Colonial Pipeline
Colonial Pipeline is a major pipeline system in the United States, crucial for transporting over 100 million gallons of gasoline, home heating oil, and jet fuel daily from Texas to New York. In May 2021, the pipeline faced a significant disruption when it was targeted by a ransomware cyberattack attributed to a Russian criminal group known as DarkSide. This led to a complete shutdown of operations, causing widespread panic among motorists on the East Coast who experienced long lines and rising fuel prices, as well as disruptions in jet fuel supplies impacting flights.
The company paid a ransom of $4.4 million in cryptocurrency to restore its systems, although a portion of this ransom, approximately $2.3 million, was later seized by the FBI. The incident highlighted how weak remote-access controls at a single company could expose critical infrastructure to ransomware, and it drew attention to the growing threat of cybercrime. Established in 1961, Colonial Pipeline has become increasingly vital to the fuel supply on the East Coast, especially as several local refineries have closed in recent years, deepening reliance on this single pipeline system. The event served as a wake-up call regarding the need for improved cybersecurity measures within critical infrastructure.
The Colonial Pipeline is one of the largest systems of pipelines in the United States, transporting more than one hundred million gallons of gasoline, home heating oil, and jet fuel each day from Texas to New York. On May 7, 2021, the Colonial Pipeline shut down its operations because of a ransomware cyberattack. In such attacks, criminal groups encrypt a victim's data and hold it hostage until the victim pays the requested ransom. A few days after the attack, the Federal Bureau of Investigation (FBI) determined that the Russia-based cyber-criminal group DarkSide was responsible for the attack.
The shutdown panicked motorists along the East Coast, who had to wait in long lines and pay high prices at gas stations. It also disrupted flights because of a lack of jet fuel.
Colonial Pipeline paid $4.4 million in ransom in an effort to resume operations and provide the East Coast with much-needed fuel. However, the FBI and the US Department of Justice managed to seize $2.3 million of the ransom money paid to DarkSide.


Background
In 1961, some of the largest oil companies of the time, such as Phillips Petroleum and Continental Oil, worked together to form the company that built the pipeline, which was later named Colonial and headquartered in Alpharetta, Georgia. In 2024, the Colonial Pipeline was the largest in the United States, providing about 45 percent of the East Coast's fuel. The Colonial Pipeline originates in Houston, Texas, and ends at the Port of New York and New Jersey. The system comprises about 5,500 miles of pipeline and extends through twelve states and part of the Gulf of Mexico.
Reliance on the Colonial Pipeline has increased substantially over the past twenty years. At least six refineries have gone out of business in Virginia, Pennsylvania, and New Jersey. These closings cut the amount of fuels processed in these areas by more than half and increased those states’ reliance on the Colonial Pipeline. The pipeline, which provides jet fuel, is particularly vital for the functioning of airports in the East.
In 2024, the Colonial Pipeline was owned by five companies: Koch Industries, Kohlberg Kravis Roberts, CDPQ (Caisse de dépôt et placement du Québec), Shell (formerly Royal Dutch Shell), and IFM Investors (Industry Funds Management).
Overview
On May 7, 2021, a Friday, Colonial Pipeline announced that due to a ransomware cyberattack, it had shut down the entire pipeline and taken certain Information Technology (IT) systems offline. Colonial Pipeline hired FireEye, a cybersecurity company, to assist with the crisis. The company at first worried that the attackers might have obtained information that would enable them to damage vulnerable parts of the pipeline. It shut down the pipeline as a preventive measure and contacted law enforcement agencies, including the FBI. However, the hackers had targeted the business side of Colonial Pipeline and not its operational systems, suggesting that they sought money rather than physical disruption. Colonial Pipeline later learned that the hackers gained entry into its network through a VPN (virtual private network) account, a service that allowed employees to access the company's network remotely. The account was no longer in use but had never been deactivated, so its credentials still worked. The account's username and password were later discovered inside a batch of leaked passwords on the dark web, the part of the Internet where stolen data is traded. The account was not protected by the multifactor authentication that the company uses in most of its operations, so a single reused password was enough to gain remote access.
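The three conditions described above (a dormant account left enabled, no multifactor authentication on it, and a password already present in a leaked-credential dump) can each be checked mechanically against a VPN account export. The following Python script is an added example, not code from the original article or from Colonial Pipeline; the account records and the leaked-password corpus are constructed for illustration, the 90-day dormancy threshold is an assumed policy value, and the prefix-indexed lookup imitates the k-anonymity scheme used by public leaked-password range APIs without making a network call.

```python
"""Audit a VPN account export for the failure modes behind the Colonial Pipeline intrusion.

Added example; all accounts, passwords and the leaked corpus below are constructed sample data.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DORMANT_DAYS = 90  # assumption: policy threshold for disabling unused remote-access accounts


@dataclass
class VpnAccount:
    user: str
    enabled: bool
    mfa_enabled: bool
    last_login: Optional[date]  # None = no login within the retention window
    password: str               # present only so the sample can be hashed; real audits use stored hashes


def sha1_hex(text: str) -> str:
    """Uppercase hex SHA-1, the digest format used by leaked-password range services."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_leak_index(leaked_passwords: List[str]) -> Dict[str, set]:
    """Index a corpus the way a range API does: 5-char hash prefix -> set of 35-char suffixes."""
    index: Dict[str, set] = {}
    for pw in leaked_passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


# Constructed stand-in for a breach corpus (not a real dump).
LEAKED_PASSWORDS = ["Summer2019!", "Password1", "letmein", "Welcome123"]
LEAK_INDEX = build_leak_index(LEAKED_PASSWORDS)


def password_is_leaked(password: str, index: Dict[str, set] = LEAK_INDEX) -> bool:
    """k-anonymity lookup: only the 5-char prefix would leave the host; the suffix is matched locally."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def audit_account(acct: VpnAccount, today: date) -> List[str]:
    """Return the findings for one account; a disabled account cannot be used and yields none."""
    findings: List[str] = []
    if not acct.enabled:
        return findings
    if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
        findings.append("dormant account still enabled: disable it")
    if not acct.mfa_enabled:
        findings.append("no MFA on remote-access account: enforce MFA or disable")
    if password_is_leaked(acct.password):
        findings.append("password present in leaked-credential corpus: force reset")
    return findings


def audit(accounts: List[VpnAccount], today: date) -> Dict[str, List[str]]:
    """Map user -> findings for every account with at least one finding, most findings first."""
    report = {a.user: audit_account(a, today) for a in accounts}
    ordered = sorted(report.items(), key=lambda kv: -len(kv[1]))
    return {user: findings for user, findings in ordered if findings}


# Constructed sample export (hypothetical users, not real Colonial accounts).
SAMPLE_ACCOUNTS = [
    VpnAccount("ops.contractor", True, False, date(2020, 11, 15), "Summer2019!"),
    VpnAccount("alice", True, True, date(2021, 5, 5), "corr3ct-h0rse-b4ttery"),
    VpnAccount("bob", True, False, date(2021, 5, 6), "9v!Qm#tR2xLp"),
    VpnAccount("former.emp", False, False, date(2019, 2, 1), "Password1"),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, date(2021, 5, 7)).items():
        print(user)
        for f in findings:
            print("  -", f)
```

Run against the sample export as of 7 May 2021, the script flags `ops.contractor` on all three counts, which is the profile of the account used in the intrusion; `bob` is flagged only for missing MFA, and the disabled `former.emp` record produces nothing because a disabled account cannot be used for remote access.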
Prior to the shutdown, an employee found a ransom note on a control room computer. The hackers claimed to have obtained information from the company's shared internal drive and demanded roughly $4.4 million, payable in bitcoin, in exchange for the decryption tool needed to restore its networks. According to the FBI, the cyber-criminal group DarkSide, based in Russia, was responsible for the attack.
The pipeline shutdown elicited panic among East Coast motorists, who feared a lengthy gasoline shortage. Motorists panic-bought gasoline, waiting in long lines and paying high prices to fill their tanks. US gasoline prices at the pump rose six cents per gallon in the week following the attack, pushing the national average above $3 per gallon for the first time since 2014, according to the American Automobile Association (AAA).
On June 8, 2021, Colonial Pipeline's then-Chief Executive Officer (CEO) Joseph Blount, Jr. told members of the Senate Homeland Security Committee that the company had paid the $4.4 million ransom within a day of the cyberattack. The money was paid in bitcoin, a cryptocurrency whose transactions are recorded on a public ledger but whose owners are not readily identified. Blount explained that the company was concerned that the malware would spread to its Operational Technology networks, which control the operation of the pipeline. Colonial also sought to end the pipeline shutdown as soon as possible. Once they received the payment, the hackers provided the company with a decryption tool to restore its networks.
However, Colonial Pipeline assisted the FBI in an operation to recover at least some of the ransom money. The US Justice Department seized $2.3 million worth of bitcoin paid to DarkSide. The FBI identified the address of the hackers' wallet, obtained a court order to seize the funds in it, and had control of the private key needed to move them; how the FBI obtained that key has not been made public. Colonial restarted the pipeline on the evening of Wednesday, May 12, 2021, and by Thursday, May 13, most of the system was back up and running. The event was a learning experience for the operators of the Colonial Pipeline and the US government, and it brought to light both the importance and the fragility of cybersecurity in critical infrastructure in the twenty-first century.
Bibliography
Duffy, Claire. “Colonial Pipeline attack a ‘Wake Up Call’ about the Threat of Ransomware.” CNN Business, 16 May 2021, www.cnn.com/2021/05/16/tech/colonial-ransomware-darkside-what-to-know/index.html. Accessed 23 May 2024.
Eaton, Collin and Dustin Volz. “Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom.” Wall Street Journal, 19 May 2021, www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636. Accessed 23 May 2024.
“Looking Back on the Colonial Pipeline Hack.” Imprivata, 17 May 2022, www.imprivata.com/blog/looking-back-colonial-pipeline-hack. Accessed 23 May 2024.
Morrison, Sara. "How a major oil pipeline got held for ransom." Vox, 8 June 2021, www.vox.com/recode/22428774/ransomeware-pipeline-colonial-darkside-gas-prices. Accessed 21 July 2021.
Perez, Evan, Zachary Cohen, and Alex Marquardt. "US Recovers Millions in Cryptocurrency Paid to Colonial Pipeline Ransomware Hackers." CNN, 7 June 2021, www.cnn.com/2021/06/07/politics/colonial-pipeline-ransomware-recovered/index.html. Accessed 23 May 2024.
Russon, Mary-Ann. “US fuel pipeline hackers ‘didn’t mean to create problems.’” BBC News, 10 May 2021, www.bbc.com/news/business-57050690. Accessed 21 July 2021.
Turton, William and Kartikay Mehrotra. “Hackers Breached Colonial Pipeline Using Compromised Password.” Bloomberg, 4 June 2021, www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password. Accessed 21 July 2021.
Wilkie, Christina. “Colonial Pipeline paid $5 million ransom one day after cyberattack, CEO tells Senate.” CNBC, 8 June 2021, www.cnbc.com/2021/06/08/colonial-pipeline-ceo-testifies-on-first-hours-of-ransomware-attack.html. Accessed 21 July 2021.
Wood, Kimberly. “Cybersecurity Policy Responses to the Colonial Pipeline Ransomware Attack.” Georgetown Law, 7 Mar. 2023, www.law.georgetown.edu/environmental-law-review/blog/cybersecurity-policy-responses-to-the-colonial-pipeline-ransomware-attack. Accessed 23 May 2024.