Colonial Pipeline ransomware attack linked to a single VPN login

Last month’s oil pipeline ransomware incident that spurred fuel shortages/hoarding and a $4.4 payout to the attackers has apparently been traced back to an unused but still active VPN login. Mandiant exec Charles Carmakal told Bloomberg that their analysis of the attack found that the suspicious activity on Colonial Pipeline’s network started April 29th.

While they couldn’t confirm exactly how the attackers got the login, there apparently isn’t any evidence of phishing techniques, sophisticated or otherwise. What they did find is that the employee’s password was present in a dump of login shared on the dark web, so if it was reused and the attackers matched it up with a username, that could be the answer to how they got in.

Then, a little more than a week later a ransom message popped up on Capital Pipeline’s computer screens and staff started shutting down operations. While this is just one in a never-ending string of similar incidents, the impact of the shutdown was great enough that Capital Pipeline’s CEO is scheduled to testify in front of congressional committees next week, and the DoJ has centralized ransomware responses in a manner similar to the way it deals with terrorism cases.