Colonial Pipeline Attack
Intermediate
2021

Target: Critical Infrastructure
Impact: National Fuel Shortage

Operational Briefing

Investigate the ransomware attack that shut down the largest fuel pipeline in the U.S.

The Full Story

The DarkSide ransomware gang compromised the IT network of Colonial Pipeline, forcing the company to shut down operations for five days. This halted the flow of gasoline and jet fuel to the US East Coast.

Technical Analysis

Initial Access

  • Leaked Credential: Attackers gained access through a single compromised VPN password belonging to a legacy account that did not have Multi-Factor Authentication (MFA) enabled.
  • Lateral Movement: Once inside, they escalated privileges and deployed ransomware across the IT network. The OT (operational technology) environment was shut down proactively.
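The initial-access conditions described above (a VPN-capable account that is legacy, unowned and without MFA) are exactly what a periodic account audit should surface before an attacker does. The following is an added example written for this page, not code from the scenario or from any vendor tool; the account inventory, usernames and login dates are constructed, and the 90-day dormancy threshold is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy: a VPN account unused for longer than this is "dormant".
DORMANT_DAYS = 90


@dataclass
class VpnAccount:
    username: str
    mfa_enabled: bool
    last_login: Optional[date]   # None = no login on record
    owner_active: bool           # False = no current employee owns the account


def classify(reasons):
    """Severity by how closely the account matches the leaked-legacy-credential pattern."""
    if "no MFA" in reasons and len(reasons) > 1:
        return "critical"   # password-only access on an orphaned or dormant account
    if "no MFA" in reasons:
        return "high"       # in use, but a single leaked password is enough
    return "medium"         # orphaned/dormant, at least protected by MFA


def audit_vpn_accounts(accounts, today, dormant_days=DORMANT_DAYS):
    """Return one finding per risky account: (username, severity, reasons)."""
    findings = []
    for acct in accounts:
        reasons = []
        if not acct.mfa_enabled:
            reasons.append("no MFA")
        if not acct.owner_active:
            reasons.append("orphaned")
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            reasons.append(f"dormant > {dormant_days} days")
        if reasons:
            findings.append((acct.username, classify(reasons), reasons))
    # Most severe first so the critical items top any report
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: order[f[1]])
    return findings


# Constructed sample inventory (usernames and dates are invented for illustration).
AUDIT_DATE = date(2021, 4, 29)
SAMPLE_ACCOUNTS = [
    VpnAccount("svc-legacy-vpn", mfa_enabled=False, last_login=date(2021, 1, 15), owner_active=False),
    VpnAccount("alice", mfa_enabled=True, last_login=date(2021, 4, 28), owner_active=True),
    VpnAccount("bob", mfa_enabled=False, last_login=date(2021, 4, 27), owner_active=True),
    VpnAccount("contractor-2019", mfa_enabled=True, last_login=None, owner_active=False),
]


if __name__ == "__main__":
    for username, severity, reasons in audit_vpn_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{severity:8} {username:18} {', '.join(reasons)}")
```

The remediation for a "critical" finding is the one the timeline implies: disable or delete the account, and require MFA on every remaining VPN account rather than fixing accounts one at a time.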

Event Timeline

April 2021: Attackers gain access via VPN.
May 7, 2021: Ransomware deployment and data theft.
May 7, 2021: Pipeline operations halted proactively.
May 12, 2021: Colonial pays 75 BTC (~$4.4M) ransom.

#Ransomware #Critical Infrastructure #DarkSide