Colonial Pipeline ransomware attack (2021)
|Date||The threat actor gained access to the network on 29 April 2021. Data was stolen on 6 May 2021. Ransomware was deployed on 7 May 2021.|
|Suspected actor||DarkSide ransomware-as-a-service cybercrime gang (also known as Gold Waterfall), a private, for-profit Russian-speaking group likely based in Eastern Europe that, according to some analysts, is plausibly tolerated by the Russian government.|
|Target||The Colonial Pipeline Company, a company based in Georgia, US|
|Target systems||Business-side systems|
|Method||The threat actor conducted a double extortion attack, in which the Colonial Pipeline Company was threatened with the leakage of stolen data in addition to the data on its systems remaining encrypted unless a ransom was paid.
The threat actor initially gained access through a compromised virtual private network account, which allowed employees to remotely access the company’s network; however, it is unclear how the account credentials had been obtained. The account credentials sufficed to breach the network since multifactor authentication had not been in use.
According to the company, ransomware was deployed against its systems.
|Purpose||Data exfiltration for profit and ransom-seeking.
In a public statement, the threat actor explained that it is an “apolitical” organisation and stated that “our goal is to make money”.
|Result||Nearly 100 gigabytes of data were stolen.
According to the company, its operational systems were unaffected by the attack. However, the billing system was compromised by the attack. The Colonial Pipeline Company precautionarily shut down the entire pipeline, which transports at least 2.5 million barrels of fuel daily.
Temporary gas shortages resulted throughout the South and East Coasts of the United States due to panic buying, causing sudden hikes in gas prices and unavailability of fuel at many gas stations across Georgia, North Carolina, South Carolina, Virginia, and Washington. At the peak, 16,200 gas stations experienced outages. Jet fuel prices also spiked and up to seven airports suffered from reduced availability of fuel.
The Colonial Pipeline Company paid a ransom of 75 bitcoins (then equivalent to $4.4 million) in exchange for a decryption key, of which 63.7 bitcoins (then equivalent to $2.3 million) were later recovered by the US officials.
|Aftermath||After receiving the ransom, the threat actor provided the company with a decryption tool to restore its disabled network; however, the tool was reportedly so slow that the company ended up using its own backups to restore the system.
The Colonial Pipeline was restarted, after six days, on 12 May 2021; however, operations were not fully restored for at least several weeks thereafter. It was expected that it would cost the company tens of millions of dollars and take several months to completely restore its systems.
Although he did not attribute the cyber-attack to the Russian state, US President Joe Biden asserted that Russia has “some responsibility to deal with this [incident].”
DarkSide accepted responsibility and expressed regret at “creating problems for society”. DarkSide also stated that “We [will] introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
In January 2022, Russia’s Federal Security Service arrested 14 alleged members of the REvil ransomware gang, following direct requests from US authorities. As affirmed by US officials, the individual allegedly responsible for the Colonial Pipeline attack was among those arrested. He presumably joined the REvil group, which had allegedly carried out other major cyber operations, including against the U.S. software provider Kaseya, after the dissolution of DarkSide in mid 2021.
|Analysed in||Scenario 06: Cyber countermeasures against an enabling State|
Collected by: Darryl Chan
- William Turton, Kartikay Mehrotra, ‘Hackers Breached Colonial Pipeline Using Compromised Password’, Bloomberg (4 June 2021)
- Jordan Robertson, William Turton, ‘Colonial Hackers Stole Data Thursday Ahead of Shutdown’, Bloomberg (9 May 2021)
- ‘FBI Statement on Compromise of Colonial Pipeline Networks’, Federal Bureau of Investigation (10 May 2021)
