According to a cybersecurity specialist who responded to the attack, the hack that brought down the country’s major fuel pipeline and caused shortages across the East Coast was the consequence of a single hacked password.

On April 29, hackers acquired access to Colonial Pipeline Co.’s networks using a virtual private network account that allowed employees to remotely access the company’s computer network, according to Charles Carmakal, senior vice president at cybersecurity firm Mandiant, a subsidiary of FireEye Inc. Although the account was inactive at the time of the attack, he said it could still be used to access Colonial’s network.

The password for the account was later discovered in a batch of hacked credentials on the dark web. This suggests that a Colonial employee may have used the same password on another compromised account, he said. Carmakal, however, stated that he is not confident that is how hackers gained the password, and that investigators may never know for certain.

As Gas Pumps Become Unusable, Colonial Pipeline Storage Tanks

Colonial Pipeline Inc. storage tanks in Avenel, New Jersey

Mark Kauzlarich/Bloomberg

The VPN account, which has since been terminated, lacked multifactor authentication, a basic protection measure that would have allowed hackers to enter Colonial’s network with only a compromised username and password. The hackers’ method of obtaining the proper username is unknown, nor is it known if they were able to determine it on their own.

“We conducted a really comprehensive examination of the environment to determine how they obtained those credentials,” Carmakal explained. “There is no evidence of phishing against the employee whose credentials were exploited. We have discovered no additional evidence of attacker activity prior to April 29.”

Note of Ransom

On May 7, just before 5 a.m., an employee in Colonial’s control room noticed a ransom note demanding cryptocurrency on a computer. Colonial Chief Executive Officer Joseph Blount said in an interview that the employee promptly alerted an operations supervisor, who promptly began the process of shutting down the pipeline. By 6:10 a.m., Blount added, the entire pipeline had been shut off.

Blount said it was the first time in Colonial’s 57-year history that the company had shut down the majority of its gasoline pipeline system. “At that moment, we had no choice,” he explained. “It was unquestionably the correct thing of action. We had no idea who was assaulting us or what their motivations were at the time.”

Colonial Pipeline made Carmakal and Blount accessible for an interview in advance of Blount’s Congressional committee appearance next week, during which he is anticipated to reveal additional detail about the scale of the intrusion and discuss the company’s choice to pay the attackers’ ransom.

It was not long before word of Colonial’s closure spread. Daily, the company’s system transfers approximately 2.5 million barrels of petroleum from the Gulf Coast to the East Coast. The interruption resulted in long queues at petrol stations, with many running out of fuel, and increased fuel costs. Colonial reopened its doors on May 12.

Colonial began a comprehensive assessment of the pipeline shortly after the attack, tracking 29,000 kilometers on the ground and in the air to search for visible damage. The company finally decided that there was no harm to the pipeline.

Enormous Network

Meanwhile, Mandiant was scouring the network to determine the extent of the hackers’ probes and installing additional detection systems to alert Colonial to any follow-on assaults — which are not unusual following a significant breach, Carmakal explained. There is no evidence that the same gang of hackers attempted to reclaim access.

“The last thing we wanted was a threat actor to have active access to a network where a pipeline would be at risk. That was the primary focus until it was reactivated,” Carmakal explained.

Mandiant also tracked the hackers’ activities through the network to determine how close they came to compromising systems adjacent to Colonial’s operational technology network — the computer system that controls the actual flow of gasoline. While the hackers did move around within the company’s information technology network, there was no evidence they were able to compromise the company’s more vital operational technology systems, he said.

Mandiant and Colonial discussed reopening their pipeline only after decisively determining that the attack had been confined, according to Blount.

Colonial paid a $4.4 million ransom to the hackers, who were affiliated with a Russia-linked cybercrime outfit known as DarkSide, shortly after the hack. Additionally, Bloomberg News reported last month that the hackers seized roughly 100 gigabytes of data from Colonial Pipeline and threatened to disclose it if the ransom was not paid.

Colonial has retained Rob Lee, founder and CEO of Dragos Inc., a cybersecurity business specializing in industrial control systems, and John Strand, owner and security analyst at Black Hills Information Security, to advise on the company’s cyber defenses and to focus on preventing future assaults.

Blount stated in the aftermath of his company’s attack that he would prefer the US government to pursue hackers who have sought refuge in Russia. “Ultimately, the government’s focus should be on the actors. As a private company, we lack the political clout necessary to shut down host countries shutting these terrible actors.”