Summary
On 7 May 2021 the DarkSide ransomware crew hit Colonial Pipeline, operator of the largest fuel pipeline in the United States, and the company shut down operations for six days, triggering fuel shortages and panic buying across 17 states. The entry point was mundane: a single leaked password for a legacy VPN account that was no longer used but had never been disabled, and that was not protected by multi-factor authentication. With that one credential the attackers reached the IT network, deployed ransomware, and stole about 100 GB of data. Colonial paid roughly 75 BTC (about $4.4 million) the day after the attack, most of which the US DOJ later clawed back. It is the case study for MFA everywhere and for killing dormant accounts.
How it happened
The entry point was almost embarrassingly small. Around 29 April 2021, the DarkSide ransomware crew logged into Colonial Pipeline's network using a single username and password for a legacy VPN account. The account was no longer in active use, but it had never been disabled, and, critically, it was not protected by multi-factor authentication. The password later turned up in a batch of leaked credentials on the dark web, suggesting the employee had reused it somewhere that was itself breached. Investigators noted the password was actually complex, so the failure was reuse plus the missing second factor, not a guessable password, and there was no sign the employee had been phished. One reused password, on one forgotten account, with no second factor, was the entire front door.
From there DarkSide moved through Colonial's IT (business) network, stole about 100 GB of data over a couple of hours on 6 May, and on 7 May deployed ransomware that encrypted billing and back-office systems. The pipeline's operational technology, the systems that actually move fuel, was not infected. Colonial shut the pipeline down anyway, partly out of caution and partly because, with billing frozen, it could not track or charge for what it was shipping. That decision is what turned an IT ransomware incident into a national fuel crisis.
The damage
Colonial Pipeline carries about 45% of the fuel consumed on the US East Coast, and it was offline for six days. The result was fuel shortages, panic buying, and emergency declarations across 17 states and Washington DC, with some airports rationing jet fuel. Colonial paid DarkSide a ransom of 75 Bitcoin, about $4.4 million, the day after the attack, though the decryptor it received was so slow the company restored from its own backups anyway; it restarted the pipeline on 12 May, with normal flow returning a few days later. In a rare win, the US Department of Justice traced and seized about 63.7 of those Bitcoin weeks later, the attacker's affiliate share, recovered because the FBI held the private key to the wallet the coins were sent to. The attack pushed ransomware to the top of the US national-security agenda and led directly to the TSA's first mandatory pipeline-cybersecurity directive and President Biden's executive order on cybersecurity.
Why Colonial still matters
Colonial is the cleanest argument for two boring controls. First, MFA everywhere: a second factor on that one VPN account would have stopped the entire attack, because a leaked password alone would not have been enough. Second, kill dormant accounts: an unused login that still works is a free key sitting under the doormat. It is also a lesson in IT and OT separation: the operational side was never touched, yet the business-side compromise still forced the pipeline down because the two were entangled. And it reopened the hard debate about paying ransoms, which funds the next attack; the DOJ clawback was the exception, not the rule.
How to fix it
- Disable the compromised account and any other dormant or unused accounts, and force password resets with MFA enrollment.
- Isolate affected systems, restore from clean offline backups, and rotate exposed credentials and keys.
- Engage incident response and law enforcement early; paying is a last resort and recovery may be possible without it.
- Reconstruct the intrusion from VPN and authentication logs and close the access path.
How to prevent it
- Require phishing-resistant MFA on every remote-access and VPN account, with no exceptions for "legacy" or service accounts.
- Deprovision dormant accounts automatically; an unused login that still works is a free key for an attacker.
- Monitor credential dumps and dark-web leaks for your domains, and rotate on exposure; a reused password is a breach waiting to happen even when it is complex.
- Segment IT from OT and critical operations so an IT compromise cannot force an operational shutdown.
- Keep tested, offline backups and a rehearsed ransomware response plan.
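The two controls the fix and prevention lists keep returning to, disabling dormant logins and refusing password-only remote access, can be checked mechanically against an account inventory. The audit below is an added example, not Colonial's or anyone's tooling; the inventory fields, the 90-day dormancy threshold and the sample rows are constructed assumptions.

```python
# Added audit example (not from the page): flag enabled remote-access accounts that are
# dormant and/or lack MFA; the inventory format and sample rows are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Account:
    username: str
    enabled: bool                   # still able to log in
    vpn_access: bool                # entitled to remote access / VPN
    mfa_enrolled: bool              # a second factor is registered and enforced
    last_login: Optional[datetime]  # None = never logged in

# Finding codes and the action a defender takes for each
ACTIONS = {
    "DORMANT_ENABLED": "disable the account (deprovision if still unused after review)",
    "VPN_NO_MFA": "block remote access until MFA is enrolled",
}

def audit(accounts: List[Account], now: datetime, dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every live attack path in the inventory."""
    cutoff = now - timedelta(days=dormant_days)
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue  # a disabled login is not a door, dormant or not
        if a.last_login is None or a.last_login < cutoff:
            findings.append((a.username, "DORMANT_ENABLED"))
        if a.vpn_access and not a.mfa_enrolled:
            findings.append((a.username, "VPN_NO_MFA"))
    return findings

def critical(findings: List[Tuple[str, str]]) -> List[str]:
    """Usernames carrying both findings: a dormant, password-only remote login."""
    by_user: Dict[str, Set[str]] = {}
    for user, code in findings:
        by_user.setdefault(user, set()).add(code)
    return sorted(u for u, codes in by_user.items() if codes == set(ACTIONS))

# Constructed sample inventory; the date mirrors the intrusion window described above.
NOW = datetime(2021, 4, 29)
SAMPLE = [
    Account("legacy-vpn-01", True, True, False, datetime(2020, 9, 1)),    # forgotten VPN login, no MFA
    Account("jdoe", True, True, True, datetime(2021, 4, 28)),             # active and MFA-protected
    Account("svc-report", True, False, False, None),                      # never used, no VPN entitlement
    Account("old-contractor", False, True, False, datetime(2019, 1, 1)),  # already disabled: skipped
]
```

Running `audit(SAMPLE, NOW)` reports both findings for `legacy-vpn-01`, which `critical()` then singles out as the account profile that opened Colonial's front door.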
References
- https://www.justice.gov/archives/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside
- https://www.chainalysis.com/blog/darkside-colonial-pipeline-ransomware-seizure-case-study/
- https://www.techtarget.com/searchsecurity/news/252502216/Mandiant-Compromised-Colonial-Pipeline-password-was-reused
- https://www.energy.gov/ceser/colonial-pipeline-cyber-incident
Related vulnerabilities
- CRITICAL OPSEC-SNOWFLAKE-2024
In mid-2024, a single gap, accounts without multi-factor authentication, turned into one of the largest waves of data theft ever, hitting Ticketmaster, AT&T, Santander, and around 165 other companies at once. The attackers never broke Snowflake, the cloud data platform all of them used. They simply logged in with valid usernames and passwords, harvested months or years earlier by infostealer malware from employees' personal computers and bought on criminal markets. Where MFA was not turned on, a stolen password was a full key. It is the defining lesson of the infostealer era: your breach can start on an employee's home laptop, and MFA is the difference between a leaked password and a catastrophe.
- CRITICAL OPSEC-MIDNIGHT-BLIZZARD-2024
In January 2024, Microsoft revealed that Russia's foreign-intelligence service, the same APT29 behind SolarWinds, had been reading the email of its senior leadership. The way in was almost insulting in its simplicity: a forgotten, non-production test account with a weak password and no MFA. The attackers guessed the password by spraying common ones across many accounts, then pivoted through a forgotten over-privileged application to grant themselves access to corporate mailboxes, including those of executives and the security and legal teams. It is the lesson that your security is only as strong as the account you forgot about, and that even Microsoft's perimeter fell to a missing MFA checkbox.
- CRITICAL OPSEC-LASTPASS-2022
LastPass is a password manager, the digital vault tens of millions of people trusted with every password they have. In 2022 attackers got into it, and the breach unfolded in a way that turned a developer's home computer into a path to those vaults. A first intrusion stole source code. The attackers used it to identify and target one of only four engineers who held the keys to production backups, planting a keylogger on his home PC through an unpatched flaw in, of all things, his Plex media server. With his master password captured, they exfiltrated backups of customers' encrypted password vaults. The encryption held, but anyone with a weak master password was now exposed to offline cracking at the attacker's leisure. It is the lesson that a vault is only as strong as the master password protecting it, and that your blast radius includes your engineers' home machines.
- HIGH OPSEC-UBER-2022
In September 2022, an 18-year-old broke into Uber and posted screenshots of its internal systems to prove it, an embarrassingly total compromise that started with a tactic anyone can fall for: pestering. The attacker, part of the Lapsus$ group, had a contractor's stolen password, and to get past multi-factor authentication, simply spammed the contractor with login-approval prompts until, worn down and then nudged over WhatsApp by the attacker posing as IT, they tapped "approve." Once inside, the attacker found a script with a hardcoded admin password that unlocked Uber's most powerful systems at once. It is the textbook lesson in MFA fatigue, and in how one hardcoded secret turns a foothold into a takeover.
- HIGH OPSEC-TWILIO-2022
On 7 August 2022, Twilio, a company whose entire business is sending text messages and verification codes for other companies, was breached through text messages. Attackers ran an SMS phishing campaign against Twilio's own employees, texting them fake "your password expired" alerts from numbers that looked like Twilio IT and linking to convincing fake login pages. Several staff entered their credentials, handing over access to internal tools and the data of more than 200 customers, and rippling downstream to users of the secure-messaging app Signal. It was one strike in a sprawling campaign, dubbed 0ktapus, that phished around 130 companies the same way. It is the lesson that phishing-resistant MFA exists for a reason: ordinary credentials and codes can always be talked out of a human.
- HIGH OPSEC-INTERNET-ARCHIVE-2024
The Internet Archive, the nonprofit behind the Wayback Machine, had a brutal October 2024: a data breach, a website defacement, and a wave of DDoS attacks, all at once. Underneath the chaos was an unglamorous root cause. An authentication token sat in plain text in a public config file; the team rotated it repeatedly, but each new token landed right back in the same exposed file, so the leak never actually closed. With it, an attacker downloaded the source code, found more credentials hardcoded inside, and walked out with a database of 31 million users. Weeks later a second token from that same stolen code, for the support system, exposed 800,000 support tickets, some with people's ID documents. It is the lesson that rotating a secret is useless if it goes straight back into a public file, and that one leak unravels everything.