A Single Password Forces Largest US Pipeline to Its Knees, Prompts Payment of $4.4Mn Ransom!

Colonial Pipeline, a major fuel pipeline operator in the US, hit the headlines on May 7, when a ransomware attack led to the shutdown of its entire network. It was the largest ever cyberattack on American energy infrastructure.

The Russian-based criminal hacking group Darkside infiltrated the company’s billing system and stole nearly 100 gigabytes of data. Unable to bill its customers, the company closed the pipeline for six whole days, disrupting fuel deliveries across the East Coast.

The pipeline shutdown triggered outages at fuel terminals, panic buying, and a spike in gas prices. Even American Airlines temporarily rescheduled its flights in response to fuel shortages. The average fuel price stood at USD 3 a gallon, the highest since 2014. The crisis was serious enough that President Biden declared a ‘state of emergency’ on May 9.

Complicating the situation was Darkside’s ransom demand of USD 4.4 million (75 bitcoins) in exchange for the compromised data. Once the dust had settled, it became clear that one simple error had led to this East Coast energy crisis.

How the Crisis Unfolded

Joseph Blount, CEO of Colonial Pipeline, learnt about the attack in the early hours of May 7, when a control-room employee found a ransom note from the hackers. The note said the hackers had ‘exfiltrated’ files from the company’s shared internal drive and demanded a USD 4.4 million ransom in exchange for the files. The company promptly decided to shut down its entire pipeline.

“At approximately 5:55 A.M., employees began the shutdown process. By 6:10 A.M., they confirmed that all 5,500 miles of pipelines had been shut down,” said Blount.

The same night, Blount came to a difficult conclusion: He had to pay the ransom.

“I made the decision that Colonial Pipeline would pay the ransom to have every tool available to us to swiftly get the pipeline back up and running. It was one of the toughest decisions I have had to make in my life,” said CEO Blount in his first public remarks since the crippling attack.

“I know that’s a highly controversial decision. I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this,” said Mr. Blount.

“But it was the right thing to do for the country,” he added.

The company paid approximately USD 4.4 million worth of bitcoin to the Darkside hackers one day after the attack, revealed Blount on May 19.

In return for the payment, Colonial received a decryption tool from the Darkside group to unlock the crippled systems.

But what brought the largest energy infrastructure in the United States to its knees? A compromised password.

Yes! A single leaked password led to the shutdown of the company that has invested around USD 1.5 billion to maintain the integrity of its entire pipeline system over the past five years.

Darkside hackers penetrated Colonial’s computer network using nothing more than a compromised password. The password belonged to an old Virtual Private Network (VPN) account that was still active but no longer in use. The account had only single-factor authentication and was not protected by the extra layer of security known as multi-factor authentication (MFA).

“In the case of this particular legacy VPN, it only had single-factor authentication,” said Blount. “It was a complicated password, I want to be clear on that. It was not a Colonial123-type password.”

A legacy VPN account with no MFA! It should have been a cakewalk for Darkside.

At the moment, it is unclear how the Darkside hackers obtained the compromised credential. But the attack underscores how cybercriminals can disrupt critical infrastructure companies with something so simple. It also brings to light the grave risks of lax cybersecurity hygiene.
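The two hygiene failures described above, a remote-access account without MFA and an account that stayed enabled after it fell out of use, are both things an identity inventory can be checked for routinely. The script below is an added example written for this article; it is not code from Colonial Pipeline, StealthLabs, or any identity product. The inventory format, the field names (`remote_access`, `mfa`, `enabled`, `last_login`), the sample accounts and the 90-day dormancy threshold are all constructed assumptions; a real export from a VPN appliance or identity provider would need to be mapped onto these fields.

```python
"""Audit an account inventory for the two conditions behind the Colonial
VPN compromise: remote-access accounts without MFA, and accounts that are
still enabled but have not been used for a long time.

Inventory format, field names and thresholds are assumptions made for this
example; they are not taken from Colonial Pipeline or any vendor."""
from datetime import date

# Constructed sample export, as it might come from an identity provider
# or VPN appliance. Every record here is made up for illustration.
ACCOUNTS = [
    {"user": "ops.engineer", "remote_access": True, "mfa": True,
     "enabled": True, "last_login": "2021-05-06"},
    {"user": "legacy.vpn.contractor", "remote_access": True, "mfa": False,
     "enabled": True, "last_login": "2020-11-02"},
    {"user": "billing.clerk", "remote_access": False, "mfa": False,
     "enabled": True, "last_login": "2021-05-05"},
    {"user": "former.admin", "remote_access": True, "mfa": True,
     "enabled": False, "last_login": "2019-03-14"},
    {"user": "svc.backup", "remote_access": True, "mfa": False,
     "enabled": True, "last_login": None},
]

DORMANT_DAYS = 90  # assumed policy threshold for "unused" accounts


def audit_accounts(accounts, as_of, dormant_days=DORMANT_DAYS):
    """Return a list of (user, finding) tuples, one per policy violation.

    `as_of` is an ISO date string (YYYY-MM-DD) so the audit is reproducible
    regardless of when it is run. Findings keep inventory order."""
    today = date.fromisoformat(as_of)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used to log in
        user = acct["user"]
        # Condition 1: remote access (VPN) without a second factor
        if acct["remote_access"] and not acct["mfa"]:
            findings.append((user, "remote access without MFA"))
        # Condition 2: still enabled but unused beyond the dormancy threshold
        last = acct["last_login"]
        if last is None:
            findings.append((user, "enabled but never logged in"))
        elif (today - date.fromisoformat(last)).days > dormant_days:
            findings.append((user, "dormant account still enabled"))
    return findings


def summarize(findings):
    """Group findings by user so each risky account is reported once."""
    by_user = {}
    for user, finding in findings:
        by_user.setdefault(user, []).append(finding)
    return by_user


if __name__ == "__main__":
    report = summarize(audit_accounts(ACCOUNTS, "2021-05-07"))
    for user, issues in report.items():
        print(f"{user}: {'; '.join(issues)}")
```

Run against the constructed inventory with an audit date of 2021-05-07, the script flags `legacy.vpn.contractor` on both counts (no MFA, and no login for roughly six months) and `svc.backup` for remote access without MFA on an account that has never logged in; the disabled `former.admin` account is skipped because it cannot be used. The dormancy threshold is a parameter so the same audit can be re-run under a stricter or looser policy.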

Is Your Firm Safe?

The Colonial ransomware attack reveals that no organization, regardless of its size, is completely risk-free in today’s digital world, where cybersecurity is a pervasive issue. Cybercriminals are constantly tweaking their attack techniques.

They have become more creative, sophisticated, and evasive, while much of the security industry struggles to keep up. So, the million-dollar question that arose after this attack was: how can firms protect their businesses from such cybercrimes? It is wise to seek help from cybersecurity service providers, like StealthLabs, to stay secure in today’s rapidly growing landscape of cyberattacks.

How Can StealthLabs Help Prevent Attacks Like Colonial?

StealthLabs helps organizations instill good cyber hygiene and improve their overall cybersecurity posture. Our team of security professionals provides timely, actionable insights and leading cyber practices that enable organizations to prepare for and defend against ransomware attacks.

StealthLabs’ proactive cybersecurity offerings, including Identity and Access Management (IAM) services and Privileged Access Management (PAM) services, give complete visibility and control over your firm’s critical data and systems. We help you not only remain secure, but also become more vigilant and resilient to evolving cyberthreats.
