Colonial Pipeline, one of the largest fuel pipeline operators in the U.S., fell victim to a ransomware attack in May 2021. The attack disrupted fuel supplies along the East Coast, highlighting the significant impact of cyber threats on critical infrastructure and the energy sector.
https://unece.org/sites/default/files/2023-12/Pipeline_Cyberattack_case.study_.2023_rev.2_0.pdf
The Colonial Pipeline is a North American refined-products pipeline system originating in Houston, Texas, that transports gasoline, diesel and jet fuel to the eastern United States. It carries roughly half of all fuel consumed on the East Coast. The sequence of events has been established as follows:
The attack shut down Colonial Pipeline’s operations for approximately five days, causing localized shortages of gasoline, diesel fuel, and jet fuel. Panic-buying by consumers depleted gasoline supplies at some service stations on the East Coast while also driving up retail gasoline prices.
Alternatives to the pipeline, moving fuel by tanker truck and rail tank car, were slow to organize.
Colonial Pipeline shut down its operational technology (OT) systems as a precaution to halt further spread, but ultimately paid the attackers more than USD $4 million in cryptocurrency for a decryption tool. Even with the decryptor in hand, restarting the pipeline took days of work.
Cybersecurity experts also note that Colonial Pipeline would not have had to halt the pipeline if it had been confident in the separation between its business (IT) network and its pipeline operations (OT) network. Best practice calls for a strict boundary between IT systems (billing, e-mail, data management) and the operational technology that runs the pipeline, so that a compromise of the former cannot reach the latter. That a pipeline carrying almost 50 per cent of the East Coast's fuel had not demonstrably implemented this basic control raised questions for regulators and government agencies.
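The IT/OT boundary the paragraph describes is something an operator can audit mechanically: define the zones, list the only flows allowed to cross each boundary, and check observed traffic against that policy. The script below is an added example, not Colonial Pipeline's tooling or anything from this case study. The zone names, address ranges, permitted ports and the sample flows are all constructed for illustration; the layout loosely follows the Purdue reference model with an IT/OT DMZ between the enterprise and control networks.

```python
"""
Added example (not from the original case study or Colonial Pipeline):
check observed network flows against a simple IT/OT zoning policy.
Zone names, address ranges, ports and sample flows are constructed.
"""
import ipaddress
from typing import Optional

# Constructed zones: enterprise IT, an IT/OT DMZ, and the control network.
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "it_ot_dmz":     ipaddress.ip_network("10.20.0.0/24"),
    "ot_control":    ipaddress.ip_network("192.168.100.0/24"),
}

# Allowed adjacencies (assumed policy): traffic may only cross one boundary
# at a time, and only on explicitly listed services. Everything else is a
# violation, including any direct enterprise -> control path.
ALLOWED = {
    ("enterprise_it", "it_ot_dmz"): {443},         # jump host / historian replica
    ("it_ot_dmz", "ot_control"):    {502, 44818},  # Modbus/TCP, EtherNet/IP from DMZ only
    ("ot_control", "it_ot_dmz"):    {443},         # historian push outward
}

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def check_flow(src: str, dst: str, dport: int) -> tuple:
    """Return (allowed, reason) for a single src -> dst:dport flow."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False, "unknown zone"
    if sz == dz:
        return True, "intra-zone"
    ports = ALLOWED.get((sz, dz))
    if ports is None:
        return False, f"no path {sz}->{dz}"
    if dport not in ports:
        return False, f"port {dport} not permitted {sz}->{dz}"
    return True, "permitted"

def audit(log_lines: list) -> list:
    """Parse 'src dst dport' lines and return the violating ones with reasons."""
    violations = []
    for line in log_lines:
        src, dst, port = line.split()
        ok, why = check_flow(src, dst, int(port))
        if not ok:
            violations.append(f"{line}: {why}")
    return violations

# Constructed sample flows. The third is exactly what segmentation is meant
# to prevent: a business-network workstation talking straight to a PLC.
SAMPLE_FLOWS = [
    "10.10.5.23 10.20.0.10 443",
    "10.20.0.10 192.168.100.7 502",
    "10.10.5.23 192.168.100.7 502",
    "192.168.100.7 10.10.5.23 445",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("VIOLATION", v)
```

Run against real firewall or NetFlow exports, the value of a check like this is in the violations it finds before an incident: any flow that crosses directly from the enterprise zone into the control zone is evidence that the separation the operator believes in does not actually exist.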
The incident occurred at a time of increasing concern about the vulnerability of critical infrastructure to cyber threats, following a series of prominent incidents (e.g. the SolarWinds supply-chain breach) that had reached numerous federal agencies, including the Departments of Defense, Treasury, State, and Homeland Security.
Cyberthreats are increasingly prevalent across all economic sectors, and they pose cascading national security risks for the energy industry. The Colonial Pipeline attack could have gone much further. For instance, the Russian NotPetya attack of 2017, nominally ransomware but in effect a wiper, disrupted computer systems across Ukraine by spreading through the update mechanism of a widely used accounting software package and destroying data.4 NotPetya caused approximately $10 billion in damages across multiple industries internationally5 and crippled the country's infrastructure.
The intervention and the changing factor
According to an AAG-IT 2023 report, ransomware is malware designed to deny a user or organization access to files on their systems. By encrypting those files and demanding a ransom payment for the decryption key, attackers place organizations in a position where paying is the easiest and cheapest way to regain access. Some variants add functionality, such as data theft, to give victims further incentive to pay.6 Over 93 per cent of ransomware attacks target Windows executables, and organizations in the US account for 47 per cent of attacks. It is not all bad news, however: approximately 90 per cent of ransomware attacks fail or result in zero losses for the organization attacked.
On May 6, 2021, Colonial Pipeline suffered a ransomware attack. It began when a criminal group identified as DarkSide gained access to the Colonial Pipeline network, and it unfolded as a multi-stage attack. The attackers stole roughly 100 gigabytes of data within the first few hours. The second stage was the deployment of ransomware across the IT network, encrypting many systems, billing and accounting included.
The most common entry point for ransomware in general is phishing. In this case, however, the attackers gained access to the Colonial Pipeline network through a VPN account whose password had been exposed and which, according to public reporting, was a legacy account not protected by multi-factor authentication. From that point on, DarkSide, which operated under a ransomware-as-a-service (RaaS) model, held the network hostage until the ransom was paid.
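A stale remote-access account that still authenticates is exactly the kind of thing a detection rule can catch before it is used. The script below is an added example written for this page, not Colonial Pipeline's logs or tooling: it hunts a constructed VPN authentication log for successful logins on accounts that an identity inventory marks as disabled or long dormant, or that completed without MFA. The log format, field names, the inventory and the 90-day dormancy threshold are all assumptions.

```python
"""
Added example (not from the original page; not Colonial Pipeline's data
or tooling). Flags successful VPN logins that should not have succeeded:
disabled accounts, accounts dormant for a long time, or logins without MFA.
Log format, inventory fields and thresholds are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# Assumed identity inventory: account -> enabled flag, MFA enrolment, last activity.
INVENTORY = {
    "jsmith":      {"enabled": True,  "mfa": True,  "last_seen": "2021-04-28T17:55:00"},
    "vpn-legacy":  {"enabled": True,  "mfa": False, "last_seen": "2020-11-02T16:40:00"},
    "contractor7": {"enabled": False, "mfa": False, "last_seen": "2021-01-15T11:00:00"},
}

# Constructed syslog-style lines from a hypothetical VPN concentrator.
LOG = """\
2021-04-29T03:14:07 vpn1 auth: user=vpn-legacy src=203.0.113.44 result=SUCCESS mfa=none
2021-04-29T08:02:11 vpn1 auth: user=jsmith src=198.51.100.9 result=SUCCESS mfa=totp
2021-04-29T08:05:40 vpn1 auth: user=contractor7 src=203.0.113.44 result=FAIL mfa=none
2021-04-29T08:06:02 vpn1 auth: user=contractor7 src=203.0.113.44 result=SUCCESS mfa=none
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)

def parse(log: str) -> list:
    """Turn matching log lines into dicts; silently skip lines in other formats."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def findings(log: str, dormant_after_days: int = 90) -> list:
    """Return one finding per suspicious successful login, with the rules it tripped."""
    out = []
    for ev in parse(log):
        if ev["result"] != "SUCCESS":
            continue                      # failed attempts are noise for this rule
        acct = INVENTORY.get(ev["user"])
        rules = []
        if acct is None:
            rules.append("account not in inventory")
        else:
            if not acct["enabled"]:
                rules.append("login on disabled account")
            if ev["mfa"] == "none":
                rules.append("no MFA")
            idle = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(acct["last_seen"])
            if idle > timedelta(days=dormant_after_days):
                rules.append(f"dormant {idle.days}d before this login")
        if rules:
            out.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"], "rules": rules})
    return out

if __name__ == "__main__":
    for f in findings(LOG):
        print(f["ts"], f["user"], f["src"], "; ".join(f["rules"]))
```

The same three conditions are also a reasonable preventive checklist: an account that is disabled in the directory but still accepted by the VPN, an account that has not been used in months, or an account allowed in without a second factor each represent a control that exists on paper but not at the edge.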
Colonial Pipeline's initial response was to shut down its systems to prevent the ransomware from spreading, pay the ransom, decrypt the locked systems and begin the damage control needed to quell the growing panic among Americans for whom gasoline is a daily necessity. Authorities were then notified and an official investigation began. Because the attack crossed state boundaries and affected major geographic and economic regions, federal authorities such as the Federal Bureau of Investigation (FBI), the U.S. Department of Energy (DoE), the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) became involved. The Biden Administration issued Executive Order 14028, "Improving the Nation's Cybersecurity", directing U.S. Government agencies to take a series of proactive cybersecurity steps.

The effects of the attack were both immediate and lasting. In the immediate term, once news of the attack reached public channels, panic-buying driven by fears of an impending gas shortage led to long lines at gas stations across Florida, Georgia, Alabama, Virginia and the Carolinas. Seizing the opportunity, some station owners raised prices to USD $3 per gallon (expensive at the time). Longer-lasting effects included a product safety alert issued to people who were filling plastic bags with gasoline, while the U.S. Consumer Product Safety Commission considered new regulations to enforce proper dispensing of flammable liquids.
The same executive order calls for a Software Bill of Materials (SBOM) for software supplied to the federal government. An SBOM lets software developers keep track of the components they ship, confirm those components are up to date, and respond quickly when new vulnerabilities are disclosed. Buyers benefit as well: an SBOM lets them perform vulnerability and license analyses, both of which feed into evaluating the risk of a product.7 By 7 June 2021, through the collaborative efforts of multiple agencies, 63.7 bitcoin (approximately USD $2.3 million at the time) had been recovered from the attackers.8 The Biden administration is seeking USD $26 billion in cyber funding for the 2024 fiscal year.
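To make the two buyer-side analyses concrete, the script below runs a vulnerability check and a license check over a small SBOM. It is an added example, not from this page and not any government or vendor SBOM tool. The SBOM is a constructed CycloneDX-style JSON document (a subset of the real schema), the advisory list with its identifiers and fixed versions is made up, and the denied-license policy is an assumption for a closed-source product; in practice the advisories would come from a vulnerability database keyed on the same package URL (purl).

```python
"""
Added example, not from the page or from any SBOM tooling: the two
analyses the text mentions (vulnerability and license) over a constructed
CycloneDX-style SBOM. SBOM, advisories and license policy are all made up.
"""
import json

# Constructed CycloneDX-style SBOM with fictional components.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "logcore", "version": "2.14.1",
     "purl": "pkg:maven/com.example/logcore@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "padleft-ish", "version": "1.0.3",
     "purl": "pkg:npm/padleft-ish@1.0.3",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"type": "library", "name": "httpkit", "version": "2.31.0",
     "purl": "pkg:pypi/httpkit@2.31.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ]
}
"""

# Constructed advisories: purl without version, plus the first fixed version.
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:maven/com.example/logcore", "fixed_in": "2.17.1"},
    {"id": "ADV-0002", "purl": "pkg:pypi/httpkit", "fixed_in": "2.20.0"},
]

# Assumed license policy for a product shipped as closed-source software.
DENIED_LICENSES = {"AGPL-3.0-only", "GPL-3.0-only"}

def vtuple(v: str) -> tuple:
    """Dotted numeric versions only; sufficient for the constructed data."""
    return tuple(int(p) for p in v.split("."))

def split_purl(purl: str) -> tuple:
    """Split 'pkg:type/name@version' into ('pkg:type/name', 'version')."""
    base, _, version = purl.partition("@")
    return base, version

def vulnerable_components(sbom: dict, advisories: list) -> list:
    """Components whose version is older than an advisory's fixed version."""
    hits = []
    for c in sbom["components"]:
        base, version = split_purl(c["purl"])
        for adv in advisories:
            if adv["purl"] == base and vtuple(version) < vtuple(adv["fixed_in"]):
                hits.append({"component": c["name"], "version": version,
                             "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return hits

def license_violations(sbom: dict, denied: set) -> list:
    """Components declaring a license the buyer's policy does not accept."""
    out = []
    for c in sbom["components"]:
        for lic in c.get("licenses", []):
            lid = lic.get("license", {}).get("id")
            if lid in denied:
                out.append({"component": c["name"], "license": lid})
    return out

def analyze(sbom_text: str) -> dict:
    """Parse the SBOM text and run both analyses."""
    sbom = json.loads(sbom_text)
    return {"vulnerabilities": vulnerable_components(sbom, ADVISORIES),
            "license_violations": license_violations(sbom, DENIED_LICENSES)}

if __name__ == "__main__":
    print(json.dumps(analyze(SBOM_JSON), indent=2))
```

The point of the purl-based match is that it works without the buyer ever seeing source code: the SBOM names the exact component and version, and the advisory names the first safe version, so the comparison is mechanical and can be re-run every time a new advisory lands.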
The effects and lessons learned
Numerous major effects followed from the cyberattack and the forced shutdown. The prospect of a gas shortage led individual customers to stockpile fuel, causing long lines at gas stations. This drove up gas prices and, in some cases, produced real shortages.
The airline industry was also disrupted: jet fuel shortages were reported by several carriers, including American Airlines, causing limited disturbance at major airports.
After the attack, the DarkSide group asked for a ransom of 75 bitcoins (approximately $4.4 million on the day of the attack).
As the Colonial Pipeline CEO later testified in Congressional hearings, at the time of the ransom demand it was unclear how large the intrusion was, how long restoring the affected systems would take, and therefore how long the disruption would last. Consequently, Colonial Pipeline paid the group the amount demanded for the decryption key needed to restore control of its systems. Colonial Pipeline restarted pipeline operations on May 12, 2021.
Since the attack two years ago this past May, described as 'a watershed moment in the short but eventful history of cybersecurity', CISA has focused on implementing and deploying systems and protocols to improve the resilience of critical infrastructure across the US. One of the greatest needs for companies and industries exposed to cyberattacks is access to actionable and timely information on best practices for cyber and cyber-physical security. To address this need, CISA established the government-sponsored StopRansomware website (StopRansomware.gov) as a central repository where businesses can learn about and report ransomware attacks.
To ensure that these efforts can scale to today's and tomorrow's threats, the Joint Ransomware Task Force (JRTF)12 has been established in collaboration with FBI partners, alongside the Joint Cyber Defense Collaborative (JCDC)13, a cross-sector initiative that brings together cybersecurity experts from the public and private sectors to share insights and information in real time and to feed back into the central information repository, among other things for publicly accessible services.
Although a variety of efforts have brought successful outcomes (e.g. potential future threats averted, previously unseen collaboration among government entities, open communication across sectors and among competing organizations), much remains to be done. In light of complex threats and rising geopolitical tensions, diligence across major economic systems (e.g. transportation, communications, food supply) and their attack surfaces is more necessary than ever. Policy support is strongly needed to upgrade the technologies underpinning critical infrastructure with a focus on security rather than commercialization, with cybersecurity part of the earliest requirements and design processes.
Further, cybersecurity needs to be prioritized at the highest levels of industry with proactive collaboration amongst government and industry, regardless of commercial or competitive interests and with a core focus on the effect to society at large and those who are most vulnerable to attack.
Copyright © 2024 3eyepro - All Rights Reserved.