The recent ransomware attack that ultimately disrupted gasoline supply in parts of the Southeast last month started with the attackers somehow getting the password to an old VPN account, said the president and CEO of Colonial Pipeline in testimony today to the Senate Committee on Homeland Security and Governmental Affairs.
"In the case of this particular legacy VPN, it only had single-factor authentication," Joe Blount told the committee. "It was a complicated password — I want to be clear on that. It was not a Colonial123-type password."
He confirmed that the VPN was not protected with multifactor authentication and that the company still does not know how the attackers were able to access the account.
"Although the investigation is ongoing, we believe the attacker exploited a legacy virtual private network (VPN) profile that was not intended to be in use. We are still trying to determine how the attackers gained the needed credentials to exploit it. We have worked with our third-party experts to resolve and remediate this issue; we have shut down the legacy VPN profile, and we have implemented additional layers of protection across our enterprise," Blount said in his testimony.
The company first discovered a ransom note on its IT network at 5:00 a.m. Eastern time on May 7, which led to the decision to shut down pipeline operations to isolate the malware from hitting the industrial network, he said.
In a surprising turn of events, the Department of Justice yesterday said it had seized 63.7 bitcoins — valued at $2.3 million — of the total ransom the gas company paid to the so-called DarkSide gang behind the ransomware attack to decrypt the locked IT systems.
Read more here.