EXECUTIVE SUMMARY:

Last month, the DarkSide cyber criminal group carried out a cyber attack on Colonial Pipeline Co. The ensuing ransomware scheme resulted in significant disruptions to US fuel transport. The episode remains under intensive investigation by federal officials and cyber security experts. Some characterized the attack as the “most disruptive cyberattack on record”.

How did attackers get in?

Attackers found and weaponized the password for an older VPN account, which was no longer in use. The cyber criminals leveraged this account to break into Colonial Pipeline Co.’s systems.

This information highlights the importance of password security. The news emerged just after a separate report stating that hackers may have dumped the largest collection of passwords on the internet to date.

According to Bloomberg, the password that enabled hackers to conduct an attack on Colonial Pipeline Co. was also found within an aggregate of leaked passwords on the dark web.

However, investigators are still unclear on this one thing…

How did hackers obtain the password in the first place? Did they dig through a database on the dark net? Did they phish an employee to steal credentials? One theory is that the password may have slipped into the wrong hands when another account was hacked on a previous occasion.

The password security conundrum

This password snatching highlights the inherent security issues around what remains the most commonly deployed method for enabling employees to access corporate networks: password mandates. Should organizations give multi-factor authentication and other identity-management methods a spin? Experts assert that these methodologies can help businesses secure sensitive data.

This incident demonstrates how simple it is for a person with criminal intent to obtain a person’s password and to disrupt systems. The large caches of passwords consistently dumped online are perceived as a preeminent security problem.

“The bar is now ridiculously low for attackers to come into contact with such large sums of data, virtually undetected,” says expert Mike Puglia. “It requires minimal technical ability, and the financial cost to carry attacks out is negligible.”

On the dark net, credential lists are easily purchased by anyone interested. They purportedly yield a 0.2-0.5 percent success rate against targets, which is enough to compromise a limited number of common environments, notes Puglia.

“As long as the success rates remain high and the cost and effort remains low, these attacks will continue to increase,” he continues.
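The two weaknesses this section and the one before it describe, a dormant VPN account that was never disabled and a password that also appeared in a leaked credential aggregate, are both things a defender can check for routinely. The following is an added example written for this page, not code from Colonial Pipeline, DarkSide or any vendor quoted here. It assumes a constructed list of account records and a constructed set of SHA-1 hashes standing in for a leaked-password corpus; the prefix-only lookup mirrors the k-anonymity style of public breach-check services, but here everything runs locally and offline.

```python
"""Audit account records for dormancy, missing MFA and leaked passwords.

Added illustration for the article above; all data below is constructed.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a leaked-password corpus: SHA-1 hashes of a few
# passwords assumed to have appeared in a public dump.
LEAKED_PASSWORD_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123", "Summer2021!", "letmein")
}

# Accounts with no login for this long are treated as dormant (assumed policy).
DORMANT_AFTER = timedelta(days=90)


def password_in_leaked_corpus(password, corpus=LEAKED_PASSWORD_SHA1):
    """k-anonymity style lookup: only the first five hex characters of the
    hash would leave the client; the suffix is matched locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidate_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidate_suffixes


def password_allowed(candidate):
    """Gate to run at password-set time: reject anything in the leaked corpus."""
    return not password_in_leaked_corpus(candidate)


def audit_accounts(accounts, now, dormant_after=DORMANT_AFTER):
    """Return (user, [issues]) for every account that should be disabled,
    enrolled in MFA, or both. `last_login` of None means never logged in."""
    findings = []
    for acct in accounts:
        issues = []
        last = acct["last_login"]
        if last is None or now - last > dormant_after:
            issues.append("dormant")
        if not acct["mfa_enrolled"]:
            issues.append("no-mfa")
        if issues:
            findings.append((acct["user"], issues))
    return findings


# Constructed sample directory export; the reference date is also constructed.
NOW = datetime(2021, 5, 7, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"user": "vpn-legacy-01", "last_login": datetime(2021, 1, 10, tzinfo=timezone.utc),
     "mfa_enrolled": False},
    {"user": "jdoe", "last_login": NOW - timedelta(days=2), "mfa_enrolled": True},
    {"user": "contractor-tmp", "last_login": None, "mfa_enrolled": False},
]

if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{user}: {', '.join(issues)}")
    print("Password123 allowed?", password_allowed("Password123"))
```

The audit deliberately reports dormancy and missing MFA separately: a dormant account should be disabled outright, while an active account without MFA needs enrollment before it can keep remote access. The password gate belongs in the password-change path, since the article's point is that a credential can be valid on the corporate side and already public at the same time.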

Disruptive attack methodology

Colonial Pipeline initially reported the attack on its infrastructure on May 7th, 2021. Shortly thereafter, the attack halted pipeline operations along the entire Eastern Seaboard, from New York to the southern US states. Fuel shortages led airline operators to consider flight stoppages and, at the consumer level, resulted in long lines at gas stations and sharp price increases.

The attack resulted in serious setbacks for businesses and individuals alike. Due to the astonishingly wide impact, President Biden’s administration declared a state of emergency.

The criminal crew responsible for the attack, DarkSide, publicly stated that the group’s intent was financial gain. The ensuing disruption represented collateral damage; it was not a part of the group’s initial plan.

Colonial Pipeline initially paid $4.4 million to hackers in order to decrypt systems. In recent days, the FBI and the US Department of Justice successfully traced the payment through a series of cryptocurrency wallets. Their efforts resulted in the reclamation of roughly $2.3 million worth of the initial bitcoin payment.

To find out about new pipeline regulations and oversight initiatives, click here. For more on DarkSide’s password theft operation, visit ThreatPost.