‘DarkSide’ Hackers Used Leaked VPN Credentials to Compromise ‘Colonial Pipeline’

Last updated July 30, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

As discovered by security firm Mandiant and shared with Bloomberg, the ‘DarkSide’ ransomware gang used leaked VPN credentials that they bought on the dark web to hack into ‘Colonial Pipeline’s corporate network. The account that was leveraged for this belonged to an employee that had left the company, yet it remained active and usable.

The account has now been deactivated, but not before ‘DarkSide’ caused a significant economic disruption in the United States, leading to a series of legislative initiatives and the formation of special task forces to tackle ransomware.

According to the report, there are no indications of phishing the employee, so acquiring the credentials came from a dark web market. Also, it was discovered that the particular VPN account didn’t use multi-factor authentication, so the security team of Colonial Pipeline failed to follow all the basic security practices.

Through this access, the hackers could have done a lot more damage than what they ended up doing according to Mandiant, and this is why the gas distributor was able to get everything back up and running within a few days.

As the internal investigations revealed, the hackers were present in Colonial’s network between April 29 and May 7, 2021 - when the encryption took place and the ransom note was dropped. An hour after that, the entire pipeline had been shut down, and the top agencies in the U.S. were mobilized. Mandiant was among the first responders, scanning the network to find any detection tools or backdoors that the actors may have planted, but there weren’t any. DarkSide only wanted to get paid, so re-establishing access on the corporate network wasn’t in their interests.

Hackers actively target admin accounts of former employees, maybe more often than IT teams like to think. We saw a similar example in January when Nefilim ransomware actors used the account of a deceased employee to roam the network of the victimized firm for over a month. In another case, Ticketmaster employees were uncovered for repeatedly accessing a competitor’s systems by using the credentials of a former employee who had left the company long before, yet nobody bothered to reset the passwords.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: