Skip to main content

How the Colonial Pipeline attack occurred

By Claudia Piccirilli | May 21, 2021

The timeline of the attack and considerations for business leaders from the ransomware incident.
Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

The event and timeline

As we have been tracking the Colonial Pipeline incident closely since our May 13 client alert, we have prepared the following timeline of events, detailing how the incident unfolded. Further, we are pleased to provide additional information about the threat actor, historical information about Colonial Pipeline, and some considerations for business leaders as they reflect on the incident.

  • The attack began on Thursday, May 6, when over 100 gigabytes of data was confiscated from Colonial Pipeline’s systems in just under two hours.1
  • On Friday, May 7, the company communicated that it had made the decision to shut down its operations as a precaution until the source of the ransomware could be further investigated and to prevent the hackers from doing anything further, such as damaging the system itself in the event that the hackers had stolen highly sensitive information from corporate computers. As the shut-down interrupted the 5,500 mile pipeline from Texas to New York, causing many gas stations to run out of fuel, Colonial pipeline began to ship fuel via trucks during the disruption.
  • On Saturday, May 8, the FBI, CISA and NSA shut off key servers operated by the hackers.2 This was done to stop the flow of stolen Colonial Pipeline data from the United States to the alleged hacker locations in Russia. Bloomberg3,4 reported, that Colonial was threatened that the stolen data would be leaked to the internet and that the data would remain locked unless Colonial paid a ransom.
  • On Sunday, May 9, it was determined that DarkSide might be involved in the attack. The Department of Energy monitored the impact of the attack to the nation’s energy supply. At the time, there was no indication of how long the pipelines would be shut down. As a pipeline fix was indicated as a priority by the U.S. Commerce Secretary, Washington worked to avoid more severe fuel supply disruptions.5
  • On Monday, May 10, the FBI confirmed that DarkSide, a group residing within Russia’s borders, was responsible for the compromise of the Colonial Pipeline networks. Colonial Pipeline indicated that they intended to substantially restore operational service by the end of the week. The line (Line 4) running from Greensboro, North Carolina to Woodbine, Maryland was operating on manual control for a limited period of time while existing fuel inventory was available. Although main lines continued to be offline, small lateral lines were operational.
  • On Tuesday, May 11 the CISA-FBI issued an Advisory6, providing guidance on DarkSide ransomware and recommended mitigation strategies. Colonial defined shipping strategies that would be followed while the pipeline was safely restored.
  • Colonial indicated on Wednesday, May 12 that “they would move as much gasoline, diesel, and jet fuel as is safely possible”7, but that it would take a series of days for the pipeline to return to normal.
  • As of Thursday, May 13, It has been reported that many gas stations between Georgia and Maryland were without fuel. Drivers in Georgia, North Carolina, South Carolina, Tennessee and Washington, D.C. were panic buying. On this same day, Colonial did indeed pay a ransom of just under $4.4 million to Eastern European hackers in the form of bitcoin, about 75 in all.21,22

About DarkSide and how the attack occurred

DarkSide is an organized crime group, operating out of Russia but with no formal ties to the Russian government, running Ransomware as a Service (RaaS). The two-step hallmark of the group, exfiltration of data followed by encryption of data and a request for ransom in order to release the key to decrypt the exfiltrated data, was present in the Colonial attack. The resulting CISA and FBI8 alert indicated that DarkSide attackers typically first gain initial access through a phishing attempt. They use remote access to systems via virtual desktop infrastructure, including the use of Remote Desktop Protocol (RDP), TOR (The Onion Router) to protect and obscure the user’s identity online and their activities for Command and Control operations, along with Cobalt Strike. Cobalt Strike is threat emulation software, a powerful attack “kit” that enables the execution of targeted attacks. After the CISA-FBI Advisory, the Cyber intelligence group, Intel 4719, reported:

“On May 13, 2021, the operators of the DarkSide Ransomware-as-a-Service (RaaS) announced they would immediately cease operations of the DarkSide RaaS program. Operators said they would issue decryptors to all their affiliates for the targets they attacked and promised to compensate all outstanding financial obligations by May 23, 2021. The group, which has been named as the one responsible for the Colonial Pipeline incident, also passed an announcement to its affiliates claiming a public portion of the group's infrastructure was disrupted by an unspecified law enforcement agency. The group’s name-and-shame blog, ransom collection website, and breach data content delivery network (CDN) were all allegedly seized, while funds from their cryptocurrency wallets allegedly were exfiltrated.”10 DarkSide also indicated that it was releasing decryption keys to all companies that had been ransomed but had not yet been paid.

