Testimony of Joseph Blount, President and Chief Executive Officer Colonial Pipeline Company

On June 8, 2021, Joseph Blount testified in a hearing before the United States Senate Committee on Homeland Security & Governmental Affairs about the May 7 cyber attack on Colonial Pipeline. Mr. Blount has been applauded by many in the cybersecurity community for his transparency regarding the hardest decision he’s made in his 39 years in the energy industry. As stated in a Security Week post, his testimony provided a rare window into the attack and the dilemma faced by the private sector amid a storm of ransomware attacks. Likewise, the testimony is a valuable tool to use as lessons learned, not only for crucial business decisions, but business decisions that decidedly impact American society. Highlights about the hearing can be found at Security Week. For Blount’s testimony, members are encouraged to access the attached report.

Updates - June 8, 2021

Stolen VPN Password from a Dormant Account Used to Breach Colonial Pipeline

On Friday, Bloomberg posted information that the Colonial Pipeline network was compromised on April 29 through the use of a stolen VPN password. According to the report, the account was dormant and did not employ multifactor authentication. The password has since been discovered as part of a batch of leaked passwords, but investigators are not sure how the attackers obtained the credential in the first place. In addition to implementing multifactor authentication, members are encouraged to regularly review accounts and disable/delete dormant accounts to reduce the risk from threat actors obtaining unauthorized access to any system via old/unused credentials. Likewise, staff should be reminded not to reuse credentials across different systems and to create unique passwords for each login. Read more at Bloomberg.

DoJ Seizes $2.3 Million in Bitcoin Proceeds Reportedly Paid to DarkSide by Colonial Pipeline

On Monday, the Department of Justice announced the seizure of $2.3 million in bitcoin proceeds reportedly paid to DarkSide by Colonial Pipeline. According to the press release, the FBI was able to follow the money by reviewing the Bitcoin public ledger to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the private key needed to access assets accessible from the specific Bitcoin address. Read the press release at DoJ.

If it Makes Headlines, it Will Likely Make Phishing Lines – Colonial Pipeline Themes Used in Phishing Attacks

This should really come as no surprise, as it was only a matter of time before threat actors would leverage Colonial Pipeline themes in phishing emails. This particular campaign is targeting Microsoft 365 customers with a “help desk” themed phish. Users were tricked with emails purporting to come from their help desk with instructions to download a “ransomware system update” so they wouldn’t suffer a similar incident as Colonial Pipeline. The download was actually Cobalt Strike – a legitimate tool also commonly used by threat actors. Members are encouraged to remind staff that newsworthy topics are often used for phishing bait. Read more at Infosecurity Magazine.