Here’s a deeper look at one of the most infamous ransomware attacks of all time
The Colonial Pipeline Ransomware
You may have heard of the infamous Colonial Pipeline ransomware attack that dominated headlines in May 2021. Let’s trace our steps back to the starting point to discover exciting details about this cyberattack that threatened the entire East Coast’s gas supply.
So, what exactly happened during the Colonial Pipeline Ransomware Attack, and what can we learn from it?
Colonial Pipeline is an American oil pipeline system in Houston, Texas. It was built in the 1960s from the Gulf of Mexico to help carry oil to all East Coast states. The organization suffered a major ransomware cyberattack on May 6, 2021, that affected the pipeline’s computerized operating equipment.
Due to the attack, the pipeline was shut down, impacting people and airlines along the East Coast. The attack was considered a national security threat, as the channel carries oil from refineries to industrial markets. This event even set warning bells off in the White House, causing President Joe Biden to announce a state of emergency.
The Colonial Pipeline consists of more than 5,500 miles of pipeline. It begins from Texas and moves up via New Jersey, providing nearly half the fuel for the East Coast.
What is the Colonial Pipeline Ransomware Attack?
The Colonial Pipeline ransomware attack is the most significant publicly declared cyber attack against essential infrastructure in the U.S.
The attack took place in multiple stages against Colonial Pipeline I.T. systems. This large-scale ransomware attack targeted and compromised the pipeline’s operational technology systems that moved oil.
The attack started when a hacker group called DarkSide got access to the Colonial Pipeline network. Within two hours, the attackers stole 100 gigabytes of data. Besides the data theft, the hackers infected the Colonial Pipeline I.T. network, affecting many computer systems, including accounting and billing.
The company shut down the pipeline to keep the ransomware from spreading. It then brought in the security investigation firm Mandiant to investigate the attack. Colonial Pipeline also notified the FBI, the Cybersecurity and Infrastructure Security Agency, the U.S. Department of Energy, and the Department of Homeland Security about the incident.
Yet, despite all efforts by these agencies, Colonial Pipeline paid a ransom of $4.4 million to the DarkSide hackers for the decryption key, allowing its I.T. staff to regain control of its systems.
After the attack, Colonial Pipeline restarted its supply operations on May 13, 2021.
Colonial Pipeline Ransomware Attack: How Did It Happen?
Charles Carmakal, Chief Technology Officer (CTO) and Senior Vice-President at the cybersecurity firm Mandiant, stated that the attackers got into the Colonial Pipeline network via an exposed password for a VPN account. He confirmed it during a hearing on June 8 in front of the House Committee on Homeland Security.
Organizations mostly use VPNs in corporate networks to provide secure, encrypted remote access. According to Carmakal’s testimony, one of the employees of Colonial Pipeline, who was not publicly presented or named during the hearing, was using the same password for the VPN in some other location. Somehow the password was compromised as part of a different data breach.
Password reuse is a common problem: people use the same password for more than one account. Cybersecurity experts discourage this practice because it can lead to multiple breaches, as shown in this case.
Colonial Pipeline Ransomware Attack: The Timeline
The Colonial Pipeline attack and recovery happened in a brief period.
Here’s the Sequence of Events:
May 6, 2021
The initial breach and data theft occur.
May 7, 2021
The ransomware attack begins.
On its end, Colonial Pipeline becomes aware of the intrusion.
Experts from a top-rated security firm are called in to examine and respond to the data breach.
Colonial Pipeline notifies law enforcement and federal government authorities about the attack.
All systems go offline (including pipeline) to lower the operational network’s exposure risk.
Colonial Pipeline pays DarkSide a ransom of 75 bitcoin ($4.4 million).
May 9, 2021
President Joe Biden declared a state of emergency.
May 12, 2021
The pipeline resumed its normal operations.
June 7, 2021
The Department of Justice recovered 63.7 bitcoin, i.e., approximately $2.2 million from the attackers.
Colonial Pipeline Ransomware Attack: The Dark Culprits
A group known as DarkSide was identified as the hackers behind the Colonial Pipeline attack.
