Oversight finds ‘small lapses’ in security led to Colonial Pipeline, JBS hacks

A series of “small lapses” in cybersecurity led to several recent successful ransomware attacks, the House Oversight and Reform Committee concluded in a staff memo released Tuesday.

The memo was the result of a panel investigation into ransomware attacks against Colonial Pipeline, meat producer JBS USA and insurance group CNA Financial Corporation, all of which involved the victims paying the ransoms demanded in order to ensure critical systems could be quickly brought back online. 

“Ransomware attackers took advantage of relatively minor security lapses, such as a single user account controlled by a weak password, to launch enormously costly attacks,” the memo reads. “Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack.”

CNA, which paid a ransom of more than $40 million, was successfully attacked after an employee accepted a fake browser update, while JBS, which paid attackers around $11 million in Bitcoin, saw its systems compromised when the hackers gained access to an old account with a weak password that hadn’t been deactivated. 

Colonial Pipeline was compromised due to a single stolen password linked to a profile. The attack led to gas shortages in several states in May after the company was forced to shut down the pipeline, and eventually paid the attackers around $4.4 million in Bitcoin, the majority of which was later recovered by the Justice Department. 

Beyond the security lapses, the committee also concluded that the companies impacted by ransomware attacks did not have clear points of contact with the federal government, hampering response efforts, and that they faced a huge amount of pressure to pay the attackers. 

“Following the discoveries of the intrusions, all three companies faced immediate and repeated pressure from the attackers to quickly pay the ransom,” the memo reads, pointing to efforts by the attackers to increase the ransom demands and set time limits on payment. 

Oversight Chairwoman Carolyn Maloney (D-N.Y.) previously grilled the leaders of CNA, JBS USA and Colonial Pipeline via letters in June, noting she was “extremely concerned” about their decision to pay “international criminal actors” the ransoms demanded.

The memo was published ahead of a hearing on ransomware attacks held by the Oversight and Reform panel on Tuesday, which featured National Cyber Director Chris Inglis and top officials from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) giving testimony.

Members questioned the witnesses in particular on efforts by the Biden administration to push back against the major recent ransomware attacks, particularly those carried out by cybercriminals based in Russia, which included the attacks on Colonial Pipeline and JBS. 

“From an FBI perspective, we have not seen a decrease in ransomware attacks in the past couple of months originating from Russia,” testified Bryan Vorndran, the assistant director of the FBI’s Cyber Division. “We do have incomplete data, in a best case scenario, we only see about 20 percent of the intrusions in the country, no different than our partners at CISA, but the FBI has remained focused on investigating cyber criminals in and around Russia.”

Inglis, who testified to a different House committee last month that he had seen a “discernible decrease” in Russian-linked cyberattacks, stressed the need to continue to take steps to encourage the Russian government to address ransomware attacks originating from malicious actors within the country’s borders. 

“We will continue to pressure the Russians, but they must understand they must do their part,” Inglis testified Tuesday.