The complex made simple

Want to Know How the Largest Fuel Pipeline in the USA was Hacked?

It must have been something complex and taken a lot of hard work to get access into that kind of infrastructure, right?

Wrong!

Turns out that the hackers had access to the password for a VPN account which allowed them access to key sections within the company.

US Website Bloomberg.com reported that on April 29th hackers were able to get access to the networks of Colonial Pipeline company through a VPN (What’s a VPN? – Check out our jargon buster below) account.

The VPN solution was set up to allow employees to access systems and data remotely. It transpires that the account was active but no longer being used. It still had access assigned to it, and once the hackers logged in with the details, they had access to every area within the business that had been granted to this account.

Image by Dan Nelson

So how did the hackers get the password?

The password for the VPN account was discovered to have been leaked as part of a batch of passwords that appeared on the Dark web.

The likelihood here is that an employee of Colonial may have used the same password on another account that was previously hacked.

It remains unclear exactly how the hackers got hold of the password. The team of skilled investigators said they may never know the finer details of how the password was obtained.

Here are the details that have come to light about the VPN account:

  • It didn’t use 2FA – 2 factor / multifactor authentication (What is 2FA? – check out our jargon buster below)
  • The hackers then used basic cybersecurity tools to move through the network using the compromised user’s details

“We did a pretty exhaustive search of the environment to try and determine how they actually got those credentials,” Carmakal said. “We don’t see any evidence of phishing for the employee whose credentials were used. We have not seen any other evidence of attacker activity before April 29.”

The above statement was made by the investigators about the hack.

How did they know there was a problem?

A week later on May 7th an employee of the pipeline saw a ransom note appear on a computer in the control room just before 5am. That employee then notified the operations supervisor who began the process of shutting down the pipeline.

Overview of interesting facts here

  • First time that Colonial has had to shut down its entire gasoline pipeline system in its 57-year history
  • At the time of the shutdown they were unaware who or what was behind the attack
  • They were also unaware of the motives for the attack
  • This hack forced the pipeline, which covers 5,500 miles, to be shut for 5 days. This led to a temporary fuel shortage along the East Coast of the USA

Valuable take home advice for businesses here

  • Follow a cyber security framework like Cyber Essentials & Essentials+ as a starting point.
  • Remove accounts that are not in use. If this is not possible, then remove their access and set them to “disabled”.
  • Don’t use blanket accounts – ensure that each account is for a person or a dedicated purpose. Document and track these accounts.
  • Track who is using accounts that are not linked directly to a person. Document and manage this process.
  • Setup 2FA on accounts.
  • Don’t use the same password more than once.
  • Change the passwords regularly.
  • How long can your business be without its data?
  • Do you have a BC/DR plan? (What is BC/DR? – check out our jargon buster below)
  • Have you tested it?
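The first few points above amount to a regular access review: find accounts that are still enabled but unused, that have no 2FA, or that nobody owns, exactly the combination the Colonial VPN account had. This is an added example of such a review, not code from the original post; the account records, the 90-day dormancy threshold and the review date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class Account:
    """One row of an access-review export (constructed format, assumed)."""
    name: str
    owner: Optional[str]      # None = shared/blanket account with no named owner
    enabled: bool
    mfa_enabled: bool
    last_login: Optional[date]  # None = never logged in

DORMANT_AFTER = timedelta(days=90)  # assumed threshold for "not in use"

def review_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {account_name: [findings]} for every enabled account needing action."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing further to do
        issues = []
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            issues.append("dormant: disable or remove")
        if not acct.mfa_enabled:
            issues.append("no 2FA: enforce multifactor authentication")
        if acct.owner is None:
            issues.append("no named owner: document who uses this account")
        if issues:
            findings[acct.name] = issues
    return findings

# Constructed sample records, not real Colonial Pipeline data.
SAMPLE = [
    Account("vpn-contractor", None, True, False, date(2021, 1, 5)),
    Account("jsmith", "J. Smith", True, True, date(2021, 4, 28)),
    Account("old-support", "Support team", True, True, None),
    Account("retired-svc", None, False, False, date(2019, 3, 1)),
]

def sample_findings() -> Dict[str, List[str]]:
    """Run the review over the constructed sample as of 29 April 2021."""
    return review_accounts(SAMPLE, date(2021, 4, 29))

if __name__ == "__main__":
    for name, issues in sample_findings().items():
        print(f"{name}: " + "; ".join(issues))
```

The enabled-but-unused account with no 2FA and no owner is flagged on all three counts; the disabled one is skipped.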

Don’t despair

All this can seem overwhelming, so let us help you.

18iT can work with you to protect what is important to you. We listen to your business needs and then take action to mitigate the risks and threats, giving you visibility and peace of mind through a unique blend of process, policy, software and training around culture.

Get in touch today: email info@18it.uk or call me on 0117 3258418. We are here to help protect you and your clients’ and suppliers’ data.

Paul Croker of 18iT - Here to listen to your business

Jargon Buster

What is a VPN?

A virtual private network (or VPN) is a secure connection between your device and another computer over the internet.

VPN services are useful for securely accessing your work computer systems while you are away from the office.

But they are also commonly used to circumvent government censorship, or location blocking on movie streaming websites.

What is the Dark web?

The Dark Web is the part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable.

What is 2FA / Multifactor authentication?

Two-factor authentication (often shortened to 2FA) provides a way of ‘double checking’ that you really are the person you are claiming to be when you’re using online services, such as banking, email or social media. It is available on most of the major online services.

When setting up 2FA, the service will ask you to provide a ‘second factor’, which is something that you (and only you) can access. This could be a code that’s sent to you by text message, or that’s created by an app.

What is BC/DR?

Business Continuity (BC) and Disaster Recovery (DR) planning is a practice that prepares us to minimise the effects of significant service-impacting events.

BC/DR is divided into two different phases/components:

  1. Business Continuity (BC): BC focuses on the business operations side of BC/DR. It involves designing and creating policies and procedures that ensure that essential business functions and processes are available during and after a disaster. BC can include the replacement of staff, service availability issues, business impact analysis, and change management.
  2. Disaster Recovery (DR): DR is primarily focused on the IT side of BC/DR. It defines how an organization’s IT department will recover from a natural or manmade disaster. The processes within this phase can include server and network restoration, copying backup data, and provisioning backup systems.