The ransomware attack on Colonial Pipeline, which caused fuel shortages in the United States, was the result, according to Bloomberg, of a textbook cascade of lapses reflecting non-compliance with the most basic cybersecurity standards.
Mandiant researchers found no evidence that the employee whose credentials were used to deploy the ransomware had been phished.
Instead, they found that the intrusion began over the VPN using that employee's compromised password. The account was no longer in use at the time of the attack, but it had never been deactivated.
Mandiant also found the same password in a batch of leaked credentials for sale on the dark web, suggesting it had been exposed for some time.
Although it has not been established that the compromise was the result of this dark-web leak, the VPN did not require two-factor authentication, so the password alone was enough to get in.
Hackers associated with the Russia-linked cybercriminal group DarkSide also stole nearly 100 GB of data and threatened to publish it if Colonial did not pay the ransom.
A cascade of blunders that, beyond the 75 bitcoin ransom (just under $4.4 million), prompted the US Department of Justice to elevate ransomware investigations to the same priority as terrorism.