By Gregory Hale
Attackers were able to get into Colonial Pipeline, JBS Foods and CNA Financial Corp.’s systems as a result of “small failures” within their individual security protocols and hold up those companies for millions of dollars in ransom payments.

Colonial’s chief executive officer explained the attack on the company’s systems started with a single stolen password linked to an old user profile. With JBS, attackers gained access to an old network administrator account that had not been deactivated and was protected only by a weak password. CNA’s attackers convinced a single employee to accept a fake web browser update from a commercial website, according to a memo from the U.S. House Committee on Oversight and Reform.

“This is exactly the problem facing the majority of enterprises today,” said Joel Langill, founder and managing member of the Industrial Control System Cyber Security Institute LLC. “It is the failure of people to create concise, focused, relevant security recommendations.”

Langill said it all comes down to protecting active directory.

“That is the most important asset an adversary wants. If they get access to it, they have gold.”

Tool from 2008
He talked about how a Microsoft Server Security Resource Kit created in 2008 “provided PowerShell scripts designed to do what Colonial and JBS did not do, and that is to regularly search for stale accounts and then remove them. I have walked into facilities that I have been involved in designing and I can still go in there and find my credentials scattered on assets. This is exactly what you want as an attacker. If you can find credentials you don’t need vulnerabilities. If you can get credentials you can move around, and you don’t need vulnerabilities.

“The fact the credentials still work, we are talking security 101. There should be tight controls over credentials that possess elevated authorization,” Langill said.
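A defensive routine of the kind Langill describes, finding still-enabled Active Directory accounts that have gone unused and disabling them, as an added example that is neither the article's code nor the 2008 resource kit's scripts. It assumes the RSAT ActiveDirectory PowerShell module and read rights on the domain; the 90-day threshold and the list of privileged groups are assumptions to adjust locally.

```powershell
# Added example, not the article's or the 2008 resource kit's code: report stale,
# still-enabled Active Directory user accounts and optionally disable them.
# Assumes the RSAT ActiveDirectory module; the 90-day threshold and group list are assumptions.
#Requires -Modules ActiveDirectory
param(
    [int]$InactiveDays = 90,
    [switch]$Disable   # off by default: report only
)

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Members of high-privilege groups, so stale privileged accounts are flagged first.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privileged = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName
}
$privileged = @($privileged | Sort-Object -Unique)

# LastLogonDate comes from the replicated lastLogonTimestamp and can lag by up to
# 14 days, so the threshold is a tolerance, not a precise value. Accounts that have
# never logged on are judged by creation date instead of being silently skipped.
$stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated, PasswordLastSet |
    Where-Object {
        $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $last -lt $cutoff
    } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            LastLogonDate     = $_.LastLogonDate
            PasswordLastSet   = $_.PasswordLastSet
            Privileged        = $privileged -contains $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
        }
    }

# Privileged stale accounts first: those are the ones an intruder values most.
$stale | Sort-Object Privileged -Descending |
    Format-Table SamAccountName, LastLogonDate, PasswordLastSet, Privileged -AutoSize

# Keep an audit trail of what was found, then act only when explicitly asked.
$stale | Export-Csv -Path ".\stale-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
if ($Disable) {
    foreach ($acct in $stale) {
        # Disable rather than delete, so a wrongly flagged account can be restored.
        Disable-ADAccount -Identity $acct.DistinguishedName -Confirm:$false
    }
}
```

Run it without `-Disable` first and review the CSV, since service accounts that authenticate rarely will show up alongside genuinely abandoned ones.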

“The small failures that lead to big problems are indicators on how difficult it is to protect ourselves from cyberattacks,” said Mark Carrigan, senior vice president at Hexagon PPM. “One click on the wrong email (out of hundreds of thousands), one weak password, or the failure to delete one account, can lead to disaster. All of this says we cannot protect our way out of this problem – it is a matter of when, not if, you will be successfully attacked. Operators of OT systems need to focus more effort on minimizing the impact of an attack, and have the means to recover within an acceptable period of time.”

In March this year, CNA Financial Corporation, one of the country’s largest insurance companies, reportedly paid $40 million in Bitcoin after it suffered a ransomware attack from a cybercriminal group called Phoenix.

Colonial Payout
In May, Colonial Pipeline Company, operator of the pipeline that provides nearly half of the East Coast’s fuel supply, paid DarkSide, a ransomware gang believed to operate out of Russia, $4.4 million in Bitcoin.

Shortly thereafter, in June, JBS Foods USA, whose plants process approximately one-fifth of the United States’ meat supply, paid $11 million in Bitcoin after it suffered a ransomware attack attributed to the criminal ransomware gang REvil (also known as Sodinokibi).

The revelations from the memo just go to show manufacturers big and small need to remain focused on all the details to remain as resilient to attack as possible. Plus, they have to focus on the fundamentals and continue growing the program from those basics. In addition, communication and training need to remain at the forefront of every company’s list for security.

Working on getting the basics down and right is not as easy as it sounds, but once you lay that foundation, it becomes easier to keep building upon it. With companies facing on average 270 attacks per company per year, according to an Accenture report, that boils down to one attack every 1.3 days.

While that may seem daunting, there are some basic steps to build upon:

  • Create a plan
  • Understand what devices you have and who and what they are talking to
  • Prioritize assets
  • Understand what normal network traffic looks like
  • Visibility is key
  • Understand people can be a strength – and a weakness
  • Segmentation
  • Know who is in charge of an attack
  • Know who is your law enforcement contact
  • Run tests

Governmental Push
After those three high-profile attacks hit the industry and dumbfounded politicians on the effect they could have on constituents, legislators promised to get to the bottom of the attacks and bring the guilty parties to justice.

The House of Representatives Committee on Oversight and Reform’s investigation into these three ransomware attacks provided some insights into the attacks. The Committee found:

Small lapses led to major breaches. Ransomware attackers took advantage of relatively minor security lapses, such as a single user account controlled by a weak password, to launch enormously costly attacks. Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack.

Some companies lacked clear initial points of contact with the federal government. Depending on their industry, companies faced a patchwork of federal agencies to engage regarding the attacks they faced. For example, two companies’ initial requests for assistance were forwarded around to different FBI offices and personnel before reaching the correct team. Companies also received different responses on which agencies could answer questions as to whether the attackers were sanctioned entities. These examples highlight the importance of clearly established federal points of contact.

Companies faced pressure to quickly pay the ransom. Given the uncertainty over how quickly systems could be restored using backups and whether any sensitive data was stolen, the companies appeared to have strong incentives to quickly pay the ransom. This pressure was compounded by attackers’ assurances that payment of the ransom would resolve the situation and avoid negative publicity for the company.

In the attacks against CNA and JBS, the breaches were not immediately detected. The attackers’ presence on CNA’s network went undetected for over two weeks before the ransomware was activated.

Crippled Systems
However, once the ransomware was deployed by the attackers, it quickly crippled companies’ IT systems.

On May 7, after a Colonial employee discovered a ransom note, Colonial shut down its entire pipeline operations out of concern the malicious software might allow the attackers to gain physical control of the pipeline, according to the memo. It remained offline for five days before gradually reopening. In the meantime, there was a run on gas stations as consumers panicked and started to hoard gasoline in some states along the East Coast.

The attack on JBS caused the company’s plants to temporarily shut down.

In the case of CNA, cybercriminals encrypted its computer systems and stole substantial amounts of company data, including personal information.

The Committee’s investigation also underscored the logistical challenges of the companies’ response to these attacks, which differed in part based on the company’s industry.

Each company provided notice to a variety of different federal agencies, including federal law enforcement. For example, Colonial was in contact with at least seven federal agencies or offices. CNA was initially referred to one FBI field office before a different field office was designated as the primary point of contact. When a senior JBS official first emailed an FBI field office, the agent they emailed was not the correct point of contact, so their inquiry was passed on to different case agents at the same field office, leading to a several-hour delay between the JBS official’s initial email and the FBI’s first substantive email response.

Who is in Charge?
In one instance, a company was referred to the Treasury Department for questions regarding sanctions, while another company was provided a substantive answer on this topic by the FBI. These logistical hurdles point to the need for clearly established federal points of contact in response to ransomware attacks.

When it comes to whether companies should pay a ransom, security professionals, law enforcement and government officials consistently say don’t pay the attackers, because it only emboldens them to keep on attacking.

However, if you are a business that needs to stay up and running, and your security is not that great to begin with, maybe negotiating the ransom down to $11 million from $22 million would be the most prudent way to go.

Trusting Attackers
That is where trusting the bad guys becomes part of the deal. To encourage the idea that victims can trust them, the criminals try to turn things around and offer a helping hand.

Despite launching cyberattacks on the companies, the attackers quickly turn things around and try to cast themselves as business partners with, or even consultants to, the companies, the memo said.

REvil told JBS, “don’t panic! We are in business, not in war,” and offered the company a host of supposed benefits along with the decryption tool, saying, “in this case, you also get a security report, a complete tree of compromised data files, permanently deleting downloaded data, [and] support with tips on unlocking and protecting,” the memo said.

The REvil attackers even provided recommendations of exchanges where the company could buy cryptocurrency, highlighting that one exchange had “no need for verification.”

In the case of Colonial, DarkSide warned there was one data recovery company they refused to work with but offered to recommend others. During the attack on Colonial, DarkSide said: “We have helped more than 100 companies. And we will help you after payment.”

In the case of JBS, REvil also disclaimed any interest in the security or economic effects caused by the attack on the company or the shutdown of its food processing plants, stating: “Its just a business. We absolutely do not care about you or your deals, except getting benefits.”

Victims Paid Attackers
JBS and Colonial ultimately made the decision to pay, as CNA reportedly did as well.

JBS, which paid one of the largest known cyber ransoms in history, later revealed, “At the time of payment, the vast majority of the company’s facilities were operational,” and explained it paid the ransom to “mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.” Two of the three companies, Colonial and CNA, also had cyber insurance policies. Colonial has confirmed to the Committee its cybersecurity insurance policy covered the cost of the ransom.

During the attacks, the attackers also provided certain assurances that they would follow through with promises to provide a decryption key and delete their copies of the stolen data if a ransom was paid. Attackers told CNA they would know if stolen data had been deleted because, “We gonna tell you ‘the data was deleted,’” later adding, “It is in our interest to do as agreed.” CNA later recovered the data with the assistance of consultants by locating a repository used by the attackers. In the case of JBS, the REvil attackers never delivered on their promise to provide the company with proof that they had destroyed all copies of the data they stole from JBS.

Decryption Tools Pro and Con
While the decryption keys provided by the cybercriminals appear to have worked, it is unclear whether using the decryption keys was the most effective option, the memo said.

Colonial informed the Committee while it used the decryption key to decrypt some individual files, it did not use the decryption key more broadly for two reasons. First, the process of using the decryption key presented a risk of deleting legitimate files. Second, Colonial determined using its back-up tapes was the better approach to bringing its systems back online. According to press reports, Colonial relied on its backup tapes because the tool provided by DarkSide was too slow to be useful. In the case of CNA, months after regaining access to its files, the company was still in the process of notifying customers and employees of the data breach, as well as providing them with credit monitoring and fraud prevention services in light of the compromised personal information.

In the end, it ends up being all about making sure security professionals stay on top of all the little things and understand the main areas to protect.

“In these attacks, where was the problem? Was it because of a lack of cyber aware security staff? Is it because they don’t know any better because they have lived in their world for a period of time and they haven’t changed? That kind of goes back to why we always run into problem after problem after problem,” Langill said. “You can’t do things today the same way we have done it before. A lot of these attacks all boil down to that.”

Click here to view the entire House Committee memo.