The password was revealed on the Dark Web

Jun 7, 2021 07:49 GMT

The cybersecurity specialist who responded to the incident says that the major cyberattack that shut down the main fuel pipeline in the United States was the result of a single compromised password, as Al Jazeera notes.

According to Charles Carmakal, senior vice president at the cybersecurity firm Mandiant, part of FireEye Inc, the hackers gained access to Colonial Pipeline Co's networks on April 29 through a VPN account that allowed employees to remotely access the company's computer network. He explained that although the account was no longer in use at the time of the attack, it could still be used to access Colonial's network.

The password was later discovered in a batch of leaked passwords on the Dark Web. This suggests that a Colonial employee may have reused the same password on a previously breached account. Carmakal, however, is not convinced that the hackers obtained the password this way, and he believes investigators will never know for sure how the credentials were obtained.

Colonial’s security measures were extremely weak 

The VPN account, which has since been deleted, did not use multifactor authentication, a basic cybersecurity control, so a compromised username and password alone were enough to get into Colonial's network. It is unclear how the hackers obtained the correct username or whether they worked it out on their own.
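The two weaknesses described above, a dormant account and a VPN login that needs nothing beyond a password, are both things an administrator can check for before an attacker does, and the password-reuse angle can be checked at password-set time against a leaked-credential feed. The script below is an added example written for this page, not code from the article, from Mandiant or from Colonial Pipeline; the account records, the breached-password list and the 90-day dormancy threshold are constructed assumptions, and the range-query helper only mimics the shape of a k-anonymity lookup (hash prefix out, matching suffixes back) against a local set rather than calling a real service.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


# Constructed sample records, not Colonial Pipeline data. A real audit would
# pull these from the VPN appliance or the identity provider.
@dataclass
class VpnAccount:
    username: str
    mfa_enabled: bool
    last_login: Optional[datetime]  # None means the account has never logged in


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form most breached-password feeds publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a leaked-credential corpus (hypothetical entries).
BREACHED_SHA1: Set[str] = {sha1_hex(p) for p in ("Summer2020!", "Password1", "colonial123")}


def range_query(prefix: str, corpus: Set[str]) -> Set[str]:
    """k-anonymity style lookup: the caller reveals only the first five hex
    characters of the hash and receives every matching suffix, then compares
    locally. Served here from the in-memory set instead of a remote API."""
    assert len(prefix) == 5
    return {h[5:] for h in corpus if h.startswith(prefix)}


def password_is_breached(password: str, corpus: Set[str] = BREACHED_SHA1) -> bool:
    """Run when a user sets or changes a password; the plaintext never leaves
    this function and only a hash prefix is sent to the lookup."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5], corpus)


def audit_accounts(accounts: List[VpnAccount], now: datetime,
                   dormant_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [findings]} for accounts that are dormant (unused for
    longer than dormant_days, or never used) or that lack MFA. Accounts with
    no findings are omitted."""
    cutoff = now - timedelta(days=dormant_days)
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        tags: List[str] = []
        if acct.last_login is None or acct.last_login < cutoff:
            tags.append("dormant")
        if not acct.mfa_enabled:
            tags.append("no_mfa")
        if tags:
            findings[acct.username] = tags
    return findings


# Audit date chosen to match the April 29 initial-access date in the article.
SAMPLE_NOW = datetime(2021, 4, 29, tzinfo=timezone.utc)

# Constructed accounts: one healthy, one dormant and MFA-less, one active but
# MFA-less, one never used.
SAMPLE_ACCOUNTS = [
    VpnAccount("alice", True, datetime(2021, 4, 28, tzinfo=timezone.utc)),
    VpnAccount("legacy-vpn", False, datetime(2020, 12, 1, tzinfo=timezone.utc)),
    VpnAccount("bob", False, datetime(2021, 4, 20, tzinfo=timezone.utc)),
    VpnAccount("svc-old", True, None),
]

if __name__ == "__main__":
    for user, tags in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_NOW).items():
        print(f"{user}: {', '.join(tags)}")
    print("Summer2020! breached:", password_is_breached("Summer2020!"))
```

The dormancy and MFA checks are deliberately separate findings: an account like the constructed `legacy-vpn` entry trips both, which is the combination the article describes, while an active account without MFA is still worth flagging on its own. The breach check belongs in the password-set path rather than in a periodic audit, since a properly hashed password store cannot be compared against a SHA-1 feed after the fact.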

Carmakal stated, “We did a pretty exhaustive search of the environment to try and determine how they actually got those credentials”.

“We don’t see any evidence of phishing for the employee whose credentials were used. We have not seen any other evidence of attacker activity before April 29”.

Mandiant also tracked the hackers' network movements to determine how close they were to compromising the computer system that controls the actual flow of gasoline. As the hackers moved through the company's information technology network, there was no indication that they were able to compromise the more important operational technology systems.

Colonial paid a $4.4 million ransom to the hackers, affiliated with DarkSide, shortly after the hack. According to Bloomberg News, the hackers allegedly captured about 100 GB of data from Colonial Pipeline and threatened to release it if the demanded ransom was not paid.