its role in supporting the infrastructure of the Southeast United States and its wealth, it has a lot to lose. Its failure to replace an aging VPN system, along with monitoring that apparently neither identified the breach nor detected the changes to files, created the perfect storm.
Two-factor authentication uses a conventional password in combination with a single-use token or PIN delivered by text message, email, or a hardware security token. Had it been in place at Colonial, the attacker's inability to supply that second single-use key would have prevented access. Further, the unexpected prompt would likely have tipped off the employee that someone was trying to use his/her account to access the VPN.
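The two failures described above, an unused account left enabled and no second factor, are both things an account-hygiene audit catches before an attacker does. The following is an added example (not code from the article or from Colonial) that runs such an audit over a constructed VPN account inventory; the account names, dates and the 90-day dormancy threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample inventory of the kind a VPN or identity system exports.
# Usernames and timestamps are invented for this illustration.
@dataclass(frozen=True)
class VpnAccount:
    username: str
    mfa_enrolled: bool
    last_login: Optional[datetime]   # None means the account has never logged in
    enabled: bool

SAMPLE_ACCOUNTS = [
    VpnAccount("contractor.old", False, datetime(2020, 11, 3), True),  # dormant, no MFA
    VpnAccount("ops.lead", True, datetime(2021, 5, 28), True),         # healthy
    VpnAccount("legacy.svc", False, None, True),                       # never used, no MFA
    VpnAccount("former.staff", True, datetime(2021, 1, 10), False),    # already disabled
]
SAMPLE_NOW = datetime(2021, 6, 1)  # assumed "today" for the sample run

def audit_vpn_accounts(accounts, now, dormant_after=timedelta(days=90)):
    """Return {username: [findings]} for enabled accounts that are dormant
    (no login within dormant_after) and/or lack a second factor.
    Disabled accounts are skipped: a password can no longer open them."""
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        issues = []
        if not acct.mfa_enrolled:
            issues.append("no-mfa")
        if acct.last_login is None or now - acct.last_login > dormant_after:
            issues.append("dormant")
        if issues:
            findings[acct.username] = issues
    return findings

def remediation_plan(findings):
    """Map each flagged account to one action: dormant accounts are disabled
    outright (a leaked password must not reopen them); accounts that are in
    use but lack MFA get enrolment enforced before their next login."""
    return {user: ("disable" if "dormant" in issues else "enforce-mfa")
            for user, issues in findings.items()}

if __name__ == "__main__":
    found = audit_vpn_accounts(SAMPLE_ACCOUNTS, SAMPLE_NOW)
    for user, action in remediation_plan(found).items():
        print(f"{user}: {found[user]} -> {action}")
```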
I also alluded to a social engineering aspect of this particular breach. The security company that is working with Colonial claims the leaked password did not originate from Colonial. Typically such passwords are part of a larger dataset stolen from another company or website and include enough information about the user to leverage for more sophisticated hacks. Perhaps the employee used his/her Colonial email address on the other (leaked) account. However, consider the free flow of information we willingly participate in through reputable business networking sites such as LinkedIn.
Whereas hackers of old would use social engineering to learn intimate details about their intended victims, and even dumpster dive if need be to retrieve key details, today's cyber villains can combine our leaked or hacked personal information with the vast amount we eagerly share on LinkedIn and Facebook. As more and more information collects on the dark web, profiles are built so that when passwords are exposed, hackers can use every available resource to see which doors those passwords will open.
Therefore, it is imperative that not only the company's IT team, but management in general, be highly proactive on all matters of security. If your organization needs help in this area, I served as Director of IT and Chief Information Security Officer for a $3.5B company and can consult on security strategies and education. For more information, contact us at Traversi Media.