Tuebora IAM News

Colonial Pipeline Ransomware and Identity Management

Written by Ronan Mahony | Jun 15, 2021 1:22:00 PM

Analyzing the Colonial Pipeline Cyber Attack from An Identity Management Perspective

 

The cyber attack that hit Colonial Pipeline is one of the most severe instances of ransomware to hit critical American infrastructure in history. Resulting in operational disruption and the payment of a ransom, this incident will be talked about for years. Read on to get an overview of what happened, an identity management perspective on the attack, and some takeaway cybersecurity lessons. 

 

What Happened in the Colonial Pipeline Attack?

The Colonial Pipeline carries diesel, gas, and even jet fuel from Texas to the East Coast. Operating the pipeline is the Colonial Pipeline

targeted the IT system used to manage billing for the pipeline. An employee noted a message on their computer screen demanding a cryptocurrency payment. Within just over an hour, operators shut down the entire pipeline system for the first time in its history as a precaution. 

 

The perpetrators of the attack were a for-profit hacking group from Eastern Europe known as DarkSide. The group stole around 100 gigabytes worth of data and encrypted it. The payment demanded to return the stolen information was 75 bitcoins, which amounted to approximately $5 million at the time of the attack. 

 

The Biden-Harris administration noted the severity of this incident and launched a government response to protect critical energy supply chains. Operations at the pipeline only resumed after an enforced 5-day shutdown that causes fuel shortages and long queues to line up outside gas stations. 

Identity Management Blunders

The Colonial Pipeline attack occurred due to some surprising cybersecurity blunders around identity management. The DarkSide group gained access to the Colonial Pipeline IT environment remotely using a virtual private network (VPN) account. By logging into the account using stolen credentials, the hackers could access the network. 

 

A VPN creates a tunnel between an employee’s device and a network. Employees can use a VPN to retrieve files that were previously shared within a private network. The use of VPNs has become far more widespread with the rapid change to work-from-home arrangements enforced by the Covid pandemic. 

 

While some speculation remains about how the password for the VPN account was compromised, the same password appeared in a batch of stolen passwords from a separate password leak on the dark web. On this “underworld” part of the Internet, cybercriminals often engage in trading stolen credentials for cryptocurrency payments. 

 

From an identity management perspective, two key failures from the Colonial Pipeline incident immediately became obvious:

 

#1. Orphaned account

 

According to a Bloomberg report quoting Charles Carmakal of FireEye, the compromised account was, “no longer in use at the time of the attack but could still be used to access Colonial’s network.”

 

In the world of identity management, user accounts with no valid business owners are termed orphaned or ghost accounts. These accounts carry several security risks, including increasing the attack surface for hackers into a network and offering unfettered access to certain resources on a network. In the worst-case scenario, an orphaned account can have privileged access that enables a hacker to compromise the most sensitive information.

 

#2. No Multifactor Authentication

 

A tenet of modern secure identity management is that users should have to present more than one distinct type of information to gain access to a system. Otherwise known as multifactor authentication, this basic cybersecurity defense mechanism was not in place for the compromised VPN account on the Colonial Pipeline network.

 

If all an attacker needs is a set of username-password credentials to access a system, that system becomes far more susceptible to breaches. While it’s not known how DarkSide found the correct username, it’s not a stretch to assume that they determined it on their own using some simple guesswork.  

 

Such blunders are commonplace in small to medium-sized businesses, but at the scale of critical infrastructure, it’s somewhat disconcerting to see these basic cybersecurity mistakes. 

 

Takeaway Lessons from The Colonial Pipeline Ransomware Attack

 

As with any high-profile cybersecurity attack, there are several takeaway lessons to learn and implement at your own organization, such as: 



 

 

  • Regular Access Reviews—It’s crucial to perform regular reviews of user access privileges to ensure the right people have the right levels of access to IT resources. 
  • Least Privileges—Prudent access management ensures that employees only have the level of access strictly required to carry out their duties. 
  • Never Rely on Passwords Alone—Passwords do not provide sufficient hardening of your security defenses; always use multifactor authentication to protect systems and data.
  • Analytics-Powered Management—In an ideal world, behavioral analytics solutions can find user accounts with unused access and disable that access automatically before an attacker ever gets the chance to find orphaned accounts. 
  • Ransomware Is Not Going Away—As ransomware-as-a-service continues to proliferate on the dark web and successful attacks make media headlines continually, ransomware is not going away as a cybersecurity threat. 

 



 

How Tuebora Can Help

 

Whether you’re running an industrial pipeline or a commercial business, it’s crucial that you properly manage user identities and access to your network and the resources on that network. Tuebora’s IAM platform provides self-service workflows to give you visibility, SSO and MFA capabilities, and account behavioral analytics to proactively suggest accounts that should be deprovisioned based on lack of use.  These are only a few of the many capabilities of Tuebora's microservices covering the entire IAM lifecycle. Using our services platform puts you in control.

 

Contact us today for a demonstration