WatchGuard Blog

How a secure MFA would have avoided the Colonial cyberattack

The Colonial Pipeline, which carries refined petroleum products some 5,500 miles (about 8,850 km) from the Gulf Coast of Texas to the East Coast of the United States, was hit on May 7, 2021 by a large-scale cyberattack, the most disruptive so far against oil supply infrastructure in North America. Cybercriminals from the DarkSide group gained access to the company's IT systems, stole about 100 GB of data and then deployed ransomware that encrypted those systems: the double-extortion pattern of exfiltrating first and encrypting second.

The incident had several consequences. The first and most direct was that Colonial shut down the pipeline as a precaution while it contained the attack and restored its IT systems. That disruption caused fuel shortages along the East Coast, affecting transport companies and even Charlotte Douglas International Airport in North Carolina.

Second, it had a deeper political impact, prompting a direct response from the White House: the federal government issued an emergency declaration covering the affected states so that fuel could be moved by road, and the incident lent weight to the President's "Executive Order on Improving the Nation's Cybersecurity", signed only days later, on May 12, 2021.

When the EO was issued in May, we explained in our blog that, although it addresses many areas of cybersecurity, two measures stand out: adopting a Zero-Trust approach and requiring multi-factor authentication. The latter played a particularly important role in the Colonial attack itself.

Insecure VPN  

Forensic investigation indicates that DarkSide's entry point was an account on Colonial's VPN. VPN gateways have become a far more frequent target since the pandemic pushed so many users to work from home: they are exposed to the internet by design, and a successful login usually places the attacker inside the corporate network with the same reach as a remote employee.

Investigators believe the attackers logged in with a password that had previously been leaked and posted on the dark web. A single leaked password was enough, because the VPN account it belonged to was not protected by multi-factor authentication. A second factor (a code or push approval on a mobile device, or a hardware token) would have made a still-active leaked password useless on its own to anyone outside the company. The account was also reportedly no longer in active use yet had never been disabled, which points to a second lesson: dormant accounts and unused VPN profiles should be removed, not just left in place.
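The mechanism is easy to show in code. What follows is an added example written for this post (it is not Colonial's, DarkSide's or WatchGuard's code): a minimal VPN login check with a constructed account whose password appears in a constructed breach list. Under the weak policy the leaked password gets in on its own; under the hardened policy every account must also present an RFC 6238 time-based one-time code, so the same leaked password is refused. The account name, password, salt and breach list are invented for the demo, and the TOTP key is the reference key from RFC 6238 so the generated codes can be checked against that document's test vectors.

```python
"""Added example for this post (not Colonial's, DarkSide's or WatchGuard's
code): a leaked password alone versus password plus an RFC 6238 one-time code.
Every account, password, salt, hash and timestamp below is constructed."""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def totp_valid(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current 30 s step and +/- `window` steps of clock skew.
    compare_digest keeps each comparison constant-time."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + drift * 30), code)
        for drift in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. A real deployment uses a random salt per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed breach corpus: SHA-1 of passwords seen in public dumps, stored as
# upper-case hex (the layout the Pwned Passwords service uses).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2020!", "Password1", "Welcome123")
}


def password_is_breached(password: str) -> bool:
    """True if the password is in the breach corpus; such a password must be rotated."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


SALT = b"constructed-demo-salt"
# Constructed account modelling a legacy VPN profile that was never enrolled in MFA.
ACCOUNTS = {
    "legacy-vpn": {
        "pw_hash": hash_password("Summer2020!", SALT),
        # RFC 6238 reference key, used only so the codes match the RFC's test vectors.
        "totp_secret": b"12345678901234567890",
        "mfa_enrolled": False,
    }
}


def vpn_login(user: str, password: str, otp: Optional[str], unix_time: int,
              enforce_mfa: bool) -> str:
    """Return 'granted' or 'denied: <reason>'.

    enforce_mfa=False is the weak policy: an account not enrolled in MFA gets in
    on its password alone.  enforce_mfa=True is the hardened policy: every
    account must present a valid one-time code, enrolled or not."""
    acct = ACCOUNTS.get(user)
    # Run the KDF even for unknown users so timing does not reveal valid usernames.
    supplied = hash_password(password, SALT)
    if acct is None or not hmac.compare_digest(supplied, acct["pw_hash"]):
        return "denied: bad credentials"
    if not (enforce_mfa or acct["mfa_enrolled"]):
        return "granted"                      # the gap a leaked password walks through
    if otp is None:
        return "denied: second factor required"
    if not totp_valid(acct["totp_secret"], otp, unix_time):
        return "denied: bad one-time code"
    return "granted"


if __name__ == "__main__":
    T = 1111111109             # RFC 6238 test time; the demo key's code at T is 081804
    leaked = "Summer2020!"     # the attacker has this from a dump, and nothing else
    print("breached password:             ", password_is_breached(leaked))
    print("weak policy, password only:    ", vpn_login("legacy-vpn", leaked, None, T, enforce_mfa=False))
    print("hardened, password only:       ", vpn_login("legacy-vpn", leaked, None, T, enforce_mfa=True))
    print("hardened, guessed code:        ", vpn_login("legacy-vpn", leaked, "123456", T, enforce_mfa=True))
    real_code = totp(ACCOUNTS["legacy-vpn"]["totp_secret"], T)   # only the token holder has this
    print("hardened, password + real code:", vpn_login("legacy-vpn", leaked, real_code, T, enforce_mfa=True))
```

Two design points are worth noting. The hardened policy does not consult the account's `mfa_enrolled` flag at all, because an opt-in flag is exactly how a legacy profile ends up without a second factor; enrollment has to be a precondition of the account existing, not a per-user option. And the breached-password check belongs at password-set time and in periodic audits, so that a password already circulating in dumps is rotated before anyone tries it against the gateway.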

On the other hand, although the attackers reached the IT systems where they deployed the ransomware, analysts have found no evidence that they reached the OT systems that directly control the pipeline. That does not lessen the seriousness of the incident: even though halting the pipeline was not the attackers' stated objective, operations stopped in practice because the company could not keep running the pipeline while its IT side was compromised.

Multi-factor Authentication: Essential for Critical Infrastructures

Colonial is not the only critical-infrastructure operator hit by a large-scale cyberattack this year, as we discussed in our post on pen drives as a threat vector, but it is the incident with the biggest repercussions. It has also exposed the industry's shortcomings in basic access control: who can reach which systems, from where, and with what proof of identity.

MSPs and IT teams must therefore enforce a rigorous access policy across critical infrastructure: it must cover every system and every remote-access path (VPN, remote desktop, administration consoles), it must require secure multi-factor authentication for all of them with no exceptions for legacy or rarely used accounts, and it must include disabling accounts that are no longer needed. Managing permissions, passwords and authentication for a large workforce with traditional methods or piecemeal software is not easy, which is precisely how exceptions such as an MFA-less legacy account creep in.

WatchGuard AuthPoint removes these difficulties, as it is managed centrally from WatchGuard Cloud. Its interface shows at a glance who has access to which systems and lets you manage roles and permissions for each employee simply. It also offers several secure forms of multi-factor authentication, from its mobile app, protected by its unique Mobile DNA technology, to hardware tokens, and adapts to the specific needs of each organization, helping them avoid incidents as serious as the one Colonial suffered.