Colonial Pipeline ransomware attack linked to a single VPN login

A lack of multifactor authentication on the unused account may have let hackers right in.

Sponsored Links

Richard Lawler
June 4, 2021 9:06 PM
Notes are left on gas pumps to let motorists know the pumps are empty at an Exxon gas station in Charlotte, North Carolina on May 12, 2021. - Fears the shutdown of the Colonial Pipeline because of a cyberattack would cause a gasoline shortage led to some panic buying and prompted US regulators on May 11, 2021 to temporarily suspend clean fuel requirements in three eastern states and the nation's capital. (Photo by Logan Cyrus / AFP) (Photo by LOGAN CYRUS/AFP via Getty Images)
LOGAN CYRUS via Getty Images

Last month's oil pipeline ransomware incident that spurred fuel shortages/hoarding and a $4.4 million payout to the attackers has apparently been traced back to an unused but still active VPN login. Mandiant exec Charles Carmakal told Bloomberg that their analysis of the attack found that the suspicious activity on Colonial Pipeline's network started April 29th.

While they couldn't confirm exactly how the attackers got the login, there apparently isn't any evidence of phishing techniques, sophisticated or otherwise. What they did find is that the employee's password was present in a dump of login shared on the dark web, so if it was reused and the attackers matched it up with a username, that could be the answer to how they got in.

Then, a little more than a week later a ransom message popped up on Colonial Pipeline's computer screens and staff started shutting down operations. While this is just one in a never-ending string of similar incidents, the impact of the shutdown was great enough that Colonial Pipeline's CEO is scheduled to testify in front of congressional committees next week, and the DoJ has centralized ransomware responses in a manner similar to the way it deals with terrorism cases.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Popular on Engadget