Colonial Pipeline Hit By Ransomware Attack, Halts Operations

Colonial Pipeline, a major fuel pipeline operator in the US, hit the headlines on May 7, when a ransomware attack led to the shutdown of its entire network. It was the largest ever cyberattack on American energy infrastructure.

Over the past few years, ransomware has become the most prevalent and expensive form of cybercrime. The estimated global damage from ransomware attacks in 2020 stood at $20 billion, up from $11.5 billion in 2019. Among all countries, the United States experiences the most severe ransomware attacks. It is therefore important to learn from past incidents and understand how to prevent ransomware attacks.

In 2019, the US was hit by a wave of ransomware attacks that affected at least 966 government agencies, educational institutions, and healthcare providers, causing potential damage of over USD 7.5 billion.

The pipeline is a crucial artery for the East Coast, transporting around 45% of the fuel consumed across the region. Spanning around 5,500 miles, the pipeline transports more than 100 million gallons of fuel, including gasoline, diesel, and jet fuel, daily to consumers from Houston, Texas, to the New York Harbor.

Colonial Pipeline Company said in a statement on Saturday that they were “the victim of a cybersecurity attack and have since determined that the incident involved ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations and affected some of our IT systems.”

Colonial said that a leading third-party cybersecurity expert had launched an investigation into the nature and scope of the attack. The company also contacted law enforcement and other federal agencies, including the Department of Energy.

“At this time, our primary focus continues to be the safe and efficient restoration of service to our pipeline system, while minimizing disruption to our customers and all those who rely on Colonial Pipeline. Over the past 48 hours, our personnel have taken additional precautionary measures to help further monitor and protect the safety and security of its pipeline,” the company added.


Though the investigation was in its early stages, Allan Liska, senior threat analyst at cybersecurity firm Recorded Future, said the attackers were an Eastern European-based criminal gang called DarkSide.

The DarkSide group has hit utility firms before, he said. For example, in February, DarkSide disrupted operations at two Brazilian state-owned electric companies, Companhia Paranaense de Energia (Copel) and Centrais Eletricas Brasileiras (Eletrobras).

The attack came at a time when the nation's energy sector was bracing for summer travel and high fuel demand due to easing lockdown restrictions. A prolonged shutdown of the pipeline could lead to outages at fuel terminals along the US East Coast and trigger a spike in gas prices.

After the Colonial interruption was reported on Friday, the refining margin for a combined barrel of gasoline and diesel increased 2%. Nymex gasoline futures gained 1.32 cents to settle at USD 2.1269 per gallon.

A White House statement said that President Joe Biden was briefed on the ransomware attack. It said that the government is “working to assess the incident’s implications, avoid disruption to supply, and help Colonial Pipeline restore operations as quickly as possible.”

“We are working with the company and our interagency partners regarding the situation,” said Eric Goldstein, Executive Assistant Director of the cybersecurity division at the Department of Homeland Security’s CISA. “This underscores the threat that ransomware poses to organizations regardless of size or sector. We encourage every organization to take action to strengthen their cybersecurity posture.”

How Did the Crisis Unfold?

CEO Joseph Blount learned about the attack on the morning of May 7, when a control-room employee found a ransom note. The note said the hackers had "exfiltrated" files from the company's shared internal drive and demanded a USD 4.4 million ransom in exchange for the files. The company promptly decided to shut down its entire pipeline.

"At approximately 5:55 A.M., employees began the shutdown process. By 6:10 A.M., they confirmed that all 5,500 miles of pipelines had been shut down," said Blount.

The same night, Blount came to a difficult conclusion: He had to pay the ransom.

“I made the decision that Colonial Pipeline would pay the ransom to have every tool available to us to swiftly get the pipeline back up and running. It was one of the toughest decisions I have had to make in my life,” said CEO Blount in his first public remarks.

“I know that’s a highly controversial decision. I didn’t make it lightly and wasn’t comfortable seeing money go out the door to people like this,” said Mr. Blount.

“But it was the right thing to do for the country,” he added.

The company paid approximately USD 4.4 million worth of bitcoin to the DarkSide hackers one day after the attack.

In return for the payment, Colonial received a decryption tool from the DarkSide group to unlock the crippled systems.

But what brought the largest energy infrastructure in the United States to its knees?

A Compromised Password.

Yes! A single leaked password led to the shutdown of a company that has invested around USD 1.5 billion over the past five years to maintain the integrity of its entire pipeline system.

The DarkSide hackers got into Colonial's computer network using nothing more than a compromised password. The password belonged to an old virtual private network (VPN) account that was still active but no longer in use. The account relied on single-factor authentication alone and was not protected by multi-factor authentication (MFA), the extra layer of security that would have required a second proof of identity beyond the password.

"In the case of this particular legacy VPN, it only had single-factor authentication," said Blount. "It was a complicated password, I want to be clear on that. It was not a Colonial123-type password."

A legacy VPN account with no MFA! It should have been a cakewalk for DarkSide.

At the moment, it is unclear how the DarkSide hackers obtained the compromised credential. But the attack underscores how cybercriminals can disrupt critical infrastructure companies with something as simple as a single dormant account, and it brings to light the grave risks of lax cybersecurity hygiene.
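The lesson of the dormant, single-factor VPN account is one a defender can turn into a routine check: inventory remote-access accounts and flag any that are still enabled but have not been used in a long time or lack MFA. The following script is an added example written for this article; it is not Colonial's code, and the account inventory it audits is constructed sample data with hypothetical field names (`enabled`, `mfa`, `vpn`, `last_login`) that would in practice come from an identity provider or VPN gateway export.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample inventory (hypothetical users and dates, not real data).
# In practice this would be exported from the identity provider or VPN gateway.
ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "mfa": True,  "vpn": True,  "last_login": "2021-05-06"},
    {"user": "legacy-svc", "enabled": True,  "mfa": False, "vpn": True,  "last_login": "2020-11-02"},
    {"user": "bob",        "enabled": True,  "mfa": False, "vpn": False, "last_login": "2021-05-01"},
    {"user": "carol",      "enabled": False, "mfa": False, "vpn": True,  "last_login": "2019-08-15"},
    {"user": "dave",       "enabled": True,  "mfa": False, "vpn": True,  "last_login": None},
]

# Reference date for the audit (constructed; a real run would use date.today()).
AUDIT_DATE = date(2021, 5, 7)

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

RECOMMENDED_ACTION = {
    "critical": "disable the account now; re-enable only with MFA and a documented owner",
    "high": "enforce MFA before the next login; confirm the account is still needed",
    "medium": "review at the next access recertification cycle",
}


@dataclass
class Finding:
    user: str
    severity: str
    reasons: list = field(default_factory=list)


def audit_accounts(accounts, today, dormant_days=90):
    """Return findings for enabled accounts that are dormant, lack MFA, or both.

    Severity is highest for a remote-access (VPN) account that is both dormant
    and single-factor: exactly the combination that should never exist.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used to log in

        reasons = []
        if acct["last_login"] is None:
            dormant = True
            reasons.append("never logged in")
        else:
            idle = (today - date.fromisoformat(acct["last_login"])).days
            dormant = idle > dormant_days
            if dormant:
                reasons.append(f"dormant for {idle} days")

        if not acct["mfa"]:
            reasons.append("no MFA")

        if not reasons:
            continue  # healthy account: recently used and protected by MFA

        if acct["vpn"] and dormant and not acct["mfa"]:
            severity = "critical"
        elif acct["vpn"] and not acct["mfa"]:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(acct["user"], severity, reasons))

    # Worst findings first so the report leads with what to fix today.
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


def report(findings):
    """Format findings as one line per account for a ticket or log."""
    lines = []
    for f in findings:
        lines.append(f"[{f.severity.upper()}] {f.user}: {', '.join(f.reasons)} "
                     f"-> {RECOMMENDED_ACTION[f.severity]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_accounts(ACCOUNTS, AUDIT_DATE)))
```

Running the script against the sample inventory reports `legacy-svc` and `dave` as critical (enabled VPN accounts that are dormant and single-factor), while `bob` is only medium because he has no VPN access and logged in recently; `carol` is skipped because the account is disabled. The dormancy threshold of 90 days is an assumption; tune it to the organisation's access-recertification policy.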

In Conclusion

The Colonial Pipeline ransomware attack reveals that no organization is completely risk-free in today’s digital world. Cybercriminals are constantly tweaking their attack techniques.

They have become more creative, sophisticated, and evasive, while much of the security industry struggles to catch up. So the million-dollar question raised by this attack is: how can firms protect their businesses from such cybercrimes? It is wise to seek help from cybersecurity service providers to stay secure in today's rapidly growing landscape of cyberattacks.
