Colonial Pipeline Hackers Used Unprotected VPN to Access Network: Report
The ransomware attack that took down the Colonial Pipeline and caused fuel shortages on the East Coast succeeded because of an inadequately protected Virtual Private Network (VPN) account.
The criminal hacking group known as DarkSide, which claimed responsibility for the attack, got into Colonial's network through an unprotected VPN account that had been set up to let employees reach the company's computer networks remotely, Charles Carmakal, senior vice president at the security firm Mandiant, told Bloomberg in an interview. He noted that the account was no longer used by any employee but was still active, and therefore still usable by the hackers.
The password for the VPN account the hackers used, which has since been deactivated, was later found on the dark web in a batch of leaked passwords. One possibility, Carmakal said, is that the Colonial employee had reused the same password on other accounts and that one of those accounts had been compromised in an earlier, unrelated breach. But that is only one possibility.
The VPN account lacked multifactor authentication, a basic safeguard that many companies require for employee accounts, especially when employees sign in to systems remotely. Without that second factor, a valid username and password alone were enough to get in, which widens the range of ways the hackers could have obtained the credentials and breached Colonial Pipeline's network.
"We did a pretty exhaustive search of the environment to try and determine how they actually got those credentials," Carmakal said. "We don't see any evidence of phishing for the employee whose credentials were used. We have not seen any other evidence of attacker activity before April 29."

On May 7, the hackers used the company's network to deliver a ransom note demanding cryptocurrency to Colonial's control room. Colonial immediately began shutting down the pipeline once it realized its network had been breached, according to CEO Joseph Blount.
"The last thing we wanted was for a threat actor to have active access to a network where there is any possible risk to a pipeline. That was the biggest focus until it was turned back on," Carmakal said.
Mandiant was able to assess the damage and help protect against future threats. Investigators determined that the hackers had not breached the critical operational technology (OT) systems, Carmakal said.
The pipeline was back up and running within a few days, but not before more than 11,000 gas stations closed because of fuel shortages. The pipeline, which runs from Texas to New Jersey, carries up to 45 percent of the East Coast's gas. While stalled and slowed deliveries contributed to the shortages, consumer panic-buying played a major part in the scarcity of gas.
Newsweek reached out to Mandiant for comment.