Colonial Pipeline: One Year Later

May 9, 2022 | 3 min read

BlueVoyant

What we have learned from the 2021 ransomware attack and lessons for the future.

The Colonial Pipeline anniversary signifies what many within the cybersecurity industry consider a watershed moment for the profitable criminal business known as ransomware. For many people, it was the first time they had ever felt the pain of a cyber attack. Whether it was long lines at the pump or higher prices once they reached it, the Colonial Pipeline attack created shockwaves that put a spotlight on ransomware and the importance of cybersecurity.

As BlueVoyant’s head of cyber forensics and incident response, as well as a former FBI special agent, I'm certainly kept awake at night by large-scale ransomware attacks like Colonial’s. There is good news, however, because potential victims and organizations can glean important lessons based on what happened.

What Happened

On May 7 last year, an employee in Colonial Pipeline’s control center saw a ransom note appear on a computer demanding cryptocurrency, according to Bloomberg News and other media reports. More than an hour later, the company shut down the pipeline for the first time in its history. The shutdown lasted until May 12, and its impact was twofold: long lines at fuel stations, some of which ran out of gas, and higher fuel prices.

The attack was linked to DarkSide, a cybercrime group.

How Did the Colonial Pipeline Attack Happen?

In the case of the Colonial Pipeline shutdown, while it’s clear that the adversaries intentionally compromised the company’s network, the massive disruption that followed was not anticipated. The affected systems were not directly connected to oil production, but rather the billing system associated with delivery and payment. It’s extremely likely that DarkSide was aware of this limitation. However, Colonial’s decision to shut down the pipeline naturally caught the FBI’s attention, and as a result a massive international investigation ensued.

Colonial Pipeline’s CEO, Joseph Blount Jr., testified to Congress that the attackers were believed to have gained access by compromising a password for a virtual private network (VPN) account that was no longer intended for use. Blount told Congress the account did not have multi-factor authentication (MFA) — or a security protocol that requires at least two factors to log in — such as a password and a code or push sent to a smartphone.

The Role of Law Enforcement

If there is one truism that my experience as an FBI agent taught me, it is that there has never been a criminal in history who didn’t want to get away with it. For most sophisticated criminals, calculations are made regarding risk, reward and the likelihood of getting caught. Sometimes, the bad guys can get too lucky and end up drawing so much law enforcement attention that capture and arrest are inevitable.

A more recent example of