Colonial Pipeline attack began with compromised account credentials

The Colonial Pipeline ransomware attack, which saw one of the largest pipelines in the US shut down its servers and raised the price of oil to $3 per gallon, began with a compromised VPN account, investigators have found.

As reported by multiple media sources, including The Verge, the VPN service the company used did not have two-factor authentication enabled. Once the login credentials for the VPN were obtained, the criminals gained easy access to the network with no further check in their way.

How exactly they obtained the login credentials remains unclear, but Bloomberg suggested the compromised password was discovered in a batch of credentials leaked on the dark web.

Cybersecurity firm Mandiant says the breach took place on April 29, but the ransomware attack was triggered on May 7, when an employee first discovered the ransom note.

The results of the attack are already known: the company had to force its servers offline to contain the damage, resulting in a rise in the price of oil.

The Transportation Security Administration subsequently created a new policy that requires pipeline operators to report any cyberattacks to the government within twelve hours of discovery, while the company’s CEO, Joseph Blount, will speak before the House Committee on Homeland Security this Wednesday.

Talking to NPR recently, he confirmed the company paid almost $4.5 million in ransom fees, saying it was “the right decision to make for the country”.