Colonial pipeline cyberattack: What happened, and what we’ve learned

What happened in the Colonial Pipeline cyberattack

On May 7, 2021, the US fuel company Colonial Pipeline faced a major ransomware attack and shut down its fuel pipeline for approximately six days as a consequence. Colonial Pipeline is one of the largest and most vital oil pipelines in the US, delivering around 45 percent of refined oil products to the East Coast and the Southern states.

Cyberattackers broke into the Colonial Pipeline’s computer systems using a compromised password. Within a two-hour window, hackers tried to steal and leak about 100 gigabytes of data, but the FBI and other agencies cooperated with private companies to respond. However, hackers managed to infect the company’s billing and accounting systems with ransomware.

Typically, ransomware encrypts data and makes the infected systems inoperable until the victim pays the ransom. So even though the ransomware did not compromise the oil delivery system, Colonial Pipeline shut down its networks to prevent the malware from spreading and causing more damage.

With pipeline operations at a halt, the company started transporting fuel in trucks, tanker cars, and trains. These slower delivery methods caused fuel shortages on the East Coast and left some filling stations without fuel for several days.

After paying the ransom to the attackers, Colonial Pipeline restarted its operations on May 12, 2021, and fully resumed its normal pipeline operations by May 15, 2021.

What caused the Colonial Pipeline cyberattack

Hackers gained access to Colonial Pipeline’s network using a compromised password of an employee account. Criminals discovered it on a leaked password list from a previous data breach, likely found on the dark web. This suggests that the employee didn’t update the password or didn’t use multifactor authentication to secure their account.

The attack was most likely indirectly caused by the pandemic with most employees working remotely and accessing the company’s systems through remote desktop tools.

Some say that the pipeline’s network was vulnerable to cyberattacks because of the government’s passive approach to cybersecurity – leaving private-sector companies to implement cybersecurity measures themselves. Even before the Colonial Pipeline incident, government officials urged the Department of Energy to take proactive steps in addressing cybersecurity risks.

Who was behind the Colonial Pipeline hack?

The FBI has confirmed that the Russian hacker group DarkSide launched the attack. DarkSide is an organized collective consisting of veteran hackers who have acted as a group since mid-2020. The hackers claim that their main goal is profit and that they don’t have any political intentions.

DarkSide hackers operate a ransomware-as-a-service business and develop ransomware software. The group provides ransomware to its affiliates and gets a cut of any loot taken during ransomware attacks by these affiliates.

The hacker group is also known for its well-organized operations – it has its own ethics code, mailing list, PR strategy, press center, and victim hotline.

The timeline of the Colonial Pipeline cyberattack

The cyberattack on the US fuel delivery infrastructure happened and was resolved in less than two weeks and required the participation of law enforcement agencies and government authorities.

May 6, 2021

DarkSide hackers gain unauthorized access to Colonial Pipeline’s computer system and begin their data theft.

May 7, 2021

DarkSide begins its ransomware attack. Colonial Pipeline detects the breach and shuts down its pipeline operations. The company also calls the security firm Mandiant to investigate and informs law enforcement and government authorities of the attack.

Overseen by the FBI, Colonial Pipeline pays DarkSide 75 bitcoin ($4.4 million USD at the time), and the group provides an IT tool to restore the system.

May 8, 2021

Colonial Pipeline publicly confirms it became a victim of a ransomware attack.

May 9-11, 2021

On May 9, 2021, President Joe Biden declares a state of emergency. Efforts to manage fuel supply and address shortages intensify, involving state and federal agencies.

May 12, 2021

Colonial restarts its pipeline operations.

May 13-15, 2021

Pipeline operations gradually return to normal – fuel deliveries resume.

June 7, 2021

The Department of Justice manages to recover 63.7 bitcoin from the hackers.

June 8, 2021

Congressional hearing on the attack takes place.

What were the consequences of the Colonial Pipeline hack?

The consequences of the attack affected both Colonial Pipeline and consumers. During the fuel delivery slow-down, consumers started panic buying and depleted gasoline supplies at some service stations on the East Coast, which also drove up gasoline prices.

Disruption in fuel supply also affected the airline industry, with many carriers suffering jet fuel shortages. This disrupted some of the operations in several airports as well.

Colonial Pipeline rushed to find alternative ways to deliver fuel and meet demand. Fuel shortages in the country caused President Biden to declare a state of emergency and even relax regulations on weight limits and personnel working hours to speed up the supply.

Colonial Pipeline also suffered a financial loss of approximately $2.1 million USD – the company paid a $4.4 million USD ransom in cryptocurrency and only recovered $2.3 million USD.

On a wider scale, this situation proved that ransomware is a global threat that can disrupt critical state-level infrastructure. It also highlighted the vulnerabilities of the US’s digital security because the government and private sectors were still recovering from the Solarwinds and Microsoft Exchange attacks.

This new form of cyber extortion is getting increasingly dangerous. While working from home, employees should maintain a high level of digital security, using robust passwords and encrypting their data with a VPN.

How did the Colonial Pipeline attack conclude?

Colonial Pipeline saw no other choice but to pay a ransom to the hackers to restore its operating systems. After the company paid $4.4 million USD in bitcoin, DarkSide provided a decryption key.

Still, it took Colonial Pipeline about five days to restart its fuel delivery system and for the fuel supply to return to its pre-attack state. Luckily, federal authorities were able to recover approximately $2.3 million USD of the ransom payment.

How could the Colonial Pipeline attack have been prevented?

Several straightforward cybersecurity practices could have helped to prevent the attack on Colonial Pipeline. Companies and internet users alike can apply some of these measures:

• Cyber hygiene. Both companies and internet users should use strong passwords, regularly update them, and never reuse them across different services.
• Multi-factor authentication (MFA). MFA adds a layer of security, vital when accessing sensitive systems and using remote-access tools. It prevents unauthorized parties from accessing your accounts even if they get hold of your password.
• Active monitoring and breach detection. Companies should use monitoring tools to detect unusual network activity and potential breaches to quickly respond and contain them.
• Network segmentation. Business networks should be separated from operational networks to prevent the spread of malware.
• Awareness of cyber threats. Knowledge and awareness of common cybersecurity risks, like phishing attacks, helps prevent accidental breaches.

What have we learned from the Colonial Pipeline attack?

The Colonial Pipeline attack highlighted how vulnerable the US energy infrastructure can be. Because the breach occurred during the pandemic, it also drew attention to the cybersecurity risks related to remote work. During the pandemic, many companies transitioned to remote operations without appropriate security measures in place.

With hacking techniques becoming more advanced by the day, the response should be just as strong. However, you don’t have to be an IT expert to secure your accounts. The cyberattack on the US fuel infrastructure proved the importance of cyber hygiene – having unique passwords and enabling MFA. You too can take these basic actions to secure your accounts today to prevent unauthorized access. Coupled with cybersecurity tools like a VPN, you can easily improve the privacy of your online traffic, especially when you’re accessing resources remotely.