Colonial Pipeline hackers entered network through a single compromised password
Password was leaked on the dark web
Researchers investigating the cyber attack on Colonial Pipeline have found that the hackers responsible used a compromised VPN password to gain access.
In an interview with Bloomberg, Charles Carmakal, senior vice president at cybersecurity firm Mandiant, said the attackers entered Colonial's networks on 29th April using a VPN account that was no longer in use.
The account, which has now been deactivated, didn't use multi-factor authentication, and its password was found inside a batch of leaked passwords on the dark web.
It's unclear whether the attackers also found the correct username online, or were able to figure it out on their own.
"We did a pretty exhaustive search of the environment to try and determine how they actually got those credentials," Carmakal said.
"We don't see any evidence of phishing for the employee whose credentials were used. We have not seen any other evidence of attacker activity before April 29."
According to Carmakal, a Colonial employee might have used the same password on another account that was previously compromised.
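The intrusion described above combined three conditions that are each easy to audit for: an account nobody had logged into for months, no multi-factor authentication on it, and a password that already sat in a breach corpus. The following script is an added example, not code from Colonial, Mandiant or Bloomberg, showing how an administrator can sweep an account inventory for that combination. The account list, the breach dump and the dates are constructed sample data; the lookup indexes the dump by the first five hex characters of each SHA-1, the same range scheme the Pwned Passwords service uses, so a real deployment could swap the local index for that API without changing the audit logic.

```python
"""Audit VPN accounts for dormancy, missing MFA and breached passwords.

Added example; not Colonial's or Mandiant's code. All accounts, passwords
and dates below are constructed sample data."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    password_sha1: str        # upper-hex SHA-1, the format breach corpora commonly use
    mfa_enabled: bool
    last_login: Optional[date]  # None means the account has never logged in


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def build_range_index(leaked_passwords: List[str]) -> Dict[str, Set[str]]:
    """Index a breach dump by the first 5 hex chars of each SHA-1.

    A lookup then only needs the prefix, so the full hash never leaves the
    caller (the k-anonymity scheme used by Pwned Passwords)."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for pw in leaked_passwords:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def password_is_leaked(password_sha1: str, index: Dict[str, Set[str]]) -> bool:
    prefix, suffix = password_sha1[:5], password_sha1[5:]
    return suffix in index.get(prefix, set())


def audit_accounts(accounts: List[Account], index: Dict[str, Set[str]],
                   today: date, dormant_days: int = 90) -> List[Tuple[str, List[str]]]:
    """Return (username, issues) for every account with at least one finding."""
    findings = []
    for acct in accounts:
        issues = []
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            issues.append("dormant")
        if not acct.mfa_enabled:
            issues.append("no-mfa")
        if password_is_leaked(acct.password_sha1, index):
            issues.append("leaked-password")
        if issues:
            findings.append((acct.username, issues))
    return findings


def critical_accounts(findings: List[Tuple[str, List[str]]]) -> List[str]:
    """Accounts showing all three conditions at once: the combination that
    gave the attackers a working VPN login."""
    required = {"dormant", "no-mfa", "leaked-password"}
    return [user for user, issues in findings if required <= set(issues)]


# Constructed breach dump (stand-in for a dark-web credential batch).
LEAKED = ["Summer2020!", "Password1", "welcome123"]
RANGE_INDEX = build_range_index(LEAKED)

# Constructed account inventory, audited as of the intrusion date.
TODAY = date(2021, 4, 29)
ACCOUNTS = [
    Account("contractor01", sha1_hex("Summer2020!"), False, date(2020, 11, 3)),
    Account("jsmith", sha1_hex("Summer2020!"), True, date(2021, 4, 28)),
    Account("ops-admin", sha1_hex("Tr0ub4dor&3-unique"), False, None),
    Account("mlee", sha1_hex("k9#Lq2!vPz"), True, date(2021, 4, 27)),
]

if __name__ == "__main__":
    results = audit_accounts(ACCOUNTS, RANGE_INDEX, TODAY)
    for user, issues in results:
        print(f"{user}: {', '.join(issues)}")
    print("critical:", critical_accounts(results))
```

Running it flags `contractor01` as critical (dormant, no MFA, breached password), while `jsmith` reuses the same breached password but has MFA and recent activity, and `ops-admin` has never logged in and lacks MFA but its password is not in the dump. The point of separating the three checks is that each one alone is a cleanup item; all three on one account is an open door.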
A Colonial control room employee discovered the ransomware attack on the morning of the 7th May, after seeing a ransom note demanding cryptocurrency, Colonial CEO Joseph Blount told Bloomberg.
The employee immediately notified a supervisor, who started the process of shutting down the pipeline to contain the threat.
"We had no choice at that point," Blount said.
Blount is scheduled to appear before Congressional committees on 9th June, where he will provide further detail about the attack, including the firm's decision to pay a ransom to the attackers.
Colonial Pipeline carries about 45 per cent of all fuel consumed on the East Coast. The firm's pipeline spans nearly 8,850 kilometres from Houston, Texas to the New York area, carrying more than 100 million gallons of petrol, diesel and other fuels daily.
The shutdown of Colonial's system sparked panic in the southeastern US, with residents seen queuing at petrol pumps for several hours over fears of a fuel shortage. Petrol prices rose as a result of the supply disruption, and some stations ran out of fuel.
The Department of Transportation issued an emergency order, allowing truckers supplying fuel in affected states to work longer hours than federal rules normally allow.
About a week after discovering the attack, Colonial paid nearly $5 million (about £3.55 million) ransom to the DarkSide ransomware group.
In a post online, DarkSide apologised for the attack, saying they are 'apolitical' and 'do not participate in geopolitics'.
'Our goal is to make money and not creating [sic] problems for society,' they wrote.
The group also promised to vet its targets more closely in the future.
Blount said he wants the US government to go after cyber criminals who have found a safe haven in Russia, and use it as a base to attack private firms and organisations in the US and other countries.
"Ultimately the government needs to focus on the actors themselves," he said.
"As a private company, we don't have a political capability of shutting down the host countries that have these bad actors in them."