NetworkTigers examines how the Ukraine Crisis echoes the Colonial Pipeline Hack.
This week one year ago, a single compromised password took down the largest fuel pipeline in the United States. Gas shortages and panic buying followed, and prices spiked. In the aftermath, cybersecurity became a top priority for companies that previously had not taken it seriously. Federal task forces on cybercrime and international cooperation were launched, redirecting hundreds of millions of dollars toward the problem.
Renewed urgency in the field of cybersecurity due to the war in Ukraine
On the one-year anniversary of the Colonial Pipeline hack, the US still faces the same kind of risk. This week, senior experts warned that the danger of foreign actors infiltrating critical infrastructure and holding national interests hostage has risen sharply because of Russia's war on Ukraine. Peter Lund, chief technology officer at Industrial Defender, told The Hill that “the biggest escalator beyond Colonial last year has just been the war in Ukraine and the potential spillover into the U.S. and other developed parts of the world.”
Lund is not the only cyber expert to link the two events in terms of urgency. According to Rep. Yvette Clarke, who chairs the House Homeland Security Committee's cybersecurity subcommittee, “Last year, Colonial Pipeline suffered a ransomware attack from a criminal hacking group, halting pipeline operations and crippling gas supply across the entire East Coast. This highly disruptive cyberattack and the related fuel shortages exposed glaring cybersecurity issues facing the nation.”
What happened with the Colonial Pipeline hack?
On April 29, 2021, attackers used a leaked password to gain access to Colonial Pipeline Co.'s corporate network. On May 7 at 5 am, an employee found a ransom note from the criminal group. By 6 am the company had shut down the pipeline itself, as a precaution, until it could be physically inspected and a safe flow of fuel guaranteed. The pipeline stayed closed until the company was confident that the attackers had not reached the operational technology systems that keep the line safe across multiple states. Colonial Pipeline paid the attackers, who were linked to the Russia-based ransomware group DarkSide, a ransom of $4.4 million.
The Colonial Pipeline hack was one of the most significant intrusions of recent years. The shutdown affected national interests and cut off fuel delivery from the single largest pipeline in the United States. Later analysis showed that the breach came through a legacy VPN account that was no longer in active use but had never been disabled. The attackers needed nothing more than that account's compromised password.
According to the cybersecurity firm Mandiant, which responded to the incident, Colonial Pipeline Co. had set up a VPN (virtual private network) so employees could reach the corporate network remotely. The VPN profile that was breached was no longer in use, but its password had turned up in a batch of leaked credentials for sale on the dark web. That password alone was enough, because the legacy VPN did not require multi-factor authentication.
Analyzing the Colonial Pipeline cybersecurity breakdown
Multi-factor authentication is a standard control on remote-access VPNs. After the password, the user must prove possession of a second factor: in the most basic setup, a numeric or alphanumeric one-time code sent to or generated on a separate device such as a phone or hardware token (or, more weakly, delivered by SMS or email). Because the attacker holding a stolen password does not hold that device, the password alone no longer opens the door. Note that MFA confirms possession of the second factor, not the user's physical location; location and device checks are separate, complementary controls.
The Colonial Pipeline Co. VPN was assessed as exceptionally weak after the breach because of this basic failing, which may be why it had fallen out of active use. But because the account had never been deactivated and the VPN had never been upgraded to require multi-factor authentication, it remained an easy entry point. According to investigators, no evidence of phishing was found at the company before the April 29 intrusion that led to the total shutdown.
As for how the password ended up for sale on the dark web, one theory is that the employee had reused it on another service that was later breached. A password reused across accounts is only as strong as the weakest site that stores it, and credentials leaked from one service are routinely replayed against others. Greater employee outreach and training reduce that kind of error, but the controls that do not depend on user behavior matter more: disabling dormant accounts, requiring MFA everywhere, and rejecting passwords that already appear in known breach data.
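The three weaknesses described above, a legacy VPN account that was never disabled, no MFA on it, and a password already circulating in breach data, are exactly what a periodic account audit should catch. The following Python is an added example written for this page, not code from Colonial Pipeline, Mandiant or any VPN vendor. The account export, the audit date and the breach corpus are constructed, and hibp_range() simulates the Have I Been Pwned "range" endpoint (query by the first five SHA-1 hex characters) from that inline corpus instead of calling the real API.

```python
"""Audit a VPN user directory for the weaknesses behind the Colonial Pipeline
breach: dormant accounts still enabled, accounts without MFA, and passwords
that already appear in a public breach corpus.

Added example for this article, not code from Colonial Pipeline, Mandiant or
any VPN vendor. The account export, the audit date and the breach corpus are
constructed; hibp_range() simulates the Have I Been Pwned "range" endpoint
rather than calling it.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for a VPN appliance's local user export (hypothetical).
# last_login is None for an account that has never authenticated.
VPN_ACCOUNTS = [
    {"user": "alice",       "enabled": True,  "mfa": True,  "last_login": date(2021, 4, 28)},
    {"user": "legacy-ops",  "enabled": True,  "mfa": False, "last_login": date(2020, 9, 3)},
    {"user": "contractor1", "enabled": True,  "mfa": False, "last_login": None},
    {"user": "bob",         "enabled": False, "mfa": False, "last_login": date(2019, 1, 1)},
]

# Audit as of the day the Colonial intrusion began (constructed choice).
AUDIT_DATE = date(2021, 4, 29)

# Constructed stand-in for a breach corpus; the real HIBP set holds hundreds of
# millions of SHA-1 hashes and is never downloaded in full by a client.
LEAKED_PLAINTEXTS = ["password", "Password123", "letmein", "Summer2020!"]


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1, the format HIBP uses for Pwned Passwords."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


BREACH_CORPUS = {sha1_hex(p) for p in LEAKED_PLAINTEXTS}


def hibp_range(prefix: str) -> list[str]:
    """Simulated k-anonymity range query.

    The real endpoint is GET https://api.pwnedpasswords.com/range/<prefix>,
    which returns every 35-char suffix whose hash starts with the 5-char
    prefix. The server never learns the full hash, let alone the password.
    """
    if len(prefix) != 5:
        raise ValueError("HIBP range queries take exactly 5 hex characters")
    return sorted(h[5:] for h in BREACH_CORPUS if h.startswith(prefix))


def is_breached_password(password: str, range_lookup=hibp_range) -> bool:
    """Return True if the password's hash is in the breach corpus.

    Only the first five hex characters leave the client; the match against the
    full suffix happens locally. Run this when a password is set and during
    periodic audits, so a credential leaked from another service is rejected
    before it can be replayed against the VPN.
    """
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str


def audit_accounts(accounts: list[dict], today: date, dormant_days: int = 90) -> list[Finding]:
    """Flag enabled accounts that are dormant or lack MFA.

    A disabled account is skipped: it cannot be used to log in, which is the
    state the Colonial legacy profile should have been in. An enabled account
    with no login for dormant_days (or ever) is the forgotten-profile pattern;
    an enabled account without MFA is one stolen password away from compromise.
    """
    cutoff = today - timedelta(days=dormant_days)
    findings: list[Finding] = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last = acct["last_login"]
        if last is None or last < cutoff:
            findings.append(Finding(acct["user"], "dormant but still enabled; disable or delete"))
        if not acct["mfa"]:
            findings.append(Finding(acct["user"], "no MFA enrolled; enforce a second factor"))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(VPN_ACCOUNTS, AUDIT_DATE):
        print(f"{f.user:12} {f.issue}")
    for candidate in ("Password123", "correct horse battery staple"):
        print(f"{candidate!r}: breached={is_breached_password(candidate)}")
```

Against the constructed export, the audit reports both legacy-ops and contractor1 twice (dormant and no MFA) and ignores bob, whose account is already disabled. The breach check deliberately sends only a five-character hash prefix to the lookup, which is what lets a real deployment use the public HIBP service without disclosing employee passwords or even their full hashes.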
Federal action following Colonial Pipeline hack
In the wake of the Colonial Pipeline hack, President Biden announced government cybersecurity measures that continue to shape how federal agencies and their contractors defend against intrusions by foreign cybercriminals. Through Executive Order 14028 on improving the nation's cybersecurity (May 2021) and a later national security memorandum covering national security, Defense Department and intelligence community systems, the Biden Administration has announced:
- Updated standards and expectations for reporting cyber incidents and data breaches
- A requirement that software developers contracting with the federal government share security and threat data
- Minimum cybersecurity standards for software sold to the federal government
- Use of the False Claims Act, the Department of Justice's main fraud-recovery tool, against contractors that knowingly fall short of, or misrepresent their compliance with, required cybersecurity standards
Looking towards the Ukraine crisis
The government and private businesses, particularly those that are associated with national security concerns, have taken the past year and the Colonial breach as a wakeup call to refocus efforts to strengthen internal cybersecurity. As the crisis in Ukraine continues to unfold, it may have further international consequences, including those in the field of cybersecurity. Especially as Ukrainian cyber resistance efforts span the globe, including the United States, it makes sense to prepare for cooperative cybersecurity efforts to protect national interests. Updating cybersecurity has never been more pressing, nor more topical, than in today’s interconnected world.
Sources
- Colonial Pipeline was cyber wake-up call; Ukraine war is escalator | The Hill
- US officials believe Russia arrested hacker responsible for Colonial Pipeline attack
- Colonial Pipeline Cyber Attack: Hackers Used Compromised Password – Bloomberg
- Ukraine-Russia conflict prompts US firms to step up cyber programs
- FACT SHEET: President Biden Signs National Security Memorandum to Improve the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems | The White House
- DOJ Expands False Claims Act Reach into Cybersecurity | Bass, Berry & Sims PLC – JDSupra
- The Cyber Resistance To Russia’s Ukraine Invasion Is In LA, Too | LAist