A forensic report on Colonial Pipeline identified the "most likely culprit" within the company's IT infrastructure as its vulnerable Microsoft Exchange servers, as noted by New York Times reporter Nicole Perlroth, though researchers found several other issues that they characterized as an overall "lack of cybersecurity sophistication."
"Interesting forensic finding on Colonial Pipeline: They were STILL using a vulnerable version of Microsoft Exchange (the same systems exploited by Chinese hackers that was revealed in March), among other notable lapses. Per Coalition. pic.twitter.com/TvsEN8S3Ew" - Nicole Perlroth (@nicoleperlroth), May 11, 2021
The Cybersecurity and Infrastructure Security Agency (CISA) warned pipeline operators about potential ransomware attacks in 2020 and offered a number of mitigation strategies. The FBI confirmed that it believes the DarkSide ransomware is responsible for the attack. DarkSide is a criminal group with origins in Russia.
Microsoft has published many advisories stressing the importance of keeping on-premises Exchange Servers up to date because several vulnerabilities were being exploited in the wild. The latest updates were released in April 2021 after a report from the NSA. Exchange Online was not affected by these issues.
Colonial Pipeline took its systems down to contain the threat. Its major pipelines were still down as of Tuesday. The pipeline transports 100 million gallons of fuel each day, including 45% of all fuel consumed on the East Coast. Its products include various grades of gasoline, diesel fuel, home heating oil, jet fuel, and fuels for the U.S. military.
On Monday night, Line 4, which runs from Greensboro, North Carolina, to Woodbine, Maryland, was temporarily operating under manual control while existing inventory was available, the company said.