‘DarkSide’ Hackers Used Leaked VPN Credentials to Compromise ‘Colonial Pipeline’

  • An unused VPN account was enough for ‘DarkSide’ actors to disrupt gas supply in the United States.
  • The particular account was leaked onto the dark web and didn’t even have MFA protection.
  • Dormant admin accounts are a huge and undervalued problem in corporate cybersecurity.

As discovered by security firm Mandiant and shared with Bloomberg, the ‘DarkSide’ ransomware gang used leaked VPN credentials that they bought on the dark web to hack into Colonial Pipeline’s corporate network. The account leveraged for this belonged to an employee who had left the company, yet it remained active and usable.

The account has now been deactivated, but not before ‘DarkSide’ caused a significant economic disruption in the United States, leading to a series of legislative initiatives and the formation of special task forces to tackle ransomware.

According to the report, there are no indications that the employee was phished, so the credentials were most likely acquired from a dark web market. It was also discovered that the particular VPN account didn’t use multi-factor authentication, meaning Colonial Pipeline’s security team failed to follow even the basic security practices.

According to Mandiant, the hackers could have done far more damage with this access than they actually did, which is why the gas distributor was able to get everything back up and running within a few days.

As the internal investigations revealed, the hackers were present in Colonial’s network between April 29 and May 7, 2021, the day the encryption took place and the ransom note was dropped. An hour after that, the entire pipeline had been shut down, and the top agencies in the U.S. were mobilized. Mandiant was among the first responders, scanning the network for any detection tools or backdoors that the actors may have planted, but there weren’t any. DarkSide only wanted to get paid, so re-establishing access to the corporate network wasn’t in their interest.

Hackers actively target admin accounts of former employees, probably more often than IT teams like to think. We saw a similar example in January when Nefilim ransomware actors used the account of a deceased employee to roam the network of the victimized firm for over a month. In another case, Ticketmaster employees were caught repeatedly accessing a competitor’s systems using the credentials of a former employee who had left the company long before, yet nobody had bothered to reset the passwords.
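The common thread in all three incidents is an account that should have been disabled, or at least fenced with MFA, but was never reviewed. The following script is an added example, not code from the article or from Mandiant or Colonial Pipeline, of the kind of periodic audit that catches these accounts: it reads an account inventory (the CSV columns and the sample rows are constructed assumptions; a real export would come from the identity provider or the VPN concentrator) and flags any remote-access account that belongs to a terminated user, has not logged in for more than 90 days, or lacks MFA.

```python
"""Audit a remote-access account inventory for dormant, orphaned or MFA-less accounts.

Added example, not code from the original article or from any of the companies it
names. The inventory format (CSV with username, employment_status, vpn_enabled,
mfa_enabled, last_login) is an assumption, and the rows below are constructed.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export; in practice this comes from the IdP / VPN concentrator.
SAMPLE_INVENTORY = """\
username,employment_status,vpn_enabled,mfa_enabled,last_login
alice,active,yes,yes,2021-05-06
bob,terminated,yes,no,2021-01-14
carol,active,yes,no,2021-05-05
dave,active,yes,yes,2020-11-02
erin,terminated,no,no,2019-08-30
"""

# Accounts idle longer than this are treated as dormant (assumed policy threshold).
DORMANT_AFTER = timedelta(days=90)


def parse_inventory(text):
    """Turn the CSV export into a list of normalised account records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": r["username"].strip(),
            "terminated": r["employment_status"].strip().lower() == "terminated",
            "vpn_enabled": r["vpn_enabled"].strip().lower() == "yes",
            "mfa_enabled": r["mfa_enabled"].strip().lower() == "yes",
            "last_login": datetime.strptime(r["last_login"].strip(), "%Y-%m-%d").date(),
        })
    return rows


def audit(rows, today):
    """Return (username, [reasons]) for every VPN-enabled account that needs action.

    Only accounts that can actually reach the network over VPN are reported; an
    account that is disabled for VPN is out of scope for this particular check.
    """
    findings = []
    for r in rows:
        if not r["vpn_enabled"]:
            continue
        reasons = []
        if r["terminated"]:
            reasons.append("terminated user still has VPN access")
        idle = today - r["last_login"]
        if idle > DORMANT_AFTER:
            reasons.append(f"dormant for {idle.days} days")
        if not r["mfa_enabled"]:
            reasons.append("MFA not enforced")
        if reasons:
            findings.append((r["username"], reasons))
    return findings


def run_sample(today=date(2021, 5, 7)):
    """Run the audit over the constructed inventory as of the given date."""
    return audit(parse_inventory(SAMPLE_INVENTORY), today)


if __name__ == "__main__":
    for user, reasons in run_sample():
        print(f"{user}: " + "; ".join(reasons))
```

Run as a scheduled job, the output is a short action list for the identity team: orphaned accounts get disabled, dormant ones get re-verified with their owner or disabled, and MFA-less ones are blocked from VPN until enrolled. The "terminated" check is the one that would have caught the Colonial account; the dormancy check is a safety net for the cases where HR offboarding and account deprovisioning drift apart.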
