June 21, 2021


Compromised Colonial Pipeline password was reused

The VPN password that was compromised in the Colonial Pipeline ransomware attack had been used on another website, according to a Mandiant executive at a House Committee on Homeland Security hearing Tuesday.

The hearing, titled "Cyber Threats in the Pipeline: Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure," was led by Rep. Bennie Thompson (D-Miss.). The session was dedicated to discussing the Colonial Pipeline ransomware attack, which occurred in early May and shut down a 5,500-mile oil pipeline for days, leading to gasoline shortages in parts of the U.S. Members of the committee questioned witnesses Charles Carmakal, senior vice president and CTO at cybersecurity firm Mandiant, and Joseph Blount, CEO at Colonial Pipeline, about how the attack happened, as well as how they cooperated with the U.S. federal government.

Much of the information coming out of the hearing was previously known thanks to a separate Senate hearing Tuesday and a press conference Monday that together contained several significant revelations, including the announcement that the $4.4 million ransom Colonial paid to the ransomware gang DarkSide was partly recovered thanks to an FBI operation. However, a few insights from the hearing added new context to the high-profile attack.

Charles Carmakal, senior vice president and CTO at Mandiant, discusses last month's ransomware attack at Tuesday's House Committee on Homeland Security hearing.

Carmakal said near the beginning of the hearing that the VPN login, which remains the earliest known compromise in the attack, was an employee login that was not believed to still be active. He added that the employee "may have used" the password on another website that had been compromised earlier.

After Thompson asked for clarification, Carmakal said the password "had been used on a different website at some point in time" and was a "relatively complex password in terms of length, special characters and case." It is not currently known how the VPN username was obtained.

Carmakal added that the credentials have been removed and multi-factor authentication has been implemented as part of the recovery. Mandiant was called in on May 7 (the day of the attack) to investigate and respond to the Colonial Pipeline attack.

Two other noteworthy pieces of information concerned the circumstances of the payment and why that payment was made.

Blount told committee vice chairman Rep. Ritchie Torres (D-N.Y.) toward the end of the hearing that the ransom payment was made on Colonial's behalf by a third-party negotiator.

As for why that payment was made, Blount said that although Colonial did have backups and did ultimately use them, the company paid for the decryption key because of the uncertainty surrounding whether the backups had been corrupted, compromised or were safe to use. Colonial and Mandiant did determine that the backups were safe, but the payment was made so the pipeline could get back online as soon as possible.

Alexander Culafi is a writer, journalist and podcaster based in Boston.