Cybersecurity Scary Stories: Colonial Pipeline

Cybersecurity | September 20, 2021

When hackers strike, we should all be scared. 

Gather ‘round the campfire, let us tell you the harrowing tale of the Colonial Pipeline Attack: 

Founded in 1961, The Colonial Pipeline Company is the largest refined products pipeline in the United States. Running from New York Harbor to Houston, it delivers over 100 million gallons of fuel to the East Coast of the country each and every day – that’s nearly 45% of the total gas supply for the region.  

Needless to say, the functionality of this mighty piece of infrastructure is fundamental to the daily lives of millions. So, when officials discovered that Colonial Pipeline had been hit with a debilitating cyberattack this past spring, you can understand that the response was nothing short of horror.

The mighty had fallen.   

On May 7th, 2021, Colonial Pipeline announced the immediate halt of all operations in the wake of a cybersecurity breach. The shutdown caused gas shortages, price spikes, and considerable consumer alarm up and down the East Coast for days on end. This reaction, of course, is understandable: with no immediate resolution in sight, Americans began fearfully stockpiling gas, and officials called emergency meetings in anticipation of the worst. It was chaos.

Luckily, in this case, the attacker’s target was not the infrastructure of the pipeline itself, but rather the business operations of the Colonial Pipeline Company. Once the threat was dealt with, regular service returned to consumers within a few days. But while the world awaited an answer from the FBI and others as to what really happened, many remained visibly shaken by how easily bad actors were able to decimate such a large enterprise. If this could happen to Colonial Pipeline, couldn’t it happen to the water supply? The electricity? Couldn’t it happen to you?

Fears only mounted a month later when the alleged cause of the breach was finally revealed: one single leaked password.  

That’s right: one exposed password wreaked days’ worth of havoc for the entire eastern seaboard of a global superpower. According to testimony from Colonial Pipeline CEO Joseph Blount during a U.S. Senate Committee hearing, the password belonged to an inactive employee account and was discovered by the hacking group DarkSide on the dark web. Some speculate that the password was a repeat, meaning it had previously been used for another of the employee’s personal accounts.

Once found, this password was then used to access the Colonial Pipeline network via a legacy VPN that did not have multi-factor authentication enabled. Worming in through this small point of entry, DarkSide was then able to encrypt a significant portion of Colonial Pipeline’s data with ransomware, essentially holding the company hostage to its demands. Panic ensued.
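The two weaknesses in that paragraph, a credential belonging to an account that should no longer have worked and a VPN profile that never asked for a second factor, are both visible in ordinary VPN authentication logs if anyone looks. The script below is an added example written for this post, not code from Colonial Pipeline or from any of the sources cited; the log format, the field names, the account names and the list of deactivated accounts are all constructed. It flags successful logins by deactivated accounts, flags successful logins that completed without MFA, and inventories which VPN profiles are still accepting password-only logins.

```python
"""Detection sketch for the two conditions described above:
  1. a successful VPN login using an account that HR/IdM lists as inactive
  2. a successful VPN login that never performed a second factor
Added example; the log layout and all sample data are constructed."""
import csv
import io
from dataclasses import dataclass

# Constructed sample VPN authentication log (not real data).
# Fields: timestamp, user, vpn_profile, result, mfa (method used, or "none").
SAMPLE_LOG = """\
timestamp,user,vpn_profile,result,mfa
2021-04-29T03:12:07Z,jdoe,legacy-vpn,success,none
2021-04-29T03:15:44Z,asmith,corp-vpn,success,push
2021-04-29T03:20:10Z,jdoe,legacy-vpn,failure,none
2021-04-29T04:01:33Z,bwong,corp-vpn,success,totp
2021-04-29T04:07:58Z,rlee,legacy-vpn,success,none
"""

# Constructed export of accounts that have been deactivated and should never
# authenticate again; in practice this comes from HR or the identity provider.
INACTIVE_ACCOUNTS = {"jdoe", "mperez"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    vpn_profile: str
    reason: str  # "inactive-account-login" or "no-mfa"


def analyze_vpn_log(log_text: str, inactive: set) -> list:
    """Return one Finding per weakness observed on each successful login.

    A single login can produce two findings (inactive account AND no MFA),
    which is exactly the combination worth paging someone about.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["result"] != "success":
            continue  # failed attempts are noise for these two checks
        if row["user"] in inactive:
            findings.append(Finding(row["timestamp"], row["user"],
                                    row["vpn_profile"], "inactive-account-login"))
        if row["mfa"] == "none":
            findings.append(Finding(row["timestamp"], row["user"],
                                    row["vpn_profile"], "no-mfa"))
    return findings


def profiles_without_mfa(log_text: str) -> set:
    """Inventory: every VPN profile that accepted at least one successful
    login with no second factor. These are the legacy entry points to retire
    or put behind MFA first."""
    return {
        row["vpn_profile"]
        for row in csv.DictReader(io.StringIO(log_text))
        if row["result"] == "success" and row["mfa"] == "none"
    }


if __name__ == "__main__":
    for f in analyze_vpn_log(SAMPLE_LOG, INACTIVE_ACCOUNTS):
        print(f"{f.timestamp} {f.user:8} {f.vpn_profile:12} {f.reason}")
    print("profiles accepting password-only logins:",
          sorted(profiles_without_mfa(SAMPLE_LOG)))
```

Run against the constructed log, the script reports the `jdoe` login twice (deactivated account, no MFA), the `rlee` login once (no MFA), and lists `legacy-vpn` as the only profile still accepting password-only logins. The more useful half is the inventory: an account that stays enabled after the employee leaves, and a VPN profile that skips MFA, are both configuration facts you can find and fix before any log line like the first one ever appears.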

And in that panic, Blount made a decision that the EMPIST team never recommends: he paid the ransom. Desperate to get the system back online, Colonial Pipeline paid DarkSide approximately $4.3M in bitcoin for the safe return of its data. While the U.S. government was eventually able to trace some of the bitcoin Colonial Pipeline used, to this day the full balance has never been recovered.

News of the ransom payment left leaders shocked. So did the follow-up statements, in which Blount revealed that the Colonial Pipeline Company did not even have a proactive ransomware attack program, but rather just an emergency response protocol.

Those who weren’t shocked in the slightest, however, were cybersecurity professionals. You see, cyber experts have been warning the general public for years about the gaping holes in much of our protective protocol. From business owners to government agencies, no one is safe from ransomware or other cybersecurity attacks.

And while we’d love to end this story on a high note, there really isn’t one. Comprehensive, proactive security isn’t just the best measure we have to protect our data; it’s the only measure. The threat of cyberattacks is very, very real. And if you aren’t scared yet, just wait. You will be.

Ready to build out your own cybersecurity program? Contact team EMPIST online today to get started!  

(Sources: Bloomberg, Vox, Reuters, New York Times, USA Today, The Washington Post)