
Colonial Pipeline hack explained: Everything you need to know

A ransomware attack brought a major gas pipeline to a standstill in May. Here's what happened and who was behind the hack.

The Colonial Pipeline was the victim of a ransomware attack in May 2021. It infected some of the pipeline's digital systems, shutting it down for several days.

The shutdown affected consumers and airlines along the East Coast. The hack was deemed a national security threat because the pipeline moves oil from refineries to industry markets, and President Joe Biden declared a state of emergency in response.

The Colonial Pipeline is one of the largest and most vital oil pipelines in the U.S. It began in 1962 to help move oil from the Gulf of Mexico to the East Coast states.

The Colonial Pipeline comprises more than 5,500 miles of pipeline. It starts in Texas and moves all the way up through New Jersey, supplying nearly half of the fuel for the East Coast. The Colonial Pipeline delivers refined oil for gasoline, jet fuel and home heating oil. Colonial Pipeline headquarters is in Alpharetta, Ga.

What is the Colonial Pipeline hack?

The Colonial Pipeline hack is the largest publicly disclosed cyber attack against critical infrastructure in the U.S.

The attack involved multiple stages against Colonial Pipeline IT systems. The pipeline's operational technology systems that actually move oil were not directly compromised during the attack.

The attack began when a hacker group identified as DarkSide accessed the Colonial Pipeline network. The attackers stole 100 gigabytes of data within a two-hour window. Following the data theft, the attackers infected the Colonial Pipeline IT network with ransomware that affected many computer systems, including billing and accounting.

Colonial Pipeline shut down the pipeline to prevent the ransomware from spreading. Security investigation firm Mandiant was then brought in to investigate the attack. The FBI, Cybersecurity and Infrastructure Security Agency, U.S. Department of Energy, and Department of Homeland Security were also notified of the incident.

Colonial Pipeline paid DarkSide hackers to get the decryption key, enabling the company's IT staff to regain control of its systems.

Colonial Pipeline restarted pipeline operations May 12.

What was the root cause of the Colonial Pipeline attack?

Attackers got into the Colonial Pipeline network through an exposed password for a VPN account, said Charles Carmakal, senior vice president and CTO at cybersecurity firm Mandiant, during a hearing before the House Committee on Homeland Security on June 8.

Many organizations use a VPN to provide secure, encrypted remote access into a corporate network. According to Carmakal's testimony, a Colonial Pipeline employee -- who was not publicly identified during the hearing -- likely used the same password for the VPN in another location. That password was somehow compromised as part of a different data breach.

Password reuse is a common problem: many users use the same password across several accounts, so a breach of one service exposes every other account that shares that password.
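As an added illustration (not part of the original article), a defender-side check for the root cause described above: screening VPN account passwords against a corpus of passwords known from other breaches, using the k-anonymity range pattern so that only a 5-character hash prefix ever leaves the client. The breach corpus here is constructed and embedded, standing in for a real breached-password service.

```python
import hashlib

# Constructed breach corpus: SHA-1 hashes of passwords assumed to have leaked
# in an unrelated breach (sample values made up for this example).
LEAKED_PASSWORDS = ["Password123", "Spring2021!", "letmein"]
BREACH_CORPUS = {hashlib.sha1(p.encode()).hexdigest().upper() for p in LEAKED_PASSWORDS}


def range_lookup(prefix: str) -> set:
    """Stand-in for a k-anonymity range endpoint.

    Given the first 5 hex characters of a SHA-1 hash, return every hash suffix
    in the corpus that shares that prefix. The caller never sends the full
    hash, so the service learns only the prefix, not the password itself.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 hash appears in the breach corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Match the remaining 35 hex characters locally against the returned range.
    return suffix in range_lookup(prefix)


def vet_vpn_credentials(accounts: dict) -> list:
    """Return the usernames whose VPN password matches a known-breached password.

    `accounts` maps username -> current password, as a provisioning or
    password-change hook would see it before accepting the credential.
    """
    return [user for user, pw in accounts.items() if is_breached(pw)]


if __name__ == "__main__":
    # Constructed sample accounts: one reuses a leaked password, one does not.
    sample = {"alice": "Password123", "bob": "correct horse battery staple"}
    print("Reused breached passwords:", vet_vpn_credentials(sample))
```

A VPN account that fails this check should be forced to rotate its password and, regardless of the result, be protected by multi-factor authentication so a single exposed password is not enough to connect.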

Colonial Pipeline attack timeline

The Colonial Pipeline attack and recovery unfolded at a rapid pace in a short period of time.

May 6, 2021

  • Initial intrusion and data theft.

May 7, 2021

  • Ransomware attack begins.
  • Colonial Pipeline becomes aware of the breach.
  • Security firm Mandiant called in to investigate and respond to attack.
  • Law enforcement and federal government authorities notified of the attack.
  • Pipeline taken offline to reduce risk of exposure to the operational network.
  • Colonial Pipeline pays ransom of 75 bitcoin ($4.4 million) to DarkSide.

May 9, 2021

  • Emergency declaration by President Joe Biden.

May 12, 2021

  • Pipeline restarted as normal operations resumed.

June 7, 2021

  • Department of Justice recovers 63.7 bitcoin -- approximately $2.3 million -- from the attackers.

June 8, 2021

  • Congressional hearing on the attack.

Who was responsible for the Colonial Pipeline hack?

The Colonial Pipeline hackers were identified as a group known as DarkSide.

As part of a ransomware attack, attackers make a ransom demand, which is how they reveal themselves. If they don't ask for the ransom, they won't get paid -- and getting paid is what ransomware is all about. With ransomware, attackers encrypt an organization's data and hold it hostage until a ransom is paid. Once attackers receive payment, they are supposed to share a decryption key, enabling victims to recover their data.

DarkSide's first publicly reported activity was in August 2020, when it began a malicious campaign of infecting victims with ransomware. DarkSide is thought to be operating out of Eastern Europe or Russia -- though there is no confirmed link with any nation-state sponsored activity. The Russian government has also denied involvement with DarkSide or the pipeline operator attack.

One of the primary ways that DarkSide operates is with a ransomware-as-a-service (RaaS) model. With RaaS, DarkSide provides its ransomware capabilities to other threat actors. Instead of the other threat actors developing their own ransomware, they can use RaaS against potential victims.

Who was affected?

There was significant and immediate effect when the Colonial Pipeline hack occurred.

It affected the airline industry, where there was a jet fuel shortage for many carriers, including American Airlines. There was also limited disruption at other airports, including Atlanta and Nashville.

Fear of a gas shortage caused panic-buying and long lines at gas stations in many states, including Florida, Georgia, Alabama, Virginia and the Carolinas. There was also a spike in the average price at the gas pump, with regular gas topping $3/gallon in the aftermath of the Colonial Pipeline shutdown. Panic-buying did lead to some real shortages in certain areas as consumers bought more gasoline than usual.

In some states, people even filled plastic bags with gasoline. This triggered a U.S. Consumer Product Safety Commission alert, warning consumers to only use containers meant for fuel.

Colonial Pipeline ransom paid and recovered

The goal for attackers in a ransomware attack is to have the victim pay a ransom, which is exactly what Colonial Pipeline did.

The DarkSide attackers asked for a ransom of 75 bitcoin, which was worth approximately $4.4 million on May 7. Bitcoin's value is volatile and fluctuates quickly over short periods of time.

Colonial Pipeline CEO Joseph Blount explained why he decided to pay the ransom during the Congressional hearings. At the time the ransom demand was made, Blount said it wasn't clear how widespread the intrusion was or how long it would take Colonial Pipeline to restore the compromised systems. So Blount decided to pay the ransom, hoping it would speed up the recovery time.

Bitcoin is commonly used by ransomware threat actors due to the mistaken belief that the currency cannot be traced. In a press conference on June 7, Deputy Attorney General Lisa O. Monaco said the U.S. Department of Justice's Ransomware and Digital Extortion Task Force traced the ransom paid by Colonial Pipeline. A Wall Street Journal report on June 11 detailed how FBI agents were able to follow the bitcoin payment trail to recover the ransom.

Bitcoin is a cryptocurrency, and users have a digital wallet to hold it. The DOJ was able to find the digital address of the wallet that the attackers used and got a court order to seize the bitcoin. The operation recovered 64 of the 75 bitcoin that Colonial Pipeline paid. At the time of the recovery, the 64 bitcoin were worth approximately $2.4 million.
