Major U.S. pipeline system shut down after cyber attack

Discussion in 'other security issues & news' started by hawki, May 8, 2021.

  1. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Colonial Pipeline's management structure should be disbanded and the direct management handed over to the appropriate federal agencies. The personnel involved should be fired and their pensions and perks taken away.

    Such bumbling, possibly criminal ineptitude and evasiveness--yet another high-profile ransomware attack somewhere else in the US in the coming days seems almost inevitable.

    Good.
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Colonial hack exposed government’s light-touch oversight of pipeline cybersecurity

    Three times over the last year, Colonial Pipeline and the Transportation Security Administration discussed scheduling a voluntary, in-depth cybersecurity review — an assessment the federal agency began doing in late 2018 to strengthen the digital defenses of oil and natural gas pipeline companies, according to a company official and an industry official familiar with the matter.

    But no such review of Colonial’s systems has occurred, according to a Colonial spokesman. And the pipeline company has previously told federal officials it wants to first complete a headquarters move to a new building — probably in November — though the spokesman, Kevin Feeney, said on Friday that it may allow a review sooner...

    But a range of current and former officials and cybersecurity experts say the company’s ability to avoid a government review underscores how a voluntary, arms-length approach by federal officials over nearly two decades has left key elements of the nation’s critical infrastructure at risk...

    ...a review of the TSA’s history since it was handed oversight of pipeline security in 2001 shows a government culture of closely partnering with energy giants and industry trade groups in setting guidelines that were voluntary. No penalty resulted for a failure to obey them..."

    https://www.washingtonpost.com/business/2021/05/30/colonial-pipeline-tsa-regulation/
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "Hackers breached Colonial Pipeline using compromised password

    The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack.

    Hackers gained entry into the networks of Colonial Pipeline Co. on April 29 through a virtual private network account, which allowed employees to remotely access the company’s computer network...

    The VPN account, which has since been deactivated, didn’t use multifactor authentication..."

    https://www.bnnbloomberg.ca/hackers-breached-colonial-pipeline-using-compromised-password-1.1612851
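
The initial-access vector reported above (a legacy VPN account, a reused password, no second factor) is one that a detection engineer can audit for directly. The following is an added example, not code from the article or from Colonial's environment: it parses a constructed, hypothetical key=value VPN authentication log and flags (a) successful logins that completed with no second factor and (b) successful logins on accounts that had been dormant for more than 90 days, the two properties the reported VPN account would have had. The log format, account names and last-used timestamps are all assumptions made for the example.

```python
"""Audit VPN auth events for single-factor and dormant-account logins.

Added example; the log format below is hypothetical. Adapt parse_line()
to your VPN concentrator's or IdP's real export format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format), not real data.
SAMPLE_LOG = """\
2021-04-29T13:02:11Z user=j.doe result=success mfa=totp src=198.51.100.20
2021-04-29T13:05:47Z user=legacy.svc result=success mfa=none src=203.0.113.9
2021-04-29T13:06:02Z user=a.lee result=failure mfa=none src=203.0.113.9
2021-04-29T13:06:05Z user=a.lee result=failure mfa=none src=203.0.113.9
2021-04-29T13:06:09Z user=a.lee result=success mfa=push src=203.0.113.9
"""

# Constructed "last successful use" timestamps, as an IdP export might
# provide them. Hypothetical values chosen to make legacy.svc dormant.
LAST_USED = {
    "j.doe": "2021-04-28T09:00:00Z",
    "a.lee": "2021-04-27T17:30:00Z",
    "legacy.svc": "2020-11-02T08:15:00Z",
}

DORMANT_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    success: bool
    mfa: str   # second-factor method, or "none"
    src: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line: str) -> AuthEvent:
    """Parse one '<ts> key=value ...' line of the hypothetical format."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(
        ts=parse_ts(ts_str),
        user=kv["user"],
        success=kv["result"] == "success",
        mfa=kv.get("mfa", "none"),
        src=kv["src"],
    )


def parse_log(text: str) -> list[AuthEvent]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_single_factor_logins(events: list[AuthEvent]) -> list[AuthEvent]:
    """Successful logins that completed without any second factor."""
    return [e for e in events if e.success and e.mfa == "none"]


def find_dormant_account_logins(
    events: list[AuthEvent],
    last_used: dict[str, str],
    dormant_after: timedelta = DORMANT_AFTER,
) -> list[AuthEvent]:
    """Successful logins on accounts not used within `dormant_after`.

    An account with no recorded prior use at all is flagged too: an
    orphaned or forgotten account is exactly what this check is for.
    """
    flagged = []
    for e in events:
        if not e.success:
            continue
        prev = last_used.get(e.user)
        if prev is None or e.ts - parse_ts(prev) > dormant_after:
            flagged.append(e)
    return flagged


def audit(log_text: str, last_used: dict[str, str]) -> dict[str, list[str]]:
    """Run both checks and return affected usernames per finding type."""
    events = parse_log(log_text)
    return {
        "single_factor": [e.user for e in find_single_factor_logins(events)],
        "dormant_account": [
            e.user for e in find_dormant_account_logins(events, last_used)
        ],
    }


if __name__ == "__main__":
    for kind, users in audit(SAMPLE_LOG, LAST_USED).items():
        print(f"{kind}: {', '.join(users) or 'none'}")
```

Both checks flag the same constructed account, which is the point: an account that is both single-factor and dormant should be disabled, not merely watched. In a real deployment the dormancy table would come from the identity provider, and the single-factor check belongs in policy (deny the login) as well as in detection.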
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "US recovers millions in cryptocurrency paid to Colonial Pipeline ransomware hackers

    US investigators have recovered millions of dollars in cryptocurrency paid in ransom to hackers whose attack prompted the shutdown of the key East Coast pipeline last month, according to people briefed on the matter.

    The Justice Department on Monday is expected to announce details of the operation led by the FBI with the cooperation of the Colonial Pipeline operator, the people briefed on the matter said..."

    https://us.cnn.com/2021/06/07/politics/colonial-pipeline-ransomware-recovered/index.html
     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    WATCH LIVE: Department of Justice officials discuss Colonial Pipeline ransomware attack (Starting soon)

    https://www.c-span.org/video/?512380-1/justice-department-news-conference&live

    (Video will also be available at above link after the press conference.)
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "...Investigators seized nearly 64 bitcoin, valued at roughly $2.3 million, that were allegedly the proceeds from the ransom hack on Colonial Pipeline, the Justice Department said..."

    [Colonial paid $4.4 mil in ransom]

    https://www.wsj.com/articles/u-s-retrieves-millions-paid-to-colonial-pipeline-hackers-11623094399
     
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "U.S. law enforcement seized almost all of the Bitcoin paid to hackers in the Colonial Pipeline attack, but because the value of Bitcoin crashed so much in past weeks, it now only represents about half what the company originally paid for it"

    https://twitter.com/mims/status/1401990400668094465
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "New cybersecurity order issued for US pipeline operators...

    In a statement, DHS said it would require operators of federally designated critical pipelines to implement 'specific mitigation measures' to prevent ransomware attacks and other cyber intrusions. Operators must also implement contingency plans and conduct what the department calls a 'cybersecurity architecture design review.'...

    DHS did not immediately release further details about the guidance..."

    https://www.theolympian.com/entertainment/celebrities/article252895358.html#storylink=mainstage
     
  11. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/

    Excerpt:

    Encryption algorithms found in a decryptor show that the notorious DarkSide ransomware gang has rebranded as a new BlackMatter ransomware operation and is actively performing attacks on corporate entities.

    After conducting an attack on Colonial Pipeline, the US's largest fuel pipeline, and causing fuel shortages in the southeast of the USA, the DarkSide ransomware group faced increased scrutiny by international law enforcement and the US government.

    In May, the DarkSide ransomware operation suddenly shut down after losing access to their servers and cryptocurrency was seized by an unknown third-party.

    It was later learned that the FBI recovered 63.7 Bitcoins of the approximately 75 Bitcoin ($4 million) ransom payment made by Colonial Pipeline.

    Edit to add:

    https://twitter.com/fwosar/status/1421504819890634754
    ...
     
    Last edited: Jul 31, 2021
  12. guest

    guest Guest

    Colonial Pipeline reports data breach after May ransomware attack
    August 16, 2021
    https://www.bleepingcomputer.com/ne...orts-data-breach-after-may-ransomware-attack/
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Seems whatever transpired behind the scenes after the ransomware hit is working pretty well.

    A compelling lull: additional similar hits have gone silent. Looks like in-house local breaches have taken their place for a while.
     