Colonial Pipeline ransomware attack linked to a single VPN login

Last month’s oil pipeline ransomware incident that spurred fuel shortages/hoarding and a $4.4 payout to the attackers has apparently been traced back to an unused but still active VPN login. Mandiant exec Charles Carmakal told Bloomberg that their analysis of the attack found that the suspicious activity on Colonial Pipeline’s network started April 29th.

While they couldn’t confirm exactly how the attackers got the login, there apparently isn’t any evidence of phishing techniques, sophisticated or otherwise. What they did find is that the employee’s password was present in a dump of login shared on the dark web, so if it was reused and the attackers matched it up with a username, that could be the answer to how they got in.

Then, a little more than a week later a ransom message popped up on Capital Pipeline’s computer screens and staff started shutting down operations. While this is just one in a never-ending string of similar incidents, the impact of the shutdown was great enough that Capital Pipeline’s CEO is scheduled to testify in front of congressional committees next week, and the DoJ has centralized ransomware responses in a manner similar to the way it deals with terrorism cases.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.

Similar Articles

Comments

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Why Utilities Want to (Sometimes) Control Your Smart Thermostat

One of modern life’s most satisfying certainties is dialing in the AC and sitting back as the room magically maintains your temperature of choice....

24 Best Gaming Gear Deals for Prime Day 2021: PC, Switch, PlayStation, Xbox

the world is opening up again, but on a sizzling summer day you might still want to stay inside with the shades drawn and...