[English]The ransomware attack on the US company Colonial Pipeline resulted from a phishing attack in which the hackers captured VPN credentials for the IT systems. Such credentials are now traded on the darknet for numerous companies. In addition, the FBI has managed to recover part of the ransom paid. Here is an overview of these new developments.
In May of this year, there was a successful ransomware attack against the operator of a U.S. pipeline. Colonial Pipeline supplies the eastern US with petroleum products, and the shutdown of the pipeline caused fuel shortages in the areas it supplies. I have reported on this several times on the blog (see the links at the end of the article). But how did the attackers get into the system?
VPN credentials obtained from the darknet
Newsweek reports here that the successful ransomware attack that crippled the Colonial Pipeline and caused fuel shortages on the East Coast was enabled through an unprotected virtual private network (VPN). The cybergang DarkSide, responsible for the hack, gained access to the pipeline's system through an unprotected VPN account. The account had been set up to allow employees to remotely access the company's computer networks. This came to light in a Bloomberg interview with Charles Carmakal, senior vice president at security firm Mandiant. Carmakal noted that the account was no longer used by any employee, but was still active and therefore accessible to the hackers.
The password for the VPN account in question (which has since been deactivated) was later found on the dark web in a collection of captured passwords. So it could be that the Colonial employee had used the same password for multiple accounts and had been compromised earlier in a different incident, Carmakal said. However, that is just one possibility.
I recently came across another discussion indicating that whole bundles of several thousand VPN/RDP credentials are probably being traded on the darknet. According to this, access data can be had for a few dollars.
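The two weaknesses described above, an account that nobody uses any more but that is still enabled, and a password that also appears in a leaked-credential collection, are both things a defender can check for routinely. The following Python script is an added example (it is not from the article, from Mandiant or from Colonial Pipeline) that audits a constructed export of remote-access accounts for exactly those two conditions. The column names, the 90-day dormancy threshold and the sample data are assumptions; the script also assumes the export carries unsalted SHA-256 password hashes as a stand-in for the unsalted NT hashes that real audits compare against published leaked-hash lists.

```python
"""Audit a remote-access (VPN) account export for dormant-but-enabled
accounts and for passwords that appear in a leaked-credential collection.

Hypothetical export format and constructed sample data (not real accounts).
"""
import csv
import hashlib
import io
from datetime import date

DORMANT_DAYS = 90  # assumption: 90 days without a login counts as dormant


def sha256_hex(secret: str) -> str:
    """Unsalted SHA-256 hex digest; stand-in for the unsalted hash type an
    audit would really compare (e.g. NT hashes against a published list)."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed leaked-password set. In practice you would load a list of
# hashes published by a breach-notification service, never plaintext.
LEAKED_HASHES = {sha256_hex("Summer2020!"), sha256_hex("Welcome1")}

# Constructed export of remote-access accounts (hypothetical columns).
SAMPLE_EXPORT = f"""username,enabled,last_login,password_sha256
jdoe,true,2021-05-30,{sha256_hex("correct horse battery staple")}
old_vendor,true,2020-12-01,{sha256_hex("Summer2020!")}
svc_monitor,true,2021-06-01,{sha256_hex("Welcome1")}
mlee,false,2020-01-15,{sha256_hex("Summer2020!")}
"""


def audit_accounts(export_text: str, leaked_hashes: set,
                   today_iso: str, dormant_days: int = DORMANT_DAYS):
    """Return a list of (username, issue) tuples.

    issue is "dormant_but_enabled" for an enabled account with no login in
    more than dormant_days days, and "leaked_password" for any account
    whose stored hash is in leaked_hashes (disabled accounts included, since
    the same password may be reused elsewhere).
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"].strip()
        enabled = row["enabled"].strip().lower() == "true"
        idle_days = (today - date.fromisoformat(row["last_login"])).days
        if enabled and idle_days > dormant_days:
            findings.append((user, "dormant_but_enabled"))
        if row["password_sha256"].strip().lower() in leaked_hashes:
            findings.append((user, "leaked_password"))
    return findings


def idle_days_for(export_text: str, username: str, today_iso: str) -> int:
    """Days since the named account's last login (helper for reporting)."""
    today = date.fromisoformat(today_iso)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["username"].strip() == username:
            return (today - date.fromisoformat(row["last_login"])).days
    raise KeyError(username)


if __name__ == "__main__":
    # Fixed "today" so the constructed sample gives repeatable results.
    for user, issue in audit_accounts(SAMPLE_EXPORT, LEAKED_HASHES, "2021-06-08"):
        print(f"{user:<12} {issue:<22} idle {idle_days_for(SAMPLE_EXPORT, user, '2021-06-08')} days")
```

With the sample data, `old_vendor` is flagged twice (enabled but idle for 189 days, and using a leaked password), which is the combination the Colonial account is described as having; `jdoe` produces no finding. An account flagged as dormant should be disabled rather than merely noted, and an account with a leaked password needs a reset regardless of whether it is currently enabled.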
FBI partly recovers the Colonial Pipeline ransom
The surprise of the day, however, came from the American FBI. In a press conference held a few hours ago, the FBI announced that it had recovered a large part of the ransom paid by Colonial Pipeline (see also the following tweet).
It seems that the FBI managed to get hold of the private key for the DarkSide gang's wallet in question. Of the 75 Bitcoin paid, the FBI was able to recover 63.7 Bitcoin. At current prices that is about $2.26 million (it was $3.7 million on May 8). It is unclear how the FBI got hold of this private key. But in May, the DarkSide gang had lost access to its servers and crypto wallet (see DarkSide gang lost access to its servers).
Similar articles:
Ransomware attack on US pipeline operator (May 2021)
Ransomware attack on the US pipeline – the house is burning
Colonial Pipeline Attack: Wasted $5 Million and uses vulnerable Exchange Servers
DarkSide gang lost access to its servers