Alex - stock.adobe.com

Mandiant: Compromised Colonial Pipeline password was reused

The Colonial Pipeline VPN password was relatively complex, according to Mandiant CTO Charles Carmakal, and likely would have been difficult for DarkSide threat actors to guess.

The VPN password that was compromised in the Colonial Pipeline ransomware attack was used on another website, according to a Mandiant executive at a House Committee on Homeland Security hearing Tuesday.

The hearing, titled, "Cyber Threats in the Pipeline: Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure," was led by Rep. Bennie Thompson (D-Miss.). The session was dedicated to discussing the Colonial Pipeline ransomware attack, which occurred in early May and shut down a 5,500-mile oil pipeline for days, leading to gas shortages in parts of the U.S.. Members of the committee asked witnesses Charles Carmakal, senior vice president and CTO at cybersecurity firm Mandiant, and Joseph Blount, CEO at Colonial Pipeline, about how the attack occurred, as well as how they cooperated with the U.S. government.

Much of the information coming out of the hearing was previously known due to a separate Senate hearing Tuesday and press conference Monday that together contained several major revelations, including the announcement that the $4.4 million ransom Colonial paid to ransomware gang DarkSide was partially recovered thanks to an FBI operation. However, a few insights from the hearing added new context to the high-profile attack.

Mandiant CTO Charles Carmakal at House Committee on Homeland Security hearing
Charles Carmakal, senior vice president and CTO at Mandiant, discusses last month's ransomware attack at Tuesday's House Committee on Homeland Security hearing.

Carmakal said near the beginning of the hearing that the VPN login, which remains the earliest known compromise in the attack, was an employee login that wasn't believed to still be active. He added that the employee "may have used" the password on another website that was compromised prior.

After Thompson asked for clarification, Carmakal said the password "had been used on a different website at some point in time" and was a "relatively complex password in terms of length, special characters and case set." It is not currently known how the VPN username was obtained.

Carmakal added that the credentials have been removed and multi-factor authentication has been implemented as part of the recovery. Mandiant was called in May 7 (the day of the attack) to investigate and respond to the Colonial Pipeline attack.

Two other notable pieces of information involved the circumstances of the payment and why that payment was made.

Blount told committee vice president Rep. Ritchie Torres (D.-N.Y.) toward the end of the hearing that the ransom payment was made on Colonial's behalf by a third-party negotiator.

As for why that payment was made, Blount said that while Colonial did have backups and did ultimately use them, the company paid for the decryption key because of the uncertainty surrounding whether the backups were corrupted, compromised or safe to use. Colonial and Mandiant did determine that the backups were safe, but the payment was made so the pipeline could get back online as soon as possible.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Next Steps

US government launches 'StopRansomware' site

Dig Deeper on Security operations and management