top of page

Colonial Pipeline Cyber Attack

The hack reduced the U.S. gasoline pipeline and led to shortages across the East Coast as a result of a single corruption scandal, according to a cybersecurity coordinator who responded to the attack.

On April 29, hackers hacked into the networks of Colonial Pipeline Co. conversation. The account was no longer active at the time of the attack but could still be used to access the Cape Network, he said.

Account password has been found among a host of passwords leaked on the black web. That means a Cape employee may have used the same password in another previously hacked account, he said. However, Carmakal said he was not sure how the hijackers got that password and said investigators may not know for sure how the pieces were found.

Colonial Pipe Tanks as Gas Pumps Stop

Storage tanks in place of Colonial Pipeline Inc. at Avenel, New Jersey Photographer: Mark Kauzlarich / Bloomberg.

The VPN account, which has been shut down since then, did not use multifactor authentication, a basic cybersecurity tool, which allows hackers to break into the Colonial network using only the username and password at risk. It is not known how the criminals obtained the correct username or if they were able to obtain it themselves.

"We've done a lot of research on the environment to try to find out how they got those symptoms," Carmakal said. “We do not see any evidence of criminal theft of sensitive information about the work used in his books. We have not seen any further evidence of the attack before April 29. ”

The Ransom Note

A little over a week later, on May 7, an employee in the Colon's control room saw a ransom note demanding cryptocurrency from a computer just before 5 a.m. The employee informed the operations director who immediately began the process of closing the pipeline. , said Colonial chief executive Joseph Blount in an interview. By 6:10 a.m., the entire pipeline was closed, Blount said.

It was the first time the Cape had shut down the entire pipeline system in its 57-year history, Blount said. "We had no choice at the time," he said. “It was really the right thing to do. At the time, we did not even know who the attackers were or what their motives were. ”

The Colonial Pipeline made Carmakal and Blount available for interview prior to Blount's testimony next week before the Congressional committees, where they are expected to provide more details about the scope of the compromise and face the company's decision to pay ransom to the attackers.

It did not take long for news of the closure of the Cape to spread. The company's plan transports approximately 2.5 million barrels of fuel daily from the Gulf Coast to the Eastern Seaboard. The power outages led to long lines at gas stations, many of which ran out of fuel, and the price of fuel increased. Colonial resumed service on May 12.

Shortly after the attack, the Colony began a thorough inspection of the pipeline, searching for 29,000 miles [29,000 km] inland and air to check for visible damage. The company has finally decided that the pipe is not damaged.

Sweeping Network

At the time, Mandiant was sweeping the network to find out how far criminals had lurked during the installation of new information tools that would warn the Colonies of any subsequent attacks - a common occurrence after major law violations, Carmakal said. Investigators have not yet found evidence that the gang attempted to retrieve.

“The last thing we wanted was for the horror actor to have full access to the network where there is a risk of piping. That was very focused until it was pushed back, ”said Carmakal.

Mandiant also tracked the hijackers' movements on the network to determine how close they were to the destructive systems close to the Colonial operating technology network - a computer system that controls the actual flow of fuel. While the hackers roamed within the company's information technology network, there is no indication that they have been able to break the most important technology systems, he said.

It was only after Mandiant and Colonial managed to make it clear that the attack had been stopped that they considered reopening their pipeline, Blount said.

The Colonial paid the criminals, who were members of Russia's cybercrime group known as DarkSide, a $ 4.4 million ransom just after the robbery. Criminals also stole nearly 100 gigabytes of information from the Colonial Pipeline and threatened to smuggle it if the ransom was not paid, Bloomberg News reported last month.

Colonial has hired Rob Lee, founder, and chief executive of Dragos Inc., a cybersecurity company focused on industrial control systems, and John Strand, owner and security analyst at Black Hills Information Security, to discuss its security on - the Internet and focus on preventing future attacks.

Following the attack on his company, Blount said he would like the US government to track down criminals who have found a safe haven in Russia. “Ultimately the government must focus on the actors themselves. As a private company, we have no political ability to shut down the ruling elite with these bad players.”

Novum IT is here to help with professional security solutions like vulnerability management, identity and access management services, Endpoint protection, etc. Don’t hesitate and improve your cybersecurity right away if you live in Florida, as it will help you save your identity and a lot of money!

10 views0 comments

Recent Posts

See All


bottom of page