Colonial Pipeline data breach

‘It was a complicated password’…lessons learned from the Colonial Pipeline breach

The repercussions from the Colonial Pipeline breach continue to reverberate across the US as the embattled company’s CEO stood in front of a Senate hearing on Tuesday.

The ransomware attack was carried out by a Russian criminal group known as DarkSide, and led to fuel supply being cut off to much of the Eastern Seaboard. The economic impact was huge, and the pressure to regain control of its infrastructure led Colonial Pipeline to controversially pay the ransom demand of 75 bitcoin (at the time worth $4.3m) to the criminal group.

How did DarkSide get the password and launch the Colonial ransomware attack?

An incident report shows that the typical phishing and social engineering tactics threat actors employ to obtain passwords were not used in the Colonial breach.

It has since been reported that the password associated with the Colonial breach has been circulating on the Dark Web. Whether it was already circulating before the breach occurred remains speculation.

DarkSide may have obtained the password from the Dark Web, or they may equally have found it by other means, such as a cracking dictionary of common, easy-to-guess passwords. Armed with such a list, they would most likely have run a brute-force attack (many passwords against one account) or a password spray (one or a few common passwords tried against many accounts, slowly enough to stay under lockout thresholds). A more methodical option is to match passwords leaked in earlier breaches to the corresponding users in Active Directory, so that each attempt is made only against an account where that password is already known to have been used. Which of these DarkSide actually used has not been confirmed.

What we do know in the Colonial case is that the compromised account was a VPN account that was no longer in use but had never been disabled, and that it was not protected by multi-factor authentication. Dormant accounts like this are prime targets for threat actors: nobody is watching for failed or successful logins against them, their passwords are never rotated, and they are the last to be enrolled in new controls. An account that is genuinely disabled cannot authenticate at all, which is exactly why leaver and unused accounts should be disabled rather than simply forgotten.
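The two attack patterns described above (brute force against one account versus a spray across many) and the dormant-account problem both leave a recognisable trace in VPN authentication logs. The following is an added example, not code from the original article or from Intercede: a small Python detector run over a constructed, syslog-like sample log (the line format, hostnames, usernames and IP addresses are all invented for illustration, not taken from Colonial Pipeline or any real device). It classifies each source address as a spray or a brute-force attempt, and flags any successful login to an account whose last recorded successful logon, taken from a constructed directory export, is older than a dormancy threshold.

```python
"""Detect password spraying, brute force and dormant-account logins in VPN auth logs.

Added example (not from the original article). The log format, hostnames,
usernames and IP addresses below are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed (hypothetical) log line shape: "<ts> <host> auth user=<u> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 sprays one guess across many users and finally
# succeeds against a dormant account; 198.51.100.9 hammers a single user;
# 192.0.2.20 is a normal user who mistypes once.
SAMPLE_LOG = """\
2021-04-29T02:10:01Z vpn01 auth user=alice src=203.0.113.7 result=FAIL
2021-04-29T02:10:04Z vpn01 auth user=bob src=203.0.113.7 result=FAIL
2021-04-29T02:10:07Z vpn01 auth user=carol src=203.0.113.7 result=FAIL
2021-04-29T02:10:10Z vpn01 auth user=dave src=203.0.113.7 result=FAIL
2021-04-29T02:10:13Z vpn01 auth user=erin src=203.0.113.7 result=FAIL
2021-04-29T02:10:16Z vpn01 auth user=frank src=203.0.113.7 result=FAIL
2021-04-29T02:10:19Z vpn01 auth user=jsmith_old src=203.0.113.7 result=OK
2021-04-29T02:20:00Z vpn01 auth user=bob src=198.51.100.9 result=FAIL
2021-04-29T02:20:02Z vpn01 auth user=bob src=198.51.100.9 result=FAIL
2021-04-29T02:20:04Z vpn01 auth user=bob src=198.51.100.9 result=FAIL
2021-04-29T02:20:06Z vpn01 auth user=bob src=198.51.100.9 result=FAIL
2021-04-29T02:20:08Z vpn01 auth user=bob src=198.51.100.9 result=FAIL
2021-04-29T02:20:10Z vpn01 auth user=bob src=198.51.100.9 result=FAIL
2021-04-29T02:20:12Z vpn01 auth user=bob src=198.51.100.9 result=FAIL
2021-04-29T02:20:14Z vpn01 auth user=bob src=198.51.100.9 result=FAIL
2021-04-29T08:00:00Z vpn01 auth user=alice src=192.0.2.20 result=OK
2021-04-29T08:05:00Z vpn01 auth user=alice src=192.0.2.20 result=FAIL
2021-04-29T08:05:20Z vpn01 auth user=alice src=192.0.2.20 result=OK
"""

# Constructed stand-in for a directory export of each account's last successful logon.
LAST_SUCCESS = {
    "alice": datetime(2021, 4, 28, tzinfo=timezone.utc),
    "bob": datetime(2021, 4, 27, tzinfo=timezone.utc),
    "jsmith_old": datetime(2020, 11, 15, tzinfo=timezone.utc),  # unused for months
}


def parse_log(text):
    """Parse log text into event dicts; lines not matching the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def classify_sources(events, spray_min_users=5, brute_min_failures=5):
    """Label each source IP: spray = many distinct users with few failures each;
    brute force = a single user with many failures. Appends '_with_success' if any OK."""
    per_src = defaultdict(lambda: {"users": set(), "fails": 0, "ok": 0})
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        s["fails" if e["result"] == "FAIL" else "ok"] += 1
    labels = {}
    for src, s in per_src.items():
        n_users = len(s["users"])
        suffix = "_with_success" if s["ok"] else ""
        if n_users >= spray_min_users and s["fails"] / n_users < 3:
            labels[src] = "password_spray" + suffix
        elif n_users == 1 and s["fails"] >= brute_min_failures:
            labels[src] = "brute_force" + suffix
    return labels


def dormant_account_logins(events, last_success, dormant_days=90):
    """Successful logins to accounts not seen for dormant_days (or never seen at all)."""
    hits = []
    for e in events:
        if e["result"] != "OK":
            continue
        prev = last_success.get(e["user"])
        gap = None if prev is None else (e["ts"] - prev).days
        if gap is None or gap >= dormant_days:
            hits.append((e["user"], e["src"], gap))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("source classification:", classify_sources(evs))
    print("dormant-account logins:", dormant_account_logins(evs, LAST_SUCCESS))
```

The thresholds are deliberately simple so the logic is visible; in production you would bucket by time window, exclude known NAT egress addresses, and treat a spray that ends in a success against a long-dormant account (the last line of the first burst above) as a high-priority alert rather than a statistic.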

Universal multi-factor authentication is essential

A key learning from the Colonial attack is that multi-factor authentication (MFA) across only some users is not enough. If there is a chink in the armour, threat actors will find it and capitalise on it. Fundamentally, it is time for enterprises to move on from passwords. Last year in the US, username/password breaches increased by 450%, according to ForgeRock's Identity Breach Report 2021. To mitigate the threat of phishing, social engineering, brute force and password spraying attacks, organisations need to evolve their workforce authentication into a method that is both more secure and simpler to use.

With credential management systems such as MyID enabling organisations large and small to deploy universal strong authentication across their workforce, cost, complexity, usability and manageability no longer need to be barriers to adoption. With mobile devices, security keys and virtual smart card technology, organisations have a great deal of choice in how they enable their users to access corporate systems and networks using passwordless MFA.

Fundamentally, a password on its own, no matter how many words, characters and numbers it contains, is a single shared secret that can be guessed, leaked and replayed from anywhere. Now is the time for organisations to bin the password and secure their systems and networks with more secure and user-friendly methods of authentication.

If you are interested in discovering more about how to deploy universal passwordless authentication across your workforce, contact us today.

Trusted by Governments and Enterprises Worldwide

Where protecting systems and information really matters, you will find Intercede. Whether it's citizen data, aerospace and defence systems, high-value financial transactions, intellectual property or air traffic control, we are proud that many leading organisations around the world choose Intercede solutions to protect themselves against data breach, comply with regulations and ensure business continuity.