Compromised password results in Pipeline attack, says expert

Sheila Zabeu -

June 07, 2021

A single compromised password is what prompted the recent attack on America’s largest pipeline, the Colonial Pipeline. The password was for an already inactive virtual private network (VPN) account that allowed employees to remotely access the company’s computer network, according to a report by Charles Carmakal, vice president of cybersecurity firm Mandiant, which investigated the case.

In an interview with Bloomberg, the expert said that the suspicion is that the account password was discovered within a batch leaked on the Dark Web. This means that an employee may have reused the same password on another account that had previously been hacked, according to Carmakal.

The VPN account did not use multi-factor authentication, which allowed the hackers to break into the Colonial Pipeline network using only a username and password. It is unknown how the hackers obtained the account’s correct username.
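The two weaknesses described above, a dormant account that was still enabled and remote access without multi-factor authentication, are both things a defender can find with a routine audit of the identity store. The following is an added illustration, not code from the article or from Mandiant; the account records are constructed samples with assumed fields (`enabled`, `mfa`, `vpn`, `last_login`), and the 90-day dormancy threshold is an assumed policy value.

```python
from datetime import date, timedelta

# Constructed sample of remote-access account records (assumed schema, not real data).
SAMPLE_ACCOUNTS = [
    {"user": "alice", "enabled": True, "mfa": True, "vpn": True, "last_login": date(2021, 5, 30)},
    {"user": "bob", "enabled": True, "mfa": False, "vpn": True, "last_login": date(2021, 1, 10)},
    {"user": "carol", "enabled": False, "mfa": False, "vpn": True, "last_login": date(2020, 6, 1)},
    {"user": "dave", "enabled": True, "mfa": False, "vpn": False, "last_login": None},
    {"user": "erin", "enabled": True, "mfa": True, "vpn": True, "last_login": date(2020, 11, 2)},
]


def audit_remote_access(accounts, today, dormant_days=90):
    """Return (user, finding) pairs for enabled accounts that violate basic hygiene.

    Findings raised:
      vpn_without_mfa     - account can reach the VPN but has no second factor
      dormant_but_enabled - no login within `dormant_days` (or never), yet still enabled
    Disabled accounts are skipped: they cannot be used to log in, so they are not findings.
    """
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["vpn"] and not acct["mfa"]:
            findings.append((acct["user"], "vpn_without_mfa"))
        last = acct["last_login"]
        if last is None or last < cutoff:
            findings.append((acct["user"], "dormant_but_enabled"))
    return findings


def accounts_to_disable(findings):
    """Users flagged as dormant: the remediation is to disable them, not just note them."""
    return sorted({user for user, kind in findings if kind == "dormant_but_enabled"})


if __name__ == "__main__":
    # Assumed audit date chosen to match the article's publication date.
    for user, kind in audit_remote_access(SAMPLE_ACCOUNTS, date(2021, 6, 7)):
        print(f"{user}: {kind}")
    print("disable:", accounts_to_disable(audit_remote_access(SAMPLE_ACCOUNTS, date(2021, 6, 7))))
```

Run against a real directory export, the same two checks would surface an account like the one described in the article before an attacker does: an enabled account nobody has used in months, with VPN access and no second factor. Disabling dormant accounts and requiring MFA on every remote-access account are the direct mitigations for the two gaps the report identifies.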

Mandiant also investigated how far the Darkside group, the actor behind the break-in, had advanced through Colonial Pipeline’s networks and found no evidence that the hackers had made further attempts. It also appears that the group was limited to IT networks and did not go as far as to compromise the more critical operational technology (OT) systems.

Colonial Pipeline fell victim to a ransomware attack in early May, causing IT systems to be paralyzed and operations to be temporarily shut down. The company paid a ransom of around $4.4 million in cryptocurrencies in exchange for the decryption key to recover the data. However, in an unprecedented move, the US Department of Justice was able to recover most of the multi-million dollar ransom payment.