In May 2021, Colonial Pipeline, the largest fuel pipeline in the United States, faced a devastating cyberattack. The attack, carried out with ransomware, halted the pipeline’s operations, caused widespread fuel shortages across multiple states, and highlighted how vulnerable critical infrastructure is to cyber threats. This case study provides an in-depth analysis of the incident, the security failures that enabled it, and the implications for future cybersecurity in essential industries.
Case Study: The 2022 Ransomware Attack on Colonial Pipeline
Colonial Pipeline, with over 5500 miles of pipeline, delivers nearly half of the fuel consumed on the East Coast. In May 2021, the company fell victim to a ransomware attack that disrupted its operations for six days, causing the pipeline’s entire system to shut down. This incident spotlighted the extent to which essential services are at risk from advanced cyber threats.
The Attack
The attack was executed using a ransomware variant known as DarkSide, which encrypts the victim’s files, making them inaccessible until a ransom is paid. The group behind DarkSide operates under a “Ransomware-as-a-Service” model where the malware is developed by the core group and leased to affiliates who conduct the actual attack.
The initial point of entry remains unconfirmed; however, it is suspected to have involved phishing or exploiting unpatched vulnerabilities in the public-facing applications of Colonial Pipeline. The attackers then moved laterally through the network, escalating their privileges until they could deploy the ransomware on key systems, crippling operations.
The root cause of the Colonial Pipeline attack was a compromised password for a VPN account. The attackers were able to use this password to gain access to the Colonial Pipeline network and eventually install ransomware.
The suspected point of entry was a compromised Virtual Private Network (VPN) account that did not have multi-factor authentication enabled. The account’s password had reportedly been used on at least one other website that was previously compromised, which made the credentials available to malicious actors.
It’s crucial to note that this cyber attack was not only due to a single weakness but a combination of several factors. These include insufficient network segmentation, lack of multi-factor authentication, and potentially inadequate employee cybersecurity awareness. All these contributed to the successful execution of the attack.
The DarkSide ransomware group used these compromised credentials to gain initial access to Colonial Pipeline’s network, a point of entry confirmed by Mandiant, the cybersecurity firm engaged by Colonial Pipeline to investigate the attack. Once inside the network, the attackers were able to move laterally, escalate their privileges, and deploy their ransomware on critical systems.
According to Charles Carmakal, senior vice president and CTO at cybersecurity firm Mandiant, who testified before a House Committee on Homeland Security on June 8, 2021, the password was likely also used by a Colonial Pipeline employee elsewhere, outside the VPN. This suggests that the password was likely not very strong and was reused across multiple systems.
The use of a compromised password is a common way for attackers to gain access to corporate networks. It is important for organizations to use strong passwords and to avoid reusing passwords across multiple systems. Additionally, organizations should implement multi-factor authentication (MFA) to further protect their networks.
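One way to put the advice above into practice, as an added example that is not part of the original case study and not code from Colonial Pipeline or Mandiant: a Python screening routine that rejects a candidate VPN password if it is shorter than the 12-character minimum this article recommends later, if its SHA-1 digest appears in a breached-credential corpus (queried by five-character hash prefix so the password itself never leaves the client, the k-anonymity pattern used by public breach-lookup services), or if it matches a digest the identity team already holds for the same user on another system. The breach corpus, the sample passwords and the user's password history are all constructed for the example.

```python
"""Screen a candidate VPN password for the weaknesses this case study
describes: too short, present in a breach corpus, or reused elsewhere.
Added example; corpus contents and user history are constructed."""
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form breach corpora are usually keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: only digests are stored, never plaintext.
BREACHED_SHA1 = {sha1_hex(p) for p in ("Summer2019!", "Pipeline#1", "Welcome123", "P@ssw0rd")}


def range_query(prefix: str) -> list[str]:
    """Simulated k-anonymity range lookup: given a 5-hex-char prefix, return
    the suffixes of every breached digest that starts with it. A real lookup
    service works the same way, so the full hash (and the password) stays local."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return [h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)]


def is_breached(password: str) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def is_reused(password: str, password_history: set[str]) -> bool:
    """password_history holds SHA-1 digests of the user's passwords on other
    systems (an unsalted comparison set kept simple for the example; a
    production history store would use a slow, salted hash)."""
    return sha1_hex(password) in password_history


def screen_password(password: str, password_history=frozenset(), min_len: int = 12):
    """Return (accepted, reasons). Every failing rule is reported so the
    user gets actionable feedback rather than one generic rejection."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if is_breached(password):
        reasons.append("found in breach corpus")
    if is_reused(password, password_history):
        reasons.append("reused from another system")
    return (not reasons, reasons)


if __name__ == "__main__":
    history = {sha1_hex("correct-horse-battery-staple")}  # constructed prior password
    for candidate in ("Summer2019!", "correct-horse-battery-staple", "vpn-only-passphrase-2021"):
        print(candidate, screen_password(candidate, history))
```

The prefix query is the important design choice: the screening service only ever sees five hex characters of the digest, so a breach-corpus lookup cannot itself become a way of leaking the new password.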
In addition to the compromised password, there were other contributing factors to the Colonial Pipeline attack. These factors included:
- The use of outdated software. The Colonial Pipeline network was using an outdated version of the Microsoft Exchange Server software. This software was vulnerable to a known security flaw that the attackers exploited. Regular software updates and patches are essential to protect against known vulnerabilities that attackers can exploit.
- The lack of segmentation. The Colonial Pipeline network was not segmented, which means that all of the systems on the network were connected to each other. This made it easier for the attackers to move laterally through the network and gain access to critical systems. Proper network segmentation is a fundamental security practice that restricts an attacker’s ability to move laterally across the network. In the Colonial Pipeline incident, the absence of effective network segmentation allowed the attackers to spread their influence more extensively within the network after gaining initial access.
- The lack of security awareness. The Colonial Pipeline employees were not adequately trained on cybersecurity best practices. This made them more likely to make mistakes, such as reusing passwords or clicking on malicious links. Employees serve as a significant line of defense against cyber attacks. The lack of security awareness among Colonial Pipeline employees potentially increased the organization’s vulnerability to phishing attempts and other tactics used by cybercriminals.
The Colonial Pipeline attack was a wake-up call for many organizations. It showed that even critical infrastructure is not immune to cyberattacks. Organizations need to take steps to improve their cybersecurity posture in order to protect themselves from similar attacks in the future.
The presence of reused and potentially weak passwords reflects a common issue in many organizations – inadequate password management. The use of unique, robust passwords and the implementation of multi-factor authentication (MFA) can significantly reduce the risk of unauthorized access. Moreover, password management tools can help employees maintain complex and unique passwords for various accounts.
The Colonial Pipeline attack and recovery unfolded at a rapid pace in a short period of time.
Timeline:
May 6, 2021
- Initial intrusion and data theft.
- The attackers gain access to the Colonial Pipeline network using a compromised password for a VPN account.
- The attackers steal 100 gigabytes of data within a two-hour window.
May 7, 2021
- Ransomware attack begins.
- Colonial Pipeline discovers the attack and shuts down its IT systems.
- Colonial Pipeline becomes aware of the breach.
- Security firm Mandiant is called in to investigate and respond to the attack.
- Law enforcement and federal government authorities are notified of the attack.
- The FBI confirms that the attack was carried out by a ransomware group known as DarkSide.
- The pipeline is taken offline to reduce the risk of exposure to the operational network.
- Colonial Pipeline pays a ransom of 75 bitcoin (~$4.4 million) to the attackers.
May 8, 2021
- Colonial Pipeline publicly announces the attack.
- Colonial Pipeline launches an investigation into the nature and scope of the incident and remains mostly silent about the details. At the same time, it starts taking systems offline proactively to contain the threat.
- The U.S. government declares a state of emergency in response to the attack.
- Panic buying of gasoline begins in some areas.
May 9, 2021
- Emergency declaration by President Joe Biden.
- The U.S. Government became involved, declaring a state of emergency. The Federal Motor Carrier Safety Administration issued a regional emergency declaration for 18 states and the District of Columbia, lifting restrictions on motor carriers and drivers who were providing assistance to the areas suffering a shortage of gasoline, diesel, jet fuel, and other refined petroleum products.
- Colonial Pipeline begins to restart its IT systems.
- The FBI releases a statement warning businesses about the DarkSide ransomware group.
May 10, 2021
- Colonial Pipeline announces that it has restored full operations.
- The U.S. Government confirmed DarkSide as the perpetrator. Colonial Pipeline was reported to be working on a plan to restart operations with the help of private cybersecurity firm Mandiant and legal firm Steptoe & Johnson.
- Gasoline supplies begin to normalize in most areas.
May 12, 2021
- Pipeline restarted as normal operations resumed.
- Colonial Pipeline reportedly paid the ransom, around 75 Bitcoin (equivalent to approximately $4.4 million at the time) to the hackers.
May 13, 2021
- Colonial Pipeline announced it started to resume pipeline operations. However, it warned that the supply chain would not return to normal for several days.
May 14, 2021
- Colonial Pipeline reported that its entire pipeline system had returned to operations.
June 7, 2021
- Department of Justice recovers 63.7 bitcoin — approximately $2.3 million — from the attackers.
June 8, 2021
- Congressional hearing on the attack.
- Charles Carmakal, SVP and CTO at cybersecurity firm Mandiant, testified before a House Committee on Homeland Security. He confirmed that the root cause of the attack was a compromised VPN account that didn’t use multi-factor authentication.
The Aftermath
The shutdown of the Colonial Pipeline resulted in severe gas shortages across the Southeastern United States, demonstrating how a cyber-attack on infrastructure can have real-world, immediate effects. Colonial Pipeline paid approximately $4.4 million in Bitcoin to the attackers to regain access to their systems, underscoring the costliness of these attacks to businesses and consumers alike.
The attack had a significant impact on the U.S. economy, causing gasoline shortages and price spikes. The recovery was also rapid, with Colonial Pipeline restoring full operations within a week of the attack.
Analysis of Security Failures
A critical factor in this attack was the apparent lack of segmentation within Colonial Pipeline’s network. Proper segmentation would have limited the ransomware’s ability to spread and encrypt multiple systems. Without effective segmentation, once the attackers breached the initial layer of defense, they were able to move freely and escalate their privileges throughout the network.
Moreover, the incident showcased the limitations of perimeter-based defenses in dealing with advanced threats like ransomware. Once the attackers were inside, they were able to operate with little to no detection. The absence of robust internal monitoring capabilities suggests a lack of maturity in Colonial’s security posture.
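The internal monitoring the paragraph above finds missing can be illustrated concretely. The following Python script is an added example, not part of the original case study and not tooling from Colonial Pipeline or Mandiant: it reads VPN concentrator and firewall flow logs and flags the sequence this article's timeline describes, a VPN login without MFA to a long-dormant account from a never-seen address, followed within a short window by bulk data egress from the address the VPN assigned to that session. All log lines, usernames, IP addresses, the per-user baseline and the thresholds (90 days dormancy, 10 GiB egress, two-hour window) are constructed for the example.

```python
"""Detection logic for the intrusion pattern in this case study: a VPN login
without MFA to a dormant account from a never-seen address, followed within
a short window by bulk data egress. Added example; all log lines and
baseline data are constructed, not real Colonial Pipeline telemetry."""
from datetime import datetime, timedelta, timezone

# Constructed VPN concentrator log: timestamp, host, event, then key=value fields.
VPN_LOG = """\
2021-05-06T03:52:10Z vpn01 login user=jsmith src=203.0.113.45 mfa=no result=success assigned=10.8.0.23
2021-05-06T08:15:41Z vpn01 login user=akumar src=198.51.100.7 mfa=yes result=success assigned=10.8.0.41
2021-05-06T08:16:02Z vpn01 login user=bwong src=198.51.100.8 mfa=yes result=failure assigned=-
"""

# Constructed egress flow summaries from the perimeter firewall.
FLOW_LOG = """\
2021-05-06T04:10:00Z fw01 flow src=10.8.0.23 dst=192.0.2.77 bytes_out=53687091200
2021-05-06T05:30:00Z fw01 flow src=10.8.0.23 dst=192.0.2.77 bytes_out=53687091200
2021-05-06T08:20:00Z fw01 flow src=10.8.0.41 dst=10.1.2.3 bytes_out=2048000
"""

# Constructed per-user baseline of the kind an identity team would maintain.
BASELINE = {
    "jsmith": {"last_login": datetime(2021, 1, 20, tzinfo=timezone.utc), "known_src": {"198.51.100.90"}},
    "akumar": {"last_login": datetime(2021, 5, 5, tzinfo=timezone.utc), "known_src": {"198.51.100.7"}},
}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> dict:
    """Split 'ts host event k=v k=v ...' into a dict with a parsed timestamp."""
    ts, host, event, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields.update(ts=parse_ts(ts), host=host, event=event)
    return fields


def parse_log(text: str) -> list[dict]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def analyze(vpn_text, flow_text, baseline, dormant_days=90,
            egress_threshold=10 * 2**30, window=timedelta(hours=2)):
    """Return {user: [reasons]} for successful VPN logins that match the
    case-study pattern. The thresholds are illustrative tuning knobs."""
    flows = parse_log(flow_text)
    findings = {}
    for ev in parse_log(vpn_text):
        if ev["event"] != "login" or ev["result"] != "success":
            continue
        user, hist, reasons = ev["user"], baseline.get(ev["user"], {}), []
        if ev.get("mfa") != "yes":
            reasons.append("login_without_mfa")
        if ev["src"] not in hist.get("known_src", set()):
            reasons.append("new_source_ip")
        last = hist.get("last_login")
        if last is None or ev["ts"] - last > timedelta(days=dormant_days):
            reasons.append("dormant_account")
        # Attribute egress to the address the VPN handed this session.
        egress = sum(int(f["bytes_out"]) for f in flows
                     if f["src"] == ev["assigned"]
                     and ev["ts"] <= f["ts"] <= ev["ts"] + window)
        if egress > egress_threshold:
            reasons.append(f"bulk_egress:{egress // 2**30}GiB")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in analyze(VPN_LOG, FLOW_LOG, BASELINE).items():
        print(user, reasons)
```

Any one of these signals on its own produces noise; the value is in correlating the session's assigned address across the VPN and flow logs, so that a password-only login is escalated only when it is followed by behaviour a legitimate user rarely shows.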
Here are some of the steps that organizations can take to improve their cybersecurity posture and reduce the risk of a similar attack:
- Use strong passwords and keep them secure. Passwords should be at least 12 characters long and should include a mix of upper and lowercase letters, numbers, and symbols. Passwords should not be reused across multiple systems.
- Keep your software up to date. Software updates often include security patches that can help to protect your systems from known vulnerabilities.
- Use a firewall and antivirus software. A firewall can help to block unauthorized access to your network, and antivirus software can help to detect and remove malware.
- Be aware of the latest cyber threats. It is important to stay up-to-date on the latest cyber threats so that you can take steps to protect yourself.
- Train your employees on cybersecurity best practices. Employees should be trained on how to identify and avoid phishing emails, how to create strong passwords, and how to report suspicious activity.
Implications and Lessons Learned
The attack on Colonial Pipeline underscores the urgent need for advanced threat protection measures, including anomaly detection and automated response systems. Such systems can identify unusual behavior within a network and initiate protective measures before extensive damage occurs.
More importantly, the incident highlighted the systemic vulnerabilities of critical infrastructure to cyber threats. Given their essential nature, these systems are high-value targets for criminals. This event emphasizes the need for a nationwide commitment to bolstering the cybersecurity defenses of these critical industries.
Companies should adopt a ‘zero trust’ approach, continuously verifying each request as if it originates from an open network, regardless of its actual location within the system. This approach would reduce the likelihood of an attacker moving freely through the network even after gaining initial access.
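To make the difference between a perimeter model and the zero-trust model concrete, here is an added Python example (not part of the original case study, and not code from any named organization) that evaluates the same request under both policies. The users, roles, resources and entitlements are constructed; the request shaped like the incident, a VPN session established with only a password, is allowed by the perimeter check and denied by the zero-trust check.

```python
"""Contrast a perimeter-style access decision with a zero-trust one. Added
example; users, roles, resources and entitlements are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    mfa_verified: bool
    device_compliant: bool
    source_network: str  # "corp-lan", "vpn" or "internet"


# Constructed role assignments and least-privilege entitlements.
ROLES = {"jsmith": {"finance"}, "rlee": {"ops-engineer"}}
ENTITLEMENTS = {
    "scada-historian": {"read": {"ops-engineer"}, "write": {"ops-engineer"}},
    "billing-db": {"read": {"finance"}, "write": {"finance-admin"}},
}
TRUSTED_NETWORKS = {"corp-lan", "vpn"}


def perimeter_decide(req: Request) -> tuple[bool, str]:
    """The pattern the case study criticises: being on the internal network
    (including via VPN) is treated as sufficient proof of trust."""
    if req.source_network in TRUSTED_NETWORKS:
        return True, "inside_perimeter"
    return False, "outside_perimeter"


def zero_trust_decide(req: Request, roles=ROLES, entitlements=ENTITLEMENTS) -> tuple[bool, str]:
    """Evaluate every request on identity, MFA, device posture and explicit
    entitlement. source_network is recorded for audit but never grants access."""
    if not req.mfa_verified:
        return False, "mfa_required"
    if not req.device_compliant:
        return False, "device_noncompliant"
    permitted = entitlements.get(req.resource, {}).get(req.action, set())
    if roles.get(req.user, set()) & permitted:
        return True, f"entitled (via {req.source_network})"
    return False, "no_entitlement"


if __name__ == "__main__":
    # A VPN session established with only a password, as in the case study.
    stolen_session = Request("jsmith", "scada-historian", "write",
                             mfa_verified=False, device_compliant=True, source_network="vpn")
    print("perimeter:", perimeter_decide(stolen_session))
    print("zero trust:", zero_trust_decide(stolen_session))
```

Note that the zero-trust check also denies a fully authenticated user who simply lacks an entitlement for the resource, which is what limits lateral movement even when a credential is genuine.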
Additionally, organizations need to ensure they have a comprehensive, tested incident response plan in place. Colonial Pipeline’s decision to pay the ransom illustrates the difficult choices companies face when under attack, and such decisions should be part of a well-rehearsed response plan.
Conclusion
The ransomware attack on Colonial Pipeline serves as a stark reminder of the cyber threats facing critical infrastructure. As the incident shows, these attacks can have immediate and widespread impacts on society. Moving forward, companies and governments alike must take proactive measures to protect against such threats and ensure the resilience and security of our critical infrastructure.