In April 2021, hackers gained access to the network of Colonial Pipeline and deployed ransomware that forced the shutdown of a fuel pipeline system serving the Eastern Seaboard of the United States. With fuel supplies threatened, there was panic buying of fuel by Americans on the East Coast which led to local fuel shortages. Gasoline prices rose to their highest level in more than 6 years, and stockpiles of gasoline on the East Coast fell by 4.6 million barrels.
The attack has been attributed to the DarkSide ransomware-as-a-service operation, which has since shut down. Prior to the shutdown, Colonial Pipeline paid a $4.4 million ransom for the keys to unlock the encrypted files. The decision to pay the ransom was made because of the threat to fuel supplies. Colonial Pipeline supplied 45% of fuel to the East Coast, and while paying the attackers was a difficult decision, payment was made due to the threat to fuel supplies given how long it was likely to take to recover without the attacker-supplied decryption keys.
Such a major attack on a critical infrastructure firm should have been difficult; however, an investigation into the cyberattack revealed gaining access to the company’s computer system couldn’t have been simpler. The attackers used a compromised password to remotely access Colonial Pipeline’s systems, and that account was not protected with multi-factor authentication.
The password was for a virtual private network account, according to Charles Carmakal, senior vice president at cybersecurity firm Mandiant which was involved in the investigation. The account was not in use, but it was still possible to use the login credentials to access Colonial Pipeline’s network.
It is not known how the hackers obtained the password. The password has since been found in a database of breached passwords that was leaked on the darkweb. It is possible that an individual had set a password for the account that had been used on another account that had been breached. It is common for passwords from data breaches to be attempted in brute force attacks as password reuse is common. Passwords are also often obtained in phishing attacks.
Mandiant looked for evidence of how the password was obtained by the hackers. The researchers found no signs of attacker activity before the April 29, 2021 nor any evidence of phishing. How the password was obtained and the username determined may never be known.
What is clear is that the attack could have easily been prevented had cybersecurity best practices been followed such as conducting audits of accounts and shutting down accounts that are no longer in use, setting unique, complex passwords for each account, implementing multi-factor authentication to stop compromised passwords from being used, and implementing an effective anti-spam solution to block phishing emails.