- ‘Joint CISA-FBI Cybersecurity Advisory on DarkSide Ransomware’, Cybersecurity & Infrastructure Security Agency (11 May 2021)
- ‘Gold Waterfall’, SecureWorks (undated, accessed 8 June 2021)
- Dustin Volz, ‘U.S. Blames Criminal Group in Colonial Pipeline Hack’, Wall Street Journal (10 May 2021)
- Nicolas Rivero, ‘Hacking collective DarkSide are state-sanctioned pirates’, Quartz (11 May 2021)
- ‘Colonial Pipeline CEO paid ransom to swiftly restart pipeline – testimony’, Reuters (8 June 2021)
- Charlie Osborne, ‘Colonial Pipeline attack: Everything you need to know’, ZDNet (13 May 2021)
- Michael Novinson, ‘Colonial Pipeline Hacked Via Inactive Account Without MFA’, CRN (05 June 2021)
- Marisa Penazola, ‘Ransomware Attack Shuts Down A Top U.S. Gasoline Pipeline’, NPR (09 May 2021)
- Joseph Menn, Raphael Satter, ‘Pipeline hackers say their aim is cash, not chaos’, Reuters (10 May 2021)
- Kim Lyons, ‘Colonial Pipeline says operations back to normal following ransomware attack’, The Verge (15 May 2021)
- Natasha Bertrand, Evan Perez, Zachary Cohen, Geneva Sands, Josh Campbell, ‘Colonial Pipeline did pay ransom to hackers, sources now say’, CNN (13 May 2021)
- Christopher Bing, Stephanie Kelly, ‘Cyber attack shuts down U.S. fuel pipeline ‘jugular,’ Biden briefed’, Reuters (8 May 2021)
- Clifford Krauss, Niraj Chokshi, David E. Sanger, ‘Gas Pipeline Hack Leads to Panic Buying in the Southeast’, The New York Times (12 May 2021)
- Vanessa Romo, ‘Panic Drives Gas Shortages After Colonial Pipeline Ransomware Attack’, NPR (11 May 2021)
- Stephanie Kelly, Laura Sanicola, ‘U.S. capital running out of gas, even as Colonial Pipeline recovers’, Reuters (14 May 2021)
- Leslie Josephs, ‘New York jet fuel gets pricier due to Colonial Pipeline outage’, CNBC (12 May 2021)
- Leslie Josephs, ‘Pipeline outage forces American Airlines to add stops to some long-haul flights, Southwest flies in fuel’, CNBC (10 May 2021)
- ‘Carr: Kemp Declares State of Emergency due to Colonial Pipeline Cyber Incident, Invokes Price Gouging Statute’, Office of the Attorney-General of the State of Georgia (11 May 2021)
- 84 JBE 2021 State of Emergency - Colonial Pipeline.pdf ‘PROCLAMATION NUMBER JBE 2021-84’, State of Louisiana (12 May 2021)
- ‘EXECUTIVE ORDER NO. 213’, State of North Carolina (10 May 2021)
- ‘Executive Order NUMBER SEVENTY-EIGHT (2021)’, Office of the Governor of the Commonwealth of Virginia (11 May 2021)
- Ian Carlos Campbell, ‘Colonial Pipeline CEO confirms company paid $4.4 million ransom it wasn’t supposed to pay’, The Verge (19 May 2021)
- Chris Strohm, Alyza Sebenius, ‘Colonial Pipeline’s Bitcoin Ransom Mostly Recouped by U.S.’, Bloomberg (08 June 2021)
- William Turton, Michael Riley, Jennifer Jacobs, ‘Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom’, Bloomberg (13 May 2021)
- Sara Morrison, ‘How a major oil pipeline got held for ransom’, Vox (19 May 2021)
- Mary Louise Kelly, ‘The Colonial Pipeline CEO Explains The Decision To Pay Hackers A $4.4 Million Ransom’, NPR (3 June 2021)
- ‘Biden Says Russia Has 'Some Responsibility' In Pipeline Ransomware Attack’, Radio Free Europe (10 May 2021)
- ‘Russia has nothing to do with cyberattack on Colonial Pipeline – Kremlin’, TASS (11 May 2021)
- Mary-Ann Russon, “US fuel pipeline hackers 'didn't mean to create problems'”, BBC (10 May 2021)
- Charlie Osborne, ‘DarkSide explained: The ransomware group responsible for Colonial Pipeline attack’, ZDNet (14 May 2021)
- Robyn Dixon and Ellen Nakashima, ‘Russia arrests 14 alleged members of REvil ransomware gang, including hacker U.S. says conducted Colonial Pipeline attack’, Washington Post (14 January 2022)
- Sean Lyngaas, ‘US officials believe Russia arrested hacker responsible for Colonial Pipeline attack’, CNN (14 January 2022).
- DW, ‘US 'welcomes' Russian arrests of REvil ransomware gang’ (15 January 2022); Pierluigi Paganini, ‘One of the REvil members arrested by FSB was behind Colonial Pipeline attack’, Security Affairs (15 January 2022).
- Rachel Lerman, Ellen Nakashima and Drew Harwell, ‘DarkSide group that attacked Colonial Pipeline drops from sight online’, Washington Post (14 May 2021).