The recently hacked pipeline operator Colonial comments on the actions of the ransomware group Darkside. The pipeline operator Colonial was compromised using stolen credentials. According to a Bloomberg report, the attacker group gained access to Colonial's internal network on April 29, 2021. To do so, they used a VPN account of the kind that lets employees reach Colonial's network remotely.
The account was no longer in use at the time of the attack but was still active, Charles Carmakal, senior vice president at security firm Mandiant (then part of FireEye), told Bloomberg. The VPN password has since been found in a collection of leaked passwords on the dark web.
However, it is unclear whether the attacker group got the password this way, said Carmakal. In addition, it is unknown how the attackers got the correct username. “We did a pretty thorough search to find out how they got those credentials,” said Carmakal.
“We see no evidence of phishing on the employee whose credentials were used. We also saw no other evidence of attacker activity prior to April 29th.”
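The reporting above describes two conditions an identity team can audit for directly: an account that is still enabled although nobody uses it, and a password that appears in a leaked-password collection. The following is an added example written for this page; it is not code from the article, from Colonial or from Mandiant. The account records, the leak-corpus lines and their counts are constructed sample data, and the 90-day idle threshold is an assumed policy value. The password check uses the same 5-character SHA-1 prefix split that the HIBP Pwned Passwords range API uses, so only the prefix would ever leave the client.

```python
"""Added example (not from the article): flag enabled-but-dormant VPN accounts
and check a password against a leaked-password corpus using the 5-char-prefix
(k-anonymity) split that the HIBP Pwned Passwords range API uses.
All account records, corpus lines and counts below are constructed sample data."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class VpnAccount:
    username: str
    enabled: bool
    last_login: date | None  # None: the account has never authenticated


def find_dormant_enabled(accounts: list[VpnAccount], today: date,
                         max_idle_days: int = 90) -> list[str]:
    """Return usernames that are still enabled but have not logged in within
    max_idle_days (assumed policy value). These should be disabled or reviewed."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        a.username for a in accounts
        if a.enabled and (a.last_login is None or a.last_login < cutoff)
    )


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form leaked-password corpora such as the HIBP
    Pwned Passwords dump are distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus_lines: list[str]) -> dict[str, dict[str, int]]:
    """Index 'SHA1:count' lines by the first five hex characters of the hash,
    which is how the range API partitions its data (prefix -> suffix -> count)."""
    index: dict[str, dict[str, int]] = {}
    for line in corpus_lines:
        digest, _, count = line.strip().partition(":")
        digest = digest.upper()
        index.setdefault(digest[:5], {})[digest[5:]] = int(count)
    return index


def leaked_count(password: str, range_index: dict[str, dict[str, int]]) -> int:
    """k-anonymity check: only the 5-char prefix would be sent to a lookup
    service; the suffix is matched locally against the returned range.
    Run this when the plaintext is available (password set or login), since
    a directory stores only salted hashes. Returns 0 if not in the corpus."""
    digest = sha1_hex(password)
    range_for_prefix = range_index.get(digest[:5], {})  # what the server returns
    return range_for_prefix.get(digest[5:], 0)


# Constructed sample data (hypothetical users and passwords, invented counts).
SAMPLE_ACCOUNTS = [
    VpnAccount("alice", enabled=True, last_login=date(2021, 4, 28)),
    VpnAccount("bob", enabled=True, last_login=date(2020, 11, 15)),
    VpnAccount("carol", enabled=False, last_login=date(2020, 6, 1)),
    VpnAccount("dave", enabled=True, last_login=None),
]
SAMPLE_CORPUS = [
    f"{sha1_hex('Spring2021!')}:1204",
    f"{sha1_hex('password1')}:2437001",
]


def audit(accounts=SAMPLE_ACCOUNTS, corpus=SAMPLE_CORPUS,
          candidate_password="Spring2021!", today=date(2021, 4, 29)):
    """Run both checks on the sample data and return the findings."""
    return {
        "dormant_enabled": find_dormant_enabled(accounts, today),
        "candidate_password_leaked_count":
            leaked_count(candidate_password, build_range_index(corpus)),
    }


if __name__ == "__main__":
    print(audit())
```

Disabling the dormant accounts the first check reports is the cheaper control: it removes the credential entirely, regardless of where an attacker might have obtained the password. The second check only helps at the moment a plaintext password is set or presented, which is why it belongs in the password-change and login path rather than in an offline directory scan.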
Colonial and Mandiant describe the course of the hack
On May 7, 2021 at 5 a.m., around a week after the initial intrusion, an employee in the Colonial control room saw a ransom note on one of the screens. The employee immediately notified the operations manager, who began shutting down the pipeline, explains Colonial CEO Joseph Blount. Around an hour after the ransom note appeared, the pipeline, and with it the main supply of gasoline, diesel and heating oil for the US East Coast, was shut down for the first time in its 57-year history.
“We had no other choice at the time,” said Blount. “It was absolutely the right thing to do. At that point, we had no idea who was attacking us or what their motives were.” The security company Mandiant then investigated the incident. “The last thing we wanted was for a threat actor to have active access to a network that was potentially at risk to a pipeline. That was the biggest focus until it was turned back on,” said Carmakal.
The investigation found no evidence that the attackers had also gained access to the operational network, the computers that control the flow of fuel through the pipeline. The intruders were, however, able to encrypt computers in other parts of the corporate network and to copy around 100 GB of company data in total, which they threatened to publish.
$4.4 million ransom paid
Despite having backups, Colonial ultimately paid the ransomware group $4.4 million in ransom. The so-called Darkside group apologized for the social consequences of the attack. They wanted to make money, not to cause social problems, the extortionists wrote after panic buying of gasoline broke out at gas stations. It is difficult to gauge what the real motivation behind the apology was.
About a week after the attack became public, Darkside itself reportedly announced that the group had lost access to its Bitcoin funds and its blog infrastructure.
The pipeline resumed operation on May 12, 2021. In the wake of the hack, the US Department of Justice instructed prosecutors to coordinate their handling of ransomware attacks and to give them a priority similar to terrorism cases.