Ransomware attack on Colonial Pipeline was made possible via leaked VPN password


The criminals behind the ransomware attack on the Colonial Pipeline Company gained entry through a leaked VPN password, security firm Mandiant, which was involved in the investigation into the attack, told Bloomberg. The compromised VPN account was no longer in use, but could still be used to access Colonial's network. Researchers discovered the VPN password in a collection of leaked passwords on the Internet.


A Colonial employee may have used the same password for another account that was leaked, said Charles Carmakal, senior vice president of security firm Mandiant. However, how the attackers got their hands on the password is unknown. No indications were found of a phishing attack on the employee whose login details were used, and no evidence was found that the attackers were active on the network before April 29.


The compromised VPN account did not use multi-factor authentication, so a username and password alone were enough to access the Colonial network. Furthermore, Carmakal said that no indications were found that the attackers were able to access the operational technology systems of the fuel pipeline. The attackers did manage to steal 100 gigabytes of data. Colonial eventually paid the attackers a $4.4 million ransom.
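The two control failures described above (a dormant account that was never disabled, and an account that could be used with a password alone) are exactly what a periodic VPN account audit is meant to catch. The following is an added example, not code from the article or from Colonial or Mandiant: it runs a simple audit over a constructed account inventory, flagging enabled accounts that have not logged in within a dormancy window and accounts without MFA, and it also shows how a candidate password can be checked against a leaked-password collection by SHA-1 hash so the plaintext list never has to be handled directly. The account records, the 90-day window and the leaked-password set are all assumptions made up for the example.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample VPN account inventory (not real data). In practice this
# would be exported from the VPN appliance or the identity provider.
VPN_ACCOUNTS = [
    {"user": "alice", "last_login": "2021-05-01", "mfa_enabled": True,  "active": True},
    {"user": "bob",   "last_login": "2020-11-15", "mfa_enabled": False, "active": True},
    {"user": "carol", "last_login": "2021-04-20", "mfa_enabled": False, "active": True},
    {"user": "dave",  "last_login": "2019-08-03", "mfa_enabled": True,  "active": False},
]

# Assumed policy: an enabled account with no login in 90 days is dormant.
DORMANT_DAYS = 90

# Constructed stand-in for a leaked-password collection, stored only as SHA-1
# hex digests so the audit never keeps the plaintext list around.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ["Password123", "Summer2020!", "letmein"]
}


def audit_vpn_accounts(accounts, as_of, dormant_days=DORMANT_DAYS):
    """Return {user: [issues]} for enabled accounts that are dormant and/or lack MFA.

    Disabled accounts are skipped; the point of the audit is to find accounts
    that are still usable but should not be."""
    findings = {}
    cutoff = as_of - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct["active"]:
            continue
        issues = []
        last_login = datetime.strptime(acct["last_login"], "%Y-%m-%d")
        if last_login < cutoff:
            issues.append("dormant")
        if not acct["mfa_enabled"]:
            issues.append("no_mfa")
        if issues:
            findings[acct["user"]] = issues
    return findings


def password_in_leaked_set(password, leaked_sha1=LEAKED_SHA1):
    """True if the SHA-1 of the candidate password appears in the leaked set.

    Comparing digests rather than plaintext mirrors how breach-check services
    are typically queried; only the hash of the candidate is computed here."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    return digest in leaked_sha1


if __name__ == "__main__":
    report_date = datetime(2021, 5, 7)
    for user, issues in audit_vpn_accounts(VPN_ACCOUNTS, report_date).items():
        print(f"{user}: {', '.join(issues)}")
    print("Password123 leaked:", password_in_leaked_set("Password123"))
```

Accounts flagged as dormant should be disabled rather than merely noted, and the MFA finding applies to every remaining enabled account, since the article's point is that a single leaked password was sufficient on its own.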


Next week, Colonial CEO Joseph Blount will testify before several congressional committees. He may also provide more information about the nature of the attack and explain why the company paid the ransom. It may also become clear why the entire pipeline was shut down. Sources previously told CNN and journalist Kim Zetter that the pipeline was shut down over billing concerns.