On the same day, some Russian cybercrime forums began distancing themselves from ransomware operations altogether. The administrator of the popular Russian forum XSS announced the community would no longer allow discussion threads about ransomware moneymaking programs. On Friday, May 14, Darkside continued to advise that it was shutting down its operations amid pressure from the U.S. and law enforcement and a website operated by the ransomware group has been down since that time. In a message from a cybercrime forum, the group said that their servers were seized, that they had lost access to the infrastructure the group uses to run its operations, and that the money of advertisers and founders was transferred to an unknown account.11,12 The organization said that their goal is to make money, not to create problems for society. Intel 47113 suggests treating these announcements with caution, “as it is likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways. A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to ‘wash’ the cryptocurrency they earn from ransoms.” Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil has allegedly ceased operations. Several apparent customers of the service were reportedly unable to access BitMix in the last week.”20

DarkSide was not the only group to make this type of announcement on May 13. Another Ransomware as a Service (RaaS) group, Babuk, claimed it handed over the ransomware’s source code to "another team," which would continue to develop it under a new brand. The group pledged to stay in business.14

History and about Colonial Pipeline

Some of the biggest oil companies, including Phillips Petroleum, Sinclair Pipeline and Continental Oil, joined to begin construction of the pipeline in 1961, a time of rapid growth in highway driving and long-distance air travel. Today, the company is owned by Royal Dutch Shell, Koch Industries and several foreign and domestic investment firms. The pipeline has become so important because of regulatory restrictions on pipeline construction that go back nearly a century, as well as restrictions on road transport of fuels. The main reason the pipeline is so vital, however, is because at least six refineries have gone out of business in New Jersey, Pennsylvania and Virginia over the past two decades, reducing the amount of crude oil processed into fuels in the region by more than half, from approximately 1.5 million barrels to under half that amount weekly.15

While Colonial Pipeline does not have a Chief Information Security Officer, its Chief Information Officer appears to be the internal stakeholder charged with management of the company’s information security program.16 Auditors routinely recommend the appropriate segregation of duties, separating the responsibility for systems, the security environment and the protection of key corporate information assets. If any subsequent investigation takes place, it will be interesting to track if appropriate segregation of duties was implemented in this case.

Three years ago, an audit of Colonial by IMERGE Consulting found problematic information management practices. IMERGE reported that the environment was “easily penetrable and fraught with vulnerabilities”.17 Recommendations from the security assessment (said to cost $50,000) defined a plan for certain critical hygiene improvements, data protection measures, incident response planning and business continuity planning.

How far Colonial Pipeline, went to address the vulnerabilities isn’t entirely clear. Colonial Pipeline indicated that since 2017, it hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%, reporting expenditure of $200 million on IT in the past 5 years.22 How vulnerable Colonial was to compromise is sure to be intensely scrutinized by federal authorities and cybersecurity experts. Colonial has not disclosed how the intrusion took place, but the CISA-FBI Advisory18 suggests that DarkSide may have gained access through phishing and exploiting remotely accessible accounts.

Experts agree that aging OT and IT environments19 used by energy companies make them vulnerable to cyberattacks like the one perpetrated by DarkSide. As companies are expected to meet ever increasing financial targets, there is more pressure on information security teams to maintain more secure operating environments.

It is essential for the Chief Information Security Officer to be able to articulate the vulnerabilities and threats facing the company, to define the appropriate mitigating actions that will generate the greatest reduction in cyber risk exposure, to lead the management team in identifying the most critical information assets of the firm, and to educate and work with management to understand and define potential impacts. Enlisting support from senior management to prioritize information security investments and goals is critical.

Of course, there are still many unresolved questions regarding the Colonial Pipeline incident. It is still unclear whether ransomware negotiators were utilized (though recent reports suggest this was likely22), how the data was exfiltrated, what specific type of data was exfiltrated and whether the data was recovered. Perhaps most importantly, the full extent of the short term and long-term impacts of the attack is not clear and may not be for some time.

Considerations for business leaders

Operational resilience is essential in any crisis situation. As the shutdown of the Colonial Pipeline has illustrated, preparedness and backup plans must be built into every facet of operational and third-party management.17

Considering backup alternatives and imagining how to do things differently, while being cognizant of potential costs is essential. Documenting, planning and testing chosen alternative(s) is crucial. The Colonial Pipeline incident highlights the potential fragility of systems and processes. The incident also highlights how critical infrastructure — fuel, power, electric, transportation, communication, etc. — remains a prime target for cyberattacks and digital extortion initiatives.16

Regulatory reporting requirements will likely increase as a result of the attack. Without the involvement of government agencies, there will be no ability to obtain retribution for damages incurred. It is also noteworthy to consider the growing importance of companies being able to quantify the cost of an outage in order plan for remediation, risk transfer and proactive mitigation.

There are still many unresolved issues regarding this attack. It will likely be weeks or months before conclusions can be made regarding broader causes and impacts. What is clear, however, is that this is a significant attack with far wider implications than a single organization and seems to have caused a significant escalation in how law enforcement and other agencies will confront ransomware in the future.












11 les-n1267057













Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.


Product Director, Cyber Analytics

Contact Us