How Did the Colonial Pipeline Get Hacked and Who’s Next?

Legal Assistant Administrative Law, Criminal Law, International Law, Regulatory Law

On April 29, 2021, hackers gained access to the Colonial Pipeline Co. IT network. The security breach, which took down the country’s largest fuel pipeline, caused widespread gas shortages across the East Coast.

The cause: a single compromised password.

How did the Colonial pipeline get hacked, and could it happen again? Here’s everything you need to know.

Who Owns Colonial Pipeline

Before we delve into the facts surrounding the largest publicly disclosed cyber attack on a major US infrastructure, one thing is for certain. If Colonial Pipeline Co. was a publicly-traded company, its stock would have undoubtedly plummeted moments after its shut down.

The Colonial is a privately held firm founded in 1961. It was first established as a joint venture between nine oil companies. Today, the $8 billion firm’s ownership is shared among five companies in five countries that sit on four different continents.

Aside from Shell, the other four companies that own the Colonial are pension funds and privately held companies. The other major oil firms that initially had a stake in the firm pulled out for various reasons and, in some cases, at the demand of regulators.

ExxonMobile (XOM), for instance, sold its stake in 1999 following the merger of Exxon and Mobil. The company opted to retain its shares in Colonial’s competitor – Plantation Pipeline. Colonial repurchased XOM’s shares, distributing them proportionately among the firm’s remaining owners.

Fast-forward to 2002 when Marathon Petroleum Corporation (MPC) and BP each sold their stakes in Colonial to a subsidiary of Koch Industries. The conglomerate, which has significant oil interests, is the largest shareholder of Colonial Pipeline Co., with a 28.1 percent stake.

What Happened to the Colonial Pipeline

When the news of hackers gaining access to the pipeline broke, the question on most people’s minds beyond – who hacked the colonial pipeline – was, how can a pipeline be hacked in the first place?

If you’re like most people, the image that comes to mind when you think of the oil industry is likely greasy black fluids, pipes, and pumps. While this may be true to some extent, the reality is – the modern-day operation of gas pipelines is extremely high-tech and digital.

An intricate network of thermostats, pressure sensors, pumps, and valves all work in harmony to control the flow of gas, jet fuel, and diesel across several hundred miles of piping. The Colonial even has a sophisticated smart “pig” – short for pipeline inspection gauge – a high-tech robot that barrels through its pipes, analyzing them for any anomalies.

At the heart of this state-of-the-art operational technology is a centralized system that controls everything, and anywhere you have a network of connectivity controlled by computers means there’s always the risk of a cyber attack.

Why Did the Colonial Pipeline Shut Down

The cyberattack against Colonial Pipeline targeted the company’s IT systems. The operational infrastructure the company uses to transport oil was not directly compromised during the breach.

A hacker group that identified themselves as DarkSide gained access to the company’s network and stole approximately 100 gigabytes of data within a two-hour duration. The hackers then proceeded to infect the company’s IT network with ransomware that affected several of the firm’s systems, including accounting and billing.

To curb the spread of the malware, Colonial shut down the pipeline for several days. Investigations following the incident reveal that the cybercriminals gained access to the company’s system through a Virtual Private Network (VPN) account that allowed employees to remotely access the firm’s network.

According to cybersecurity experts, although the account in question was no longer in use at the time of the attack, the login credentials could still be used to access Colonial’s system. The VPN password was later discovered on the dark web among a batch of previously leaked access credentials.

It is entirely likely that the Colonial employee in question may have used the same password on another account that had previously been hacked. Hackers then used it to gain entry into the pipeline’s IT network.

Further investigations into the incident revealed that the VPN account did not use multifactor authentication. The hackers exploited this loophole to breach the firm’s network. All they had to do was input the employee’s username and password to access Colonial’s systems.

Ransom Demand

On May 7, 2021, a little over a week after the initial breach, an employee in the control room saw a ransom note appear on the computer screen at around 5 a.m. The DarkSide hackers demanded 75 Bitcoin, which was equivalent to about $4.4 million at the time.

Did Colonial Pipeline pay the ransom? Yes, it did.

In a Congressional hearing, Joseph Blount, the Colonial Pipeline CEO, explained the reason behind the company’s decision to yield to the attackers’ demands. According to him, the exact scope of the intrusion was not clear, and it was impossible to determine how long it would take to bring the systems back up again.

Blount made the call to pay the ransom in the hopes that it would speed up recovery time and give them back control of their systems.

As for the 100 gigabytes of stolen data, the Colonial CEO further stated that while the company did have backups, they were not sure whether the data had been compromised or if it was safe to use. The decision to pay for the decryption key was driven in part by this uncertainty.

Threat actors in a ransomware attack usually demand payment in cryptocurrencies like Bitcoin. The reason for this is their (mistaken) belief that government authorities cannot trace it to the recipients, therefore, allowing them to get away with the crime.

The Ransomware and Digital Extortion Task Force of the US Department of Justice were able to uncover the digital address of the crypto wallet the hackers used. Agents of the task force then obtained a court order to seize the crypto assets and were able to recover 64 Bitcoin out of the 75 paid as ransom. Owing to the volatile nature of cryptocurrency, the market value of the 64 Bitcoin recovered was roughly $2.4 million.

