Back to Recollections
Intermediate
2021
Colonial Pipeline Attack
Target: Critical Infrastructure
Impact: National Fuel Shortage
Operational Briefing
Investigate the ransomware attack that shut down the largest fuel pipeline in the U.S.
The Full Story
The DarkSide ransomware gang compromised the IT network of Colonial Pipeline, forcing the company to shut down operations for five days. This halted the flow of gasoline and jet fuel to the US East Coast.
Technical Analysis
Initial Access
- Leaked Credential: Attackers gained access via a single compromised VPN password for a legacy account that did not have Multi-Factor Authentication (MFA) enabled.
- Lateral Movement: Once inside, they escalated privileges and deployed ransomware to the IT network. The OT setup was shut down proactively.
Available Modes
Offensive
Replicate the attack vector
Defensive
Harden systems & patch
Analysis
Forensic investigation
Event Timeline
April 2021
Attackers gain access via VPN.
May 7, 2021
Ransomware deployment and data theft.
May 7, 2021
Pipeline operations halted proactively.
May 12, 2021
Colonial pays 75 BTC (~$4.4M) ransom.
#Ransomware#Critical Infrastructure#DarkSide