Tik Tok: In 60 Seconds, 4 takeaways from the Colonial Pipeline Cyberattack that every company should know

On June 8, 2021, the CEO of the Colonial Pipeline Company, Joseph Blount, testified before the Senate Homeland Security and Governmental Affairs Committee about the ransomware cyberattack suffered by his company last month at the hands of the hacker group, the Dark Side. The attack caused the company to shut down its pipeline, which delivers approximately 45% of the East Coast's fuel supply. A lot of ink has been spilt about the attack already. However, here are four quick takeaways worth additional consideration:

1. MFA is a Basic, but Critical Defense. Complex passwords are not enough. Blount testified that the Dark Side infiltrated Colonial’s network through an old virtual private network (VPN) “that was not intended to be in use.” Blount also testified that a “complicated password” protected the VPN, and that the password “was not a 'colonial123'-type password.” He also admitted that the VPN did not employ MFA, or multi-factor authentication.

Company IT personnel employ VPNs to permit employees to access their corporate networks remotely. MFA is a process in which access to a network is not granted until a secondary proof of authentication is used, typically a token code forwarded to a cell phone or a fob. The security measure tests something the user knows (password) and something the user has (token code on a cell phone). MFA is widely used and easily obtainable, and more and more laws arguably require it. For instance, the New York SHIELD Act requires businesses to implement reasonable security measures, and many organizations characterize MFA as one such measure. The New York Department of Financial Services cybersecurity regulations explicitly require it.

Takeaway: Employ MFA if you have not already done so.

2. Colonial Conducted its OFAC Due Diligence. Last October, the Office of Foreign Assets Control (OFAC) in the U.S. Department of the Treasury issued an advisory warning insurers, incident response firms, and businesses that paying a ransom from a ransomware attack to an organization designated by OFAC on its SDN List may be a violation of federal law, subjecting companies to strict liability. The advisory further warned that companies should have and employ a sanctions compliance program to protect against such unlawful payments.

Blount testified that Colonial Pipeline conducted due diligence and confirmed that the Dark Side was not sanctioned by OFAC when the ransomware payment was made.

Takeaway: Understand and expect that OFAC due diligence is part of the incident response process. If OFAC has designated the threat actor, significant issues are implicated.

3. Threat Actors are Savvy, but Decryption Keys Not Always. Excuse my Borat. Threat actors who launch cyberattacks and exploit network vulnerabilities can be negotiated with, but ultimately, their price demands are based on two factors: (i) what they believe the victim can pay and (ii) what the victim would have to spend to rebuild its network. Even if a company pays a ransom, the decryption key received in return may not be great or even work. Reports are that Colonial used its backup media to rebuild its network even after receiving the decryption key in order to speed up the process because use of the decryption key was too slow.

Blount testified that the decryption key Colonial Pipeline received was “not a perfect tool.”

Takeaway: Ensure that you have robust backup processes in place, including media that is segregated adequately from the network.

4. Consider Involving Authorities Immediately. Blount testified that the company notified federal law enforcement hours after it discovered the attack, and “worked quickly to isolate and contain the hack.” These efforts helped law enforcement to recover a significant amount of the ransom payment made by the company by seizing the Bitcoin wallet being used.

Takeaway: A few years ago, most companies did not report ransomware attacks and did not involve law enforcement. Times have changed. For more information, visit the website for the Internet Crime Complaint Center (IC3).

* * *

Information for this article was obtained from Blount’s testimony, and stories published by The New York Times and Law360.