  • Sudiksha Twayana

Key Takeaways from the Colonial Pipeline Incident



What makes the Colonial Pipeline attack a lesson learned for the world?

Colonial Pipeline, owned by Colonial Pipeline Co., is the largest refined products pipeline in the United States. Running from Houston, Texas, to New York Harbor, it serves the major urban areas along its route.

It takes product from 29 refineries and delivers to over 260 ports on the East Coast through 5500 miles (about twice the width of the United States) of pipeline, moving 2.5 million barrels of fuel per day. Colonial Pipeline is responsible for more than half of all refined products available for consumption.


The Colonial Pipeline ransomware attack happened in early May 2021. Although privately held, Colonial Pipeline was Critical National Infrastructure (CNI), not an ordinary industrial vertical. Consumers, geopolitics, and human lives and livelihoods were all severely affected by the incident. Because it was CNI, the Federal Motor Carrier Safety Administration (FMCSA), the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, FireEye (which operated the Mandiant cyber forensics team) and even the President were involved throughout. Threats to Industrial Control Systems (ICS) and Operational Technology (OT) are highlighted in Dragos' fifth Year in Review report.


Colonial Pipeline CEO Joseph Blount gave a full statement about the incident, along with assurances, to the US Senate.


Simple password cracking is one of the quickest methods for cybercriminals to obtain access to accounts and networks, especially if the passwords are common or the login and password have already been exposed in a breach.


Poor cyber resiliency and recovery planning (BCP/DRP) was a cause: even though the attacker handed over the decryption key in exchange for the ransom payment, recovery and restart of the systems to restore supply was not handled adequately. The risk was compounded by the fact that this was CNI with poor identity and access management and poor system/service decommissioning. Not to be overlooked: this entire crisis was caused by one stolen password for a service that should have been decommissioned.


What happened to the Colonial Pipeline?

On 7 May 2021, when news surfaced of attackers obtaining access to the pipeline, most people's immediate thoughts were "How can a pipeline be hacked?" and "Who hacked the Colonial Pipeline?" The reality is that the present-day operation of gas pipelines is highly digital and high-tech, so there is always a risk of cyber-attack. After the breach, an employee saw a ransom note on a computer screen in the control room at around 5 a.m.


A hacker group operating under the name Darkside demanded 75 Bitcoin (equivalent to $4.5 million at the time) (ISACA).

Who is Darkside?

Darkside is a ransomware-as-a-service (RaaS) operation that charges users a monthly fee to use its ransomware. Version 2 of the ransomware is presently active. Darksupp released an upgrade to the "Darkside 2.0" RaaS in April 2021, which featured new functionality as well as a summary of the sorts of partners and services they were looking for.

Fig: Darkside Panel (Source- Dark web)


Darkside likewise uses double-extortion methods to get victims to pay up, joining the ranks of Maze, Babuk, and Clop, among others. If the victim refuses to pay, stolen sensitive information is threatened with publication on a leak site.


Was the ransom paid by Colonial Pipeline? The company did in fact pay the ransom.


Colonial Pipeline CEO Joseph Blount addressed why the business agreed to meet the intruders' conditions during a congressional hearing. He later mentioned that the magnitude of the attack was unclear, making it hard to estimate how long it would take to restore the systems.

Blount ended up paying the ransom in the hopes of accelerating the recovery process and regaining control of the systems.


The Colonial CEO went on to say that while the team had backups, they did not know whether the backup data had already been compromised or was safe to use. (IT Security Guru)

Why did the Colonial Pipeline shut down?

Within two hours of gaining access to the company's network, the attackers, later identified as Darkside, stole around 100 gigabytes of data. After compromising the company's IT network, they went on to hit several of the company's systems, including accounting and billing.

Source – Bleeping Computer


Colonial shut down the pipeline for many days to stop the infection from spreading. According to the investigation, the hackers gained access to the company's systems using a Virtual Private Network (VPN) account that allowed employees to remotely access the firm's network.


The login credentials for the account in question could still be used to access Colonial's systems, even though the account was no longer in use at the time of the attack. The VPN password was later found among a batch of publicly disclosed credentials on the dark web.


It is very possible that the Colonial employee in question used the same password on some other account that had been compromised earlier. The hackers then used it to obtain access to the pipeline's network.


Further examination of the event found that the VPN account did not use multifactor authentication. Darkside's attackers used this particular weakness to gain access to the company's operational network.


Impact of the hack

Why was the ransomware attack on the Colonial Pipeline the catalyst for people to pay attention to system and security management? The answer is simple: the attack caused a scarcity of gas across the East Coast, which affected people's daily livelihoods. Moreover, after the shutdown of the pipeline, the average price in the Southeast increased by 1.9 percent, compared with a nationwide increase of 1.2 percent.


How to prevent attacks at the enterprise level?

The aftermath of the Colonial Pipeline incident prompted enterprises at all levels to question their security systems. Cyber security hygiene advice is not new, and precisely because it is familiar it is often overlooked by organizations, with consequences across many areas. Some simple precautions to put into practice for the safety of your organization are:

  • Use logging and monitoring to gain real-time visibility into the facility's overall security posture and activity, including data from outside sources.

  • Verify that automated monitoring tools use behavior-based anomaly detection in addition to signature-based detection.

  • Configure operating systems to prevent credential reuse after five months. All administrative access, including domain administrative access, should use multifactor authentication. Smart cards with certificates, one-time password tokens, and biometrics are all examples of multi-factor authentication.

  • Before live deployment, use a competent third-party security penetration tester to examine all hardware and software components.

  • Identity management should be classified according to the risk criteria of the facility, with more stringent access restrictions necessary for more sensitive systems.

  • Automatically produce reports for accounts that are locked out, disabled, have passwords that are older than the maximum password age, and have passwords that never expire.

  • Examine all system accounts and deactivate those that cannot be linked to a business process or owner.

  • Enable anti-exploitation measures including data execution prevention (DEP), address space layout randomization (ASLR), and virtualization/containerization.
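The account-reporting, account-deactivation and behavior-based detection items above can be implemented together as one recurring audit. The following is an added example written for this article, not code from Colonial Pipeline or any vendor named here: it runs over a constructed directory export and a constructed VPN authentication log, reports accounts that are locked out, disabled, past the maximum password age, set to never expire, unowned, dormant, or allowed remote access without MFA, lists the unowned accounts for deactivation, and flags any successful VPN logon by an account the snapshot shows as dormant, disabled or unowned. The record layout, the policy values (90-day maximum password age, 60-day dormancy) and the log format are assumptions for the example.

```python
"""Account hygiene audit plus a behavior-based VPN logon check (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed policy values for this example (not from the article).
MAX_PASSWORD_AGE = timedelta(days=90)
DORMANT_AFTER = timedelta(days=60)

# Fixed reference time so the report is reproducible offline.
NOW = datetime(2021, 5, 1, tzinfo=timezone.utc)


@dataclass
class Account:
    """One row of a hypothetical directory export (layout assumed)."""
    name: str
    owner: Optional[str]             # None: nobody in the business vouches for it
    business_process: Optional[str]  # None: not linked to any process
    enabled: bool
    locked_out: bool
    password_never_expires: bool
    password_set: datetime
    last_logon: Optional[datetime]   # None: never logged on
    vpn_access: bool                 # allowed through the remote-access VPN
    mfa_enforced: bool


def audit(accounts: List[Account], now: datetime = NOW) -> Dict[str, List[str]]:
    """Return {account: [finding, ...]} for every account with at least one finding."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        f: List[str] = []
        if a.locked_out:
            f.append("locked out")
        if not a.enabled:
            f.append("disabled")
        if a.password_never_expires:
            f.append("password never expires")
        if now - a.password_set > MAX_PASSWORD_AGE:
            f.append("password older than max age")
        if a.owner is None or a.business_process is None:
            f.append("no owner or business process")
        # Only live accounts can be dormant or expose unprotected remote access.
        if a.enabled and (a.last_logon is None or now - a.last_logon > DORMANT_AFTER):
            f.append("dormant")
        if a.enabled and a.vpn_access and not a.mfa_enforced:
            f.append("remote access without MFA")
        if f:
            findings[a.name] = f
    return findings


def deactivation_candidates(accounts: List[Account]) -> List[str]:
    """Enabled accounts nobody can link to an owner or business process."""
    return sorted(a.name for a in accounts
                  if a.enabled and (a.owner is None or a.business_process is None))


def suspicious_vpn_logons(log_text: str, accounts: List[Account],
                          now: datetime = NOW) -> List[str]:
    """Behavior-based check: the directory snapshot predates the log window, so a
    successful VPN logon by an account the snapshot shows as dormant, disabled or
    unowned breaks that account's baseline, whatever the payload looks like."""
    baseline_breakers = {"dormant", "disabled", "no owner or business process"}
    flagged = {n for n, f in audit(accounts, now).items() if set(f) & baseline_breakers}
    hits = []
    for line in log_text.splitlines():
        ts, user, result = line.split()       # assumed format: time user result
        if result == "success" and user in flagged:
            hits.append(f"{ts} {user}")
    return hits


def report(accounts: List[Account], log_text: str, now: datetime = NOW) -> str:
    lines = [f"Account hygiene report as of {now.date()}"]
    for name, f in sorted(audit(accounts, now).items()):
        lines.append(f"  {name}: {', '.join(f)}")
    cands = deactivation_candidates(accounts)
    lines.append("Deactivate (no owner/process): " + (", ".join(cands) or "none"))
    for hit in suspicious_vpn_logons(log_text, accounts, now):
        lines.append(f"ALERT VPN logon by baseline-breaking account: {hit}")
    return "\n".join(lines)


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: four hypothetical accounts and three VPN log lines.
SAMPLE_ACCOUNTS = [
    Account("svc-vpn-legacy", None, None, True, False, True,
            _utc(2020, 1, 15), _utc(2020, 11, 2), True, False),
    Account("jdoe", "J. Doe", "Pipeline operations", True, False, False,
            _utc(2021, 3, 20), _utc(2021, 4, 30), True, True),
    Account("contractor-old", "Vendor X", "Maintenance", False, False, False,
            _utc(2020, 6, 1), _utc(2020, 8, 1), True, False),
    Account("backup-admin", "IT Ops", "Backups", True, True, False,
            _utc(2021, 4, 1), _utc(2021, 4, 28), False, True),
]
SAMPLE_VPN_LOG = """\
2021-04-29T08:02:11Z jdoe success
2021-04-29T21:44:07Z svc-vpn-legacy success
2021-04-30T06:15:40Z jdoe success
"""

if __name__ == "__main__":
    print(report(SAMPLE_ACCOUNTS, SAMPLE_VPN_LOG))
```

In the constructed data, `svc-vpn-legacy` is the shape of account the article describes: no owner, no business process, a password that never expires, no MFA, no logon for months, yet still VPN-enabled. It lands on the deactivation list, and the single successful VPN logon under that name raises an alert even though nothing in the log line is malicious on its face. In a real deployment the `Account` rows would come from the directory's export and the log lines from the VPN concentrator.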

The Colonial Pipeline incident continues to affect thousands of people, demonstrating how a flaw in one corporation's supply chain can have a substantial impact across numerous businesses as well as ordinary people. It is an organization's responsibility to preserve a trustworthy relationship with its clients and vendors, and major cyberattacks are a timely reminder of what can happen when adequate precautions are not taken.




