Last month’s oil pipeline ransomware incident, which resulted in fuel shortages and hoarding and a payout of $4.4 to the attackers, has apparently been attributed to an unused but still active VPN login. Mandiant manager Charles Carmakal told Bloomberg that their analysis of the attack revealed that suspicious activity on the Colonial Pipeline network began on April 29th.
Although they could not confirm exactly how the attackers obtained the login, there appears to be no evidence of sophisticated phishing or similar techniques. They found that the employee’s password was in a login dump shared on the dark web. So if the password was reused and the attackers matched it to a username, that could explain how they got in.
Then, just over a week later, a ransom message popped up on Colonial Pipeline’s computer screens and employees began to shut systems down. While this is just one of an endless series of similar incidents, the impact of the shutdown was such that the CEO of Colonial Pipeline is due to testify before congressional committees next week, and the DoJ has centralized its handling of ransomware cases in the same way it deals with terrorism incidents.