How did criminals take down that oil pipeline?

Colonial Pipeline made history last month when it reported being the victim of a ransomware attack, the largest cyberattack on US critical infrastructure to date. Cybercriminals shut down the major pipeline, which serves the entire eastern seaboard, from the southern states as far north as New York, causing major disruption including fuel shortages, a sharp rise in gas prices and airlines scrambling for fuel.

The attack’s effects were so severe that President Joe Biden declared a state of emergency, and Colonial Pipeline ended up paying the ransom, about $4.4 million in Bitcoin, to the Russia-based criminal (non-state) ransomware gang DarkSide in exchange for a decryption tool to restore the systems the gang had encrypted.

So how did the cybercriminals get into Colonial Pipeline’s network and take it down?

Was it a sophisticated email phishing campaign with a malicious payload?

FireEye, the cybersecurity firm hired to perform the investigation, announced that it took only one old, no-longer-used password for the DarkSide cybercriminals to breach the network: they used it to log in over the VPN and then encrypted everything. The revelation highlights the importance of password security, and comes on the heels of a separate report that hackers posted the largest password collection to date, a 100 gigabyte file called “RockYou2021” containing 8.4 billion passwords, to a popular hacker forum earlier this week.

The Takeaway

The password used in the Colonial attack was found in a batch of leaked passwords posted on the dark web, and no evidence of phishing has been found. In fact, no evidence of any other attacker activity before the attack has been found. In short, the attack came right out of nowhere and took advantage of poor cyber hygiene.

What can we learn? This news highlights the weakness of the most common method for allowing employees to access corporate networks, a VPN protected by a password alone, even though numerous inexpensive multi-factor authentication methods are available. Without MFA, anyone with nefarious intent can access a company network and use it for financial gain or disruption, since huge numbers of passwords are constantly being dumped online.
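The kind of audit this points at, as an added example that is not from the original post or from Colonial Pipeline's investigators: a Python script that flags VPN accounts which are stale (no login in 90 days), lack MFA, or use a password that appears in a leaked-password corpus. The account names, passwords, dates and the tiny "leak corpus" are all constructed for the demo; the leak check mirrors the k-anonymity range lookup of the Have I Been Pwned "Pwned Passwords" API (send a 5-character hash prefix, compare the rest locally) but runs entirely offline.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the format public breach corpora such as HIBP use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a leaked-password corpus: hashes of a few
# illustrative weak passwords, not real leaked credentials.
LEAKED_SHA1: Set[str] = {sha1_hex(p) for p in ("Summer2019!", "Welcome1", "P@ssw0rd")}


@dataclass
class VpnAccount:
    username: str
    last_login: Optional[date]   # None means the account has never logged in
    mfa_enabled: bool
    password_sha1: str           # SHA-1 of the password, kept only for this demo


def password_is_leaked(password_sha1: str, corpus: Set[str] = LEAKED_SHA1) -> bool:
    """k-anonymity range check in the style of the HIBP Pwned Passwords API:
    only the first 5 hex characters of the hash would leave the machine; the
    remaining 35 are compared locally against the hashes in that range.
    Here the "range" is served from the constructed corpus above."""
    prefix, suffix = password_sha1[:5], password_sha1[5:]
    range_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in range_suffixes


def audit(accounts: List[VpnAccount], today: date,
          max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [issues]} for every account that is stale, lacks MFA,
    or uses a password present in the leak corpus. Clean accounts are omitted."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        if acct.last_login is None or (today - acct.last_login).days > max_idle_days:
            issues.append("stale")
        if not acct.mfa_enabled:
            issues.append("no_mfa")
        if password_is_leaked(acct.password_sha1):
            issues.append("leaked_password")
        if issues:
            findings[acct.username] = issues
    return findings


TODAY = date(2021, 6, 11)  # constructed reference date for the sample

# Constructed sample accounts; every name and password is hypothetical.
SAMPLE_ACCOUNTS: List[VpnAccount] = [
    VpnAccount("jdoe", TODAY - timedelta(days=3), True, sha1_hex("correct horse battery staple")),
    VpnAccount("contractor01", TODAY - timedelta(days=200), False, sha1_hex("Summer2019!")),
    VpnAccount("asmith", TODAY - timedelta(days=10), False, sha1_hex("Welcome1")),
    VpnAccount("svc-backup", None, True, sha1_hex("x7#Qm!pL2vR9")),
]


def run_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed accounts."""
    return audit(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, issues in run_sample().items():
        print(f"{user}: {', '.join(issues)}")
```

Real systems cannot (and should not be able to) recover plaintext from stored password hashes, so the leaked-password check belongs in the password-change and login paths, where the plaintext is briefly in hand; NIST SP 800-63B recommends screening passwords against breach corpora at exactly those points. The last-login and MFA columns would come from the VPN gateway's or identity provider's user export, and the "stale" list is the one to disable first, since an unused account with a reused password is precisely what the Colonial attackers walked in with.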

Good cyber hygiene includes enabling multi-factor authentication on every service that offers it and using a unique password for every website and network resource. You’ll need a password manager to do this, because remembering hundreds of unique passwords is not humanly possible. This short video explains why you should stop memorizing your passwords and what to do about it:


Stay safe out there.

-A