The ransomware attack rocked the United States

According to Carmakal’s testimony, a Colonial Pipeline employee apparently reused a VPN password on another account, which was somehow exposed in a separate data breach. Using the same password for multiple accounts is a mistake many people make.

Also at the hearing, Colonial Pipeline CEO Joseph Blount explained why he decided to pay the ransom. At the time of the attack, he did not know the extent of the infection or how long it would take to restore the system. Therefore, he made the decision in the hope of speeding up recovery time.

The US Department of Justice, after tracing the payment, discovered the digital address of the wallet used by the attacker and obtained a court order to seize the Bitcoin. As a result, the operation recovered 64 of the 75 Bitcoins, worth about 2.4 million USD.

“Legacy” from the Colonial Pipeline attack

For the first time, the United States turned its attention to ransomware, forcing Congress to pass new laws and prompting many federal agencies to introduce new cybersecurity requirements. Ransomware attacks are not new; they had destroyed many governments, medical facilities and schools before Colonial Pipeline became a victim. The difference, however, is in the regional impact, according to Ben Miller, Vice President of services at infrastructure security firm Dragos.

Charles Carmakal – Senior Vice President at security firm Mandiant, the unit that supported the investigation of the Colonial incident – commented: “Later, I learned that there is a certain level of attention when something happens that really impacts people’s lives. When it comes to gas and meat, people will really care.”

Due to the incident at Colonial Pipeline, many airlines were short of fuel, and some airports had to restrict operations. Concerns about gasoline shortages caused people to panic and line up at gas stations in many states. In addition, average prices at pumping stations skyrocketed due to the pipeline shutdown. In some states, people even poured gasoline into plastic bags, forcing the US Consumer Product Safety Commission to issue a warning to use only specialized containers to store gasoline.


The Colonial Pipeline attack forced everyone to take security risks seriously and adopt policies that were once overlooked. According to Mike Hamilton, former Chief Information Security Officer of Seattle, getting the federal government to prioritize critical infrastructure security requirements was previously a difficult task.

Subsequent cases in late 2021 – which targeted meat producer JBS Foods – put further pressure on policymakers, regulators and executives. They were a catalyst for management to reconsider their own ransomware response plans. According to Miller, response planning has become much more detailed.

Even so, regulation and the industry still need to change. Wendi Whitmore, Senior Vice President of Unit 42 threat intelligence at Palo Alto Networks, believes there should be multilateral agreements between countries to suppress ransomware.

(According to Axios, Tech Target)
