Askhat -

Colonial Pipeline hack explained: Everything you need to know

A ransomware attack brought a major gas pipeline to a standstill in May. Here's what happened and who was behind the hack.

The Colonial Pipeline was the victim of a ransomware attack in May 2021. The ransomware infected part of the company's IT network, and Colonial shut the pipeline down for several days as a precaution.

The shutdown affected consumers and airlines along the East Coast. The hack was treated as a national security matter, because the pipeline carries refined fuels from Gulf Coast refineries to East Coast markets. It prompted the Biden administration to issue a federal emergency declaration easing rules on fuel transport by road.

The Colonial Pipeline is one of the largest and most important fuel pipelines in the U.S. The company was founded in 1962 to move refined petroleum products from Gulf Coast refineries to the East Coast states.

The Colonial Pipeline comprises more than 5,500 miles of pipe. It starts in Texas and runs all the way up to New Jersey, supplying nearly half of the East Coast's fuel. It carries refined products, including gasoline, diesel, jet fuel and home heating oil. Colonial Pipeline is headquartered in Alpharetta, Ga.

What is the Colonial Pipeline hack?

The Colonial Pipeline hack is the largest publicly disclosed cyber attack against critical infrastructure in the U.S.

The attack unfolded in several stages against Colonial Pipeline's IT systems. The operational technology systems that actually move fuel were not directly compromised.

The attack began when a criminal group identified as DarkSide gained access to the Colonial Pipeline network. Before deploying ransomware, the attackers exfiltrated roughly 100 gigabytes of data in about two hours, the double-extortion pattern in which stolen data is held over the victim as well as encrypted systems. The attackers then infected the IT network with ransomware that affected many computer systems, including billing and accounting.

Colonial Pipeline shut down the pipeline to keep the ransomware from spreading toward operational systems. Incident response firm Mandiant was brought in to investigate. The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy and the Department of Homeland Security were also notified.

Colonial Pipeline paid DarkSide hackers to get the decryption key, enabling the company's IT staff to regain control of its systems.

Colonial Pipeline restarted pipeline operations May 12.

What was the root cause of the Colonial Pipeline attack?

Attackers got into the Colonial Pipeline network using an exposed password for a VPN account, said Charles Carmakal, senior vice president and CTO at cybersecurity firm Mandiant, during a hearing before the House Committee on Homeland Security on June 8. The account was a legacy VPN profile that was no longer in active use but had not been disabled, and it was not protected by multifactor authentication.

Many organizations use a VPN to provide encrypted remote access into a corporate network. According to Carmakal's testimony, a Colonial Pipeline employee -- who was not publicly identified during the hearing -- had likely reused the VPN password on another service. That password was compromised in an unrelated data breach and turned up in a batch of leaked credentials.

Password reuse is a common problem: once a password leaks from one service, attackers try it against every other account the victim holds, a technique known as credential stuffing. Each of three ordinary controls would have closed this path: disabling accounts that are no longer in use, requiring multifactor authentication on every remote-access entry point, and screening passwords against corpora of known-breached credentials, as NIST SP 800-63B recommends.
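The breached-password screen mentioned above can be done without ever sending the password, or even its full hash, to the checking service. The example below is added here and is not code from the article or from Colonial Pipeline; it reproduces the k-anonymity range scheme used by services such as Pwned Passwords (client sends the first five hex digits of the SHA-1 hash, server returns every known suffix in that bucket, client matches locally). The leaked-password corpus and the `range_query` endpoint are constructed stand-ins so the code runs offline.

```python
import hashlib
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Constructed "leaked" corpus standing in for a public breach dump. Every entry
# is fabricated for this example; a real check consults a breach service.
LEAKED_PASSWORDS = [
    "Password123", "Password123", "Password123",
    "Summer2021!", "Summer2021!",
    "qwerty", "letmein", "Welcome1",
]

RangeResult = List[Tuple[str, int]]  # (35-hex-char suffix, times seen in breaches)


def sha1_upper(password: str) -> str:
    """Hash exactly as the range scheme expects: SHA-1, uppercase hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: List[str]) -> Dict[str, RangeResult]:
    """Server side: bucket breached hashes by their first five hex digits."""
    counts = Counter(sha1_upper(p) for p in corpus)
    index: Dict[str, RangeResult] = {}
    for digest, seen in counts.items():
        index.setdefault(digest[:5], []).append((digest[5:], seen))
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def range_query(prefix: str) -> RangeResult:
    """Simulated range endpoint (assumption: stands in for a real service).

    It only ever sees the 5-digit prefix, so the full hash and the password
    stay on the client. An empty bucket means nothing matched that prefix.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex digits")
    return RANGE_INDEX.get(prefix, [])


def breach_count(password: str,
                 query: Callable[[str], RangeResult] = range_query) -> int:
    """Client side: how many times this password appears in the breach corpus."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for seen_suffix, seen in query(prefix):
        if seen_suffix == suffix:
            return seen
    return 0


def is_acceptable(password: str, min_length: int = 12) -> bool:
    """Policy in the spirit of NIST SP 800-63B: reject short or breached passwords."""
    return len(password) >= min_length and breach_count(password) == 0


if __name__ == "__main__":
    for candidate in ["Password123", "qwerty", "correct horse battery staple 2021"]:
        print(f"{candidate!r}: seen {breach_count(candidate)} times, "
              f"acceptable={is_acceptable(candidate)}")
```

The same client-side logic works against a real range endpoint by replacing `range_query` with an HTTP call that fetches the bucket for the prefix; the password-handling code does not change. Screening at password-set time catches reuse of known-leaked values, but it does not detect a user reusing a not-yet-leaked password elsewhere, which is why MFA on the VPN is the control that matters most.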

Colonial Pipeline attack timeline

The Colonial Pipeline attack and recovery unfolded at a rapid pace in a short period of time.

May 6, 2021

  • Initial intrusion and data theft.

May 7, 2021 

  • Ransomware attack begins.
  • Colonial Pipeline becomes aware of the breach.
  • Security firm Mandiant called in to investigate and respond to attack.
  • Law enforcement and federal government authorities notified of the attack.
  • Pipeline taken offline to reduce risk of exposure to the operational network.
  • Colonial Pipeline pays ransom of 75 bitcoin ($4.4 million) to DarkSide.

May 9, 2021

  • Federal emergency declaration issued by the Biden administration.

May 12, 2021

  • Pipeline restarted as normal operations resumed.

June 7, 2021

  • Department of Justice recovers 63.7 bitcoin -- approximately $2.3 million -- from the attackers.

June 8, 2021

  • Congressional hearing on the attack.

Who was responsible for the Colonial Pipeline hack?

The Colonial Pipeline hackers were identified as a group known as DarkSide.

Ransomware operators identify themselves through the ransom demand: the business model depends on getting paid, so the attacker has to tell the victim whom to pay. With ransomware, attackers encrypt an organization's data and hold it hostage until a ransom is paid. Once the payment arrives, the attackers are supposed to hand over a decryption key so the victim can recover its data.

DarkSide's first publicly reported activity was in August 2020, when it began a campaign of infecting victims with ransomware. DarkSide is thought to be operating out of Eastern Europe or Russia, though there is no confirmed link with any nation-state sponsored activity. The Russian government has denied involvement with DarkSide or the attack on the pipeline operator.

DarkSide operates primarily under a ransomware-as-a-service (RaaS) model. With RaaS, DarkSide supplies its ransomware and payment infrastructure to other threat actors, known as affiliates, who carry out the intrusions and split each ransom with the developers. Instead of building their own ransomware, affiliates can use the RaaS offering against potential victims.

Who was affected?

The effects of the Colonial Pipeline hack were significant and immediate.

It affected the airline industry, where there was a jet fuel shortage for many carriers, including American Airlines. There was also limited disruption at other airports, including Atlanta and Nashville.

Fear of a gas shortage caused panic-buying and long lines at gas stations in many states, including Florida, Georgia, Alabama, Virginia and the Carolinas. There was also a spike in the average price at the gas pump, with regular gas topping $3/gallon in the aftermath of the Colonial Pipeline shutdown. Panic-buying did lead to some real shortages in certain areas as consumers bought more gasoline than usual.

In some states, people even filled plastic bags with gasoline. This triggered a U.S. Consumer Product Safety Commission alert warning consumers to use only containers meant for fuel.

Colonial Pipeline ransom paid and recovered

The goal for attackers in a ransomware attack is to have the victim pay a ransom, which is exactly what Colonial Pipeline did.

The DarkSide attackers asked for a ransom of 75 bitcoin, which was worth approximately $4.4 million on May 7. Bitcoin's value is volatile and fluctuates quickly over short periods of time.

Colonial Pipeline CEO Joseph Blount explained why he decided to pay the ransom during the Congressional hearings. At the time the ransom demand was made, Blount said it wasn't clear how widespread the intrusion was or how long it would take Colonial Pipeline to restore the compromised systems. So Blount decided to pay the ransom, hoping it would speed up the recovery time.

Ransomware threat actors commonly demand bitcoin in the mistaken belief that it cannot be traced. Bitcoin is pseudonymous, not anonymous: every transaction is recorded on a public ledger, so funds can be followed from address to address. In a press conference on June 7, Deputy Attorney General Lisa O. Monaco said the U.S. Department of Justice's Ransomware and Digital Extortion Task Force had traced the ransom paid by Colonial Pipeline. A Wall Street Journal report on June 11 detailed how FBI agents followed the bitcoin payment trail to recover the ransom.

Bitcoin is a cryptocurrency, and users hold it in a digital wallet. The DOJ identified the address holding the traced funds and obtained a seizure warrant from a federal court. The operation recovered 63.7 of the 75 bitcoin that Colonial Pipeline paid, worth approximately $2.3 million at the time of the recovery; bitcoin's price had fallen since the payment, which is why the recovered coins were worth far less than the $4.4 million paid.
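The "follow the trail" step in the paragraph above is, at its core, a graph walk: each transaction spends from one set of addresses and pays out to another, and an investigator starts at the address the victim paid and follows every outgoing spend until the funds come to rest. The example below is added here and is not code from the article, the DOJ or any chain-analysis vendor. Its ledger is a constructed fragment: every transaction ID and address is fake, and the amounts only echo the article's 75 BTC and 63.7 BTC figures so the numbers look familiar.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SATOSHI = 100_000_000  # satoshis per bitcoin; integers avoid floating-point error


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: List[Tuple[str, int]]   # (address spent from, satoshis)
    outputs: List[Tuple[str, int]]  # (address paid to, satoshis); inputs - outputs = miner fee


# Constructed ledger fragment (all identifiers fabricated for this example).
LEDGER: List[Tx] = [
    Tx("tx_ransom", [("victim_wallet", 7_500_000_000)],
       [("attacker_intake", 7_500_000_000)]),
    Tx("tx_split", [("attacker_intake", 7_500_000_000)],
       [("affiliate_wallet", 6_370_000_000), ("operator_wallet", 1_125_000_000)]),
    Tx("tx_cashout", [("operator_wallet", 1_125_000_000)],
       [("exchange_deposit", 1_000_000_000), ("operator_change", 124_000_000)]),
    Tx("tx_unrelated", [("someone_else", 200_000_000)],
       [("merchant", 200_000_000)]),
]


def build_spend_index(ledger: List[Tx]) -> Dict[str, List[Tx]]:
    """Map each address to the transactions that spend from it (the edges we follow)."""
    index: Dict[str, List[Tx]] = {}
    for tx in ledger:
        for addr, _ in tx.inputs:
            index.setdefault(addr, []).append(tx)
    return index


def balances(ledger: List[Tx]) -> Dict[str, int]:
    """Net satoshis at each address: everything received minus everything spent."""
    bal: Dict[str, int] = {}
    for tx in ledger:
        for addr, amount in tx.outputs:
            bal[addr] = bal.get(addr, 0) + amount
        for addr, amount in tx.inputs:
            bal[addr] = bal.get(addr, 0) - amount
    return bal


def trace_funds(ledger: List[Tx], start: str) -> Tuple[Set[str], Dict[str, int]]:
    """Breadth-first walk from `start` along spend edges.

    Returns every address the traced funds passed through, and the subset that
    still holds a positive balance (the candidate points for a seizure warrant).
    """
    spend_index = build_spend_index(ledger)
    bal = balances(ledger)
    reached: Set[str] = set()
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if addr in reached:
            continue
        reached.add(addr)
        for tx in spend_index.get(addr, []):
            for out_addr, _ in tx.outputs:
                queue.append(out_addr)
    holdings = {a: bal[a] for a in reached if bal.get(a, 0) > 0}
    return reached, holdings


def format_btc(sats: int) -> str:
    """Render satoshis as a fixed 8-decimal BTC string without float rounding."""
    return f"{sats // SATOSHI}.{sats % SATOSHI:08d}"


if __name__ == "__main__":
    reached, holdings = trace_funds(LEDGER, "attacker_intake")
    for addr, sats in sorted(holdings.items()):
        print(f"{addr:18s} {format_btc(sats)} BTC")
```

Two caveats a practitioner would add. First, real analysis works at the level of unspent transaction outputs rather than address balances, and has to handle change addresses, CoinJoin-style mixing and exchange hot wallets that pool many customers' coins; the walk above ignores all of that. Second, tracing only tells you where the coins sit. Moving them requires the private key for that address, which is why a warrant alone does not recover funds unless the key is also obtained.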
