
Colonial Pipeline hack explained: Everything you need to know

A ransomware attack brought a major gas pipeline to a standstill in May. Here's what happened and who was behind the hack.

The Colonial Pipeline was the victim of a ransomware attack in May 2021. It infected some of the pipeline's digital systems, shutting it down for several days.

The shutdown affected consumers and airlines along the East Coast. The hack was deemed a national security threat, as the pipeline moves oil from refineries to industry markets. This caused President Joe Biden to declare a state of emergency. 

The Colonial Pipeline is one of the largest and most vital oil pipelines in the U.S. It began in 1962 to help move oil from the Gulf of Mexico to the East Coast states.

The Colonial Pipeline comprises more than 5,500 miles of pipeline. It starts in Texas and moves all the way up through New Jersey, supplying nearly half of the fuel for the East Coast. The Colonial Pipeline delivers refined oil for gasoline, jet fuel and home heating oil. Colonial Pipeline headquarters is in Alpharetta, Ga.

What is the Colonial Pipeline hack?

The Colonial Pipeline hack is the largest publicly disclosed cyber attack against critical infrastructure in the U.S.

The attack involved multiple stages against Colonial Pipeline IT systems. The pipeline's operational technology systems that actually move oil were not directly compromised during the attack.

The attack began when a hacker group identified as DarkSide accessed the Colonial Pipeline network. The attackers stole 100 gigabytes of data within a two-hour window. Following the data theft, the attackers infected the Colonial Pipeline IT network with ransomware that affected many computer systems, including billing and accounting.

Colonial Pipeline shut down the pipeline to prevent the ransomware from spreading. Security investigation firm Mandiant was then brought in to investigate the attack. The FBI, Cybersecurity and Infrastructure Security Agency, U.S. Department of Energy, and Department of Homeland Security were also notified of the incident.

Colonial Pipeline paid DarkSide hackers to get the decryption key, enabling the company's IT staff to regain control of its systems.

Colonial Pipeline restarted pipeline operations May 12.

What was the root cause of the Colonial Pipeline attack?

Attackers got into the Colonial Pipeline network through an exposed password for a VPN account, said Charles Carmakal, senior vice president and CTO at cybersecurity firm Mandiant, during a hearing before a House Committee on Homeland Security on June 8.

Many organizations use a VPN to provide secure, encrypted remote access into a corporate network. According to Carmakal's testimony, a Colonial Pipeline employee -- who was not publicly identified during the hearing -- likely used the same password for the VPN in another location. That password was somehow compromised as part of a different data breach.

Password reuse has become a common problem, as many users use the same password across multiple accounts and services.

Colonial Pipeline attack timeline

The Colonial Pipeline attack and recovery unfolded at a rapid pace in a short period of time.

May 6, 2021

  • Initial intrusion and data theft.

May 7, 2021 

  • Ransomware attack begins.
  • Colonial Pipeline becomes aware of the breach.
  • Security firm Mandiant called in to investigate and respond to the attack.
  • Law enforcement and federal government authorities notified of the attack.
  • Pipeline taken offline to reduce risk of exposure to the operational network.
  • Colonial Pipeline pays ransom of 75 bitcoin ($4.4 million) to

May 9, 2021

  • Emergency declaration by President Joe Biden.

May 12, 2021

  • Pipeline restarted as normal operations resumed.

June 7, 2021

  • Department of Justice recovers 63.7 bitcoin -- approximately $2.3 million -- from the attackers.

June 8, 2021

  • Congressional hearing on the attack.

Who was responsible for the Colonial Pipeline hack?

The Colonial Pipeline hackers were identified as a group known as DarkSide.

As part of a ransomware attack, attackers make a ransom demand, which is how they reveal themselves. If they don't ask for the ransom, they won't get paid -- and getting paid is what ransomware is all about. With ransomware, attackers encrypt an organization's data and hold it hostage until a ransom is paid. Once attackers receive payment, they are supposed to share a decryption key, enabling victims to recover their data.

DarkSide's first publicly reported activity was in August 2020, when it began a malicious campaign of infecting victims with ransomware. DarkSide is thought to be operating out of Eastern Europe or Russia -- though there is no confirmed link with any nation-state sponsored activity. The Russian government has also denied involvement with DarkSide or the pipeline operator attack.

One of the primary ways that DarkSide operates is with a ransomware-as-a-service (RaaS) model. With RaaS, DarkSide provides its ransomware capabilities to other threat actors. Instead of the other threat actors developing their own ransomware, they can use RaaS against potential victims.

Who was affected?

There was a significant and immediate effect when the Colonial Pipeline hack occurred.

It affected the airline industry, where there was a jet fuel shortage for many carriers, including American Airlines. There was also limited disruption at other airports, including Atlanta and Nashville.

Fear of a gas shortage caused panic-buying and long lines at gas stations in many states, including Florida, Georgia, Alabama, Virginia and the Carolinas. There was also a spike in the average price at the gas pump, with regular gas topping $3/gallon in the aftermath of the Colonial Pipeline shutdown. Panic-buying did lead to some real shortages in certain areas as consumers bought more gasoline than usual.

In some states, people even filled plastic bags with gasoline. This triggered a U.S. Consumer Product Safety Commission alert, warning consumers to only use containers meant for fuel.

Colonial Pipeline ransom paid and recovered

The goal for attackers in a ransomware attack is to have the victim pay a ransom, which is exactly what Colonial Pipeline did.

The DarkSide attackers asked for a ransom of 75 bitcoin, which was worth approximately $4.4 million on May 7. Bitcoin's value is volatile and fluctuates quickly over short periods of time.

Colonial Pipeline CEO Joseph Blount explained why he decided to pay the ransom during the Congressional hearings. At the time the ransom demand was made, Blount said it wasn't clear how widespread the intrusion was or how long it would take Colonial Pipeline to restore the compromised systems. So Blount decided to pay the ransom, hoping it would speed up the recovery time.

Bitcoin is commonly used by ransomware threat actors due to the mistaken belief that the currency cannot be traced. In a press conference on June 7, Deputy Attorney General Lisa O. Monaco said the U.S. Department of Justice's Ransomware and Digital Extortion Task Force traced the ransom paid by Colonial Pipeline. A Wall Street Journal report on June 11 detailed how FBI agents were able to follow the bitcoin payment trail to recover the ransom.

Bitcoin is a cryptocurrency, and users have a digital wallet to hold it. The DOJ was able to find the digital address of the wallet that the attackers used and got a court order to seize the bitcoin. The operation recovered 64 of the 75 bitcoin that Colonial Pipeline paid. At the time of the recovery, the 64 bitcoin were worth approximately $2.4 million.

Colonial Pipeline attack highlights need for software bill of materials

In the aftermath of the Colonial Pipeline ransomware attack, industry and government set out to find ways to mitigate or prevent similar incidents from happening in the future.

In supply chain attacks such as the one that affected Colonial Pipeline, the root attack vector is a vulnerable component in use somewhere within an organization's infrastructure. It is often a challenge for large organizations to know what is inside all the applications in use and whether any software dependencies include known vulnerabilities.

In May 2021, the Biden Administration issued an executive order directing U.S. government agencies to take a series of proactive steps to bolster cybersecurity. One of the steps that the order advocates is the use of software bills of materials (SBOMs).

"An SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities," the Executive Order states. "Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product."

The order also directed the National Telecommunications and Information Administration (NTIA) to issue formal guidance on what the minimum requirements are for an SBOM. That guidance was issued in a report released in July 2021.
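To make the Executive Order's "vulnerability or license analysis" concrete, here is an added example (not from the article, the Executive Order, or the NTIA guidance) that reads a small CycloneDX-style SBOM, matches each component against an advisory feed by name and fixed version, and flags components whose declared license is missing or outside an allowlist. The SBOM, the component names, the advisory feed and the `VULN-EXAMPLE-*` identifiers are all constructed placeholders, not real software or real CVEs; versions are assumed to be purely numeric dotted strings.

```python
"""Vulnerability and license analysis over a CycloneDX-style SBOM (added example)."""
import json

# Constructed SBOM in CycloneDX JSON shape; names and versions are fictional.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "vpn-gateway-agent", "version": "2.4.7",
     "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
    {"type": "library", "name": "billing-core", "version": "1.9.2",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "log-shipper", "version": "3.0.0"}
  ]
}"""

# Constructed advisory feed: placeholder ids, not real CVEs. A component is
# affected when its version is older than the version the fix shipped in.
ADVISORIES = [
    {"id": "VULN-EXAMPLE-0001", "name": "vpn-gateway-agent", "fixed_in": "2.5.0"},
    {"id": "VULN-EXAMPLE-0002", "name": "billing-core", "fixed_in": "1.9.0"},
]

# Hypothetical organisational license allowlist.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def parse_version(version: str) -> tuple[int, ...]:
    """Assumes numeric dotted versions (e.g. "2.4.7"); compares as int tuples
    so that 2.10.0 sorts after 2.9.0, which a plain string compare gets wrong."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_text: str) -> list[dict]:
    """Parse the SBOM and return its component list, rejecting other formats."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return bom.get("components", [])


def find_vulnerable(components: list[dict], advisories: list[dict]) -> list[tuple]:
    """Return (name, version, advisory id) for every component below a fix version."""
    by_name: dict[str, list[dict]] = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    findings = []
    for comp in components:
        for adv in by_name.get(comp["name"], []):
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append((comp["name"], comp["version"], adv["id"]))
    return findings


def find_license_issues(components: list[dict], allowed: set) -> list[tuple]:
    """Return (name, reason) for components with no license or one off the allowlist."""
    issues = []
    for comp in components:
        ids = [entry.get("license", {}).get("id") for entry in comp.get("licenses", [])]
        if not ids:
            issues.append((comp["name"], "no license declared"))
        for lic in ids:
            if lic not in allowed:
                issues.append((comp["name"], f"license {lic} not on allowlist"))
    return issues


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    for finding in find_vulnerable(comps, ADVISORIES):
        print("VULNERABLE:", finding)
    for issue in find_license_issues(comps, ALLOWED_LICENSES):
        print("LICENSE:", issue)
```

The same name-plus-version matching is what a buyer runs whenever a new advisory appears: because the SBOM is already on hand, the question "do we ship the affected component?" is a lookup rather than a rediscovery exercise across every application in the estate.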
