Nov. 16 (UPI) — Several major companies fell victim to ransomware attacks due to “relatively minor security lapses,” according to a memo by House lawmakers Tuesday.
The House Oversight and Reform Committee released the memo in response to a panel investigation into meat producer JBS USA, insurance group CNA Financial Corporation and Colonial Pipeline, which saw all three companies pay ransoms demanded by the attackers.
“Ransomware attackers took advantage of relatively minor security lapses, such as a single user account controlled by a weak password, to launch enormously costly attacks,” the memo states. “Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack.”
CNA paid $40 million in bitcoin after an employee accepted a fake browser update from a cybercriminal group called Phoenix, JBS paid $11 million in bitcoin after hackers gained access to an old account with a weak password and Colonial Pipeline, which is responsible for nearly half of the East Coast’s fuel supply, paid ransomware gang Darkside $4.4 million in bitcoin after they gained access to the company through a single stolen password.
The committee also determined that some of the companies lacked “clear initial points of contact” with the federal government, delaying their ability to respond to the attacks.
“Depending on their industry, companies were confronted with a patchwork of federal agencies to engage regarding the attacks they faced,” the memo reads. “For example, two companies’ initial requests for assistance were forwarded around to different FBI offices and personnel before reaching the correct team.”
This issue was compounded by the fact that the companies faced pressure to quickly pay the ransom under the promise from attackers that they would release the data and allow the companies to avoid negative publicity.
“Given the uncertainty over how quickly systems could be restored using backups and whether any sensitive data was stolen, the companies appeared to have strong incentives to quickly pay the ransom,” the committee said.
Also Tuesday, the nation’s top cybersecurity experts testified on the Biden administration’s efforts to combat ransomware and improve public-private sector coordination.
“We have followed the money flows and apprehended that money when and wherever possible,” National Cyber Director Chris Inglis testified, describing the administration’s response. “We have used our intelligence resources to assist the private sector in understanding what the threats to them are, and at the same time give them best practices so they up their game and become a harder target.”
Executive Director for the Cybersecurity and Infrastructure Security Agency Bryan Vorndran testified that passing legislation requiring companies to report cyberattacks to federal agencies was “a top priority.”
“We need the information because that enables CISA and the FBI to both engage with that victim, offer our assistance, understand what’s happening from on their networks and protect other victims,” Vorndran said.