In most ransomware attacks, the attackers demand a ransom amount, which is how they disclose themselves. After all, how will they profit from their illegal efforts if they do not ask for ransom?
Ransomware is all about getting paid. A ransomware cyberattack is when hackers encrypt an organization’s data and hold it captive until the company pays off the ransom. Once the hackers receive the money, they are supposed to share a decryption key, allowing the victims to retrieve their data.
The first publicly reported activity of DarkSide occurred in August 2020, when it started a campaign of maliciously infecting victims with ransomware. DarkSide is believed to operate out of Eastern Europe or Russia, though there is no confirmed link with any nation-state-sponsored activity. The Russian government has also denied any involvement with DarkSide or the Colonial Pipeline Ransomware Attack.
One of the primary methods that DarkSide uses to function is a ransomware-as-a-service (RaaS) model. With RaaS, DarkSide provides its ransomware abilities to other hackers. Instead of creating their own ransomware, those hackers can use DarkSide’s RaaS against their victims.
Whom did the Colonial Pipeline Ransomware Attack Affect, and How?
The effects of the Colonial Pipeline Ransomware Attack were sharp and sudden as they reverberated across the country.
The attack also affected the airline industry, but do you know how? Multiple carriers, including American Airlines, experienced an unprecedented jet fuel shortage. The breach also caused fuel shortages at other airports, including Nashville and Atlanta.
The fear of a gas deficit caused panic among buyers, resulting in long lines at gas stations in many states, including Georgia, Florida, Alabama, the Carolinas, and Virginia.
There was also a sudden rise in the average gas pump price, with regular gas topping at $3/gallon in the aftermath of the Colonial Pipeline shutdown. Panic buying resulted in fuel shortages in certain areas as people bought more gasoline than usual.
In some states, consumers even filled plastic bags with gasoline. This caught the attention of the U.S. Consumer Product Safety Commission, which issued an alert to warn buyers to use containers meant for fuel.
Colonial Pipeline Ransomware Attack: The Way Out
It’s been a year since the largest fuel pipeline in the U.S. suffered a ransomware attack. DarkSide, the attackers responsible for the hack, stole about 100 gigabytes of data and threatened to leak it unless the company paid off its demand of $4.4 million.
Colonial Pipeline paid the ransom ($4.5 million) to get their data back; later, the Department of Justice recovered approximately $2.2 million.
The hack resulted in discussions of how the government and companies must be more active in protecting critical infrastructure and handling vulnerabilities.
Colonial Pipeline Ransomware Attack: The End Result
After the Colonial Pipeline ransomware attack, industries and governments set out to find ways to reduce or prevent similar incidents from occurring in the future.
The attack caused a national emergency and severe gas shortage in the U.S. last year, with White House Press Secretary Jen Psaki declaring that the U.S. government was “monitoring supply shortages in parts of the Southeast,” as documented by The Independent, during the attack.
While Colonial Pipeline and the Government searched for a solution, the company operated additional lateral systems manually to deliver supplies. Preference was given to areas that were either not assisted by other fuel delivery services or were experiencing shortages.
Following the attack, the organization hired more than 50 staff members to walk or drive around the 5,000 miles of the pipeline daily to increase patrols. In addition, the company scrambled and delivered around 41 million gallons of fuel while the pipeline system was offline.
On May 13, the company said that operations had restarted, but the delivery supply chain could take some time to get back to normal. This incident shows how swiftly a prominent government organization can be brought to its knees by a well-planned ransomware attack. The resultant chaos is a testament to the adverse effects of these attacks and how long it takes companies and organizations to recover fully.
Colonial Pipeline Ransomware Attack: What Did We Learn from It?
In the aftermath of the Colonial Pipeline breach, we understood that every organization is vulnerable to data breaches or cyber-attacks. Hackers are evolving daily, so please immediately upgrade your cybersecurity solutions.
It is better to pay attention to government warnings and the latest news reports on cyber threats to reduce the attack risk. If you fail or do not respond to cyber attacks appropriately, you may put your company’s image and reputation at risk.
Prevention is the key to lowering the risk of a data breach: invest in cybersecurity software, use a VPN, and be aware of standard attack methods.