What Happens in a Cyber Attack

Stages of a Cyber Attack
Image Source: Unsplash

Cyber attacks take many forms and are often perpetrated in various stages. There are generally two types of cyberattacks.

1. Untargeted Attacks

In an untargeted cyberattack, a hacker indiscriminately targets as many devices, users, or services as possible. They don’t focus on any particular victim. Instead, their mission is to gain access to vulnerable systems using a wide range of different techniques. Some of these include:

  • Phishing – The attacker sends out emails to a large group of people directing them to visit a fake website and prompting them to offer up sensitive information.
  • Ransomware – The hacker disseminates disk encrypting malware that locks users out of the system until they pay a ransom amount for a decryption key.
  • Scanning – Attackers scan devices to gather port, network, or vulnerability information on these systems before launching a sophisticated attack that undermines their security.
  • Water holing – The attacker sets up a fake website or compromises an existing one to exploit site visitors.

2. Targeted Attacks

In targeted cyberattacks, hackers single out a particular organization due to a specific interest they may have in it or if they have been paid to target the business in question. They typically take several months to lay out the groundwork before finally launching an attack. Some of the techniques used to mount a targeted cyberattack on an organization include:

  • Spear phishing – The attacker sends out an email targeting an individual in an organization. The email may contain an attachment with malware or a link that downloads malware to their device, which then infects the company’s network.
  • Botnet deployment – This delivers a Distributed Denial of Service (DDOS) attack.
  • Supply chain subversion – This type of attack targets software or equipment that is being delivered to an organization.

Stages of a Cyber Attack

Regardless of the type of cyberattack a hacker employs, they all consist of the same number of recurring phases. Here’s a brief overview of each.

  • Surveillance – The hacker first investigates and analyzes all the available information about their target to identify exploitable vulnerabilities in the system.
  • Delivery – They then deploy the most suitable technique to exploit the vulnerabilities they uncovered in the surveillance stage.
  • Breach – Once they obtain the usernames and passwords of the system, they test them against VPN connections or web-based email systems. If they had sent malware-laced links or attachments, the attacker tries to access the system remotely.
  • Execute – Once they have total command and control of the target system, they can then carry out their overall objective.

Who’s Next on the List of Targeted Cyber Attacks

A cyber attack on pipeline companies is not new to the energy sector, given the recent attack on Colonial Pipeline to the 2017 NotPetya attack that led to the shutdown of a major part of the Ukrainian power grid.

Cyber attacks don’t just target the energy sector, though. Nearly every area of the global economy has been the subject of a targeted attack. Case in point – the 2020 SolarWinds Cyber Attack.

Russian hackers infiltrated the systems of SolarWinds, a top US Texas-based IT firm. The attack, which went undetected for months, allowed the hackers to spy on the US Treasury Department, Department of Homeland Security, elite cybersecurity firms like FireEye, and several other private companies.

Healthcare cyber attacks are also on the rise. According to a recent article in the Wall Street Journal, the US Department reported that nearly 1 million people every month were affected by data breaches at health care facilities in 2020. Hospitals hacked for ransom 2018 to 2020 cost the healthcare sector hundreds of millions of dollars, with a whopping $203 million reported in 2020 alone.

The prevalence of these security breaches is much higher than the reported cyber attacks on oil and gas companies.

The Cybersecurity and Infrastructure Security Agency Act of 2018

System Security Specialist Working at System Control Center
Image Source: Shutterstock

In November 2018, President Trump signed the Cybersecurity and Infrastructure Security Agency (CISA) Act into law. According to the provisions of the new legislation, the agency was established to protect the country’s critical infrastructure against cyber threats and physical risks alike. CISA also expands the scope of responsibility of the National Protection and Programs Directorate (NPPD) – a critical component of the Department of Homeland Security (DHS).

The cybersecurity law created two main centers within the agency to support its mission:

  • The National Cybersecurity and Communications Integration Center (NCIC)
  • The National Risk Management Center (NRMC)

The NCIC is charged with providing cyber-situational awareness, cyber-defense support, incident response, and analysis to territorial, tribal, local, state, and federal governments.

The NRMC’s role is to plan, analyze, and collaborate with government agencies and private entities in the identification and eradication of the critical risks – cyber and otherwise – to the country’s critical infrastructure.

Cybersecurity Executive Order

In May 2021, President Biden signed an executive order to support and improve upon the existing cybersecurity legislation.

First, it proposes the enhancement of federal government systems to make them safer and harder to break into. One of the many measures it pushes for is the modernization of cybersecurity infrastructure by employing zero trust architecture.

Additionally, the new executive order also sets specific, measurable goals for more agile and effective responses to cyber threats targeting the federal government. IT providers are now required to report all cyber incidents that occur regardless of the degree of severity, without any of the contractual barriers that previously barred them from sharing this information with government entities.

The Future of Cybersecurity

All things considered and assessing how cyber attacks affect individuals, companies, and government agencies with regards to losses, the future of cybersecurity is difficult to predict. The industry is constantly evolving in response to the ever-changing behavior of cybercriminals, and new software is always being developed to counter these threats.

One thing is for certain, though. Artificial Intelligence and machine learning will play an integral role in all cybersecurity systems. Unfortunately, it also means that these systems will give hackers new ways to target organizations.

Cybercrime isn’t a problem that’s likely to go away any time soon.

Do you have any legal questions for us? Chat online with a Laws101 attorney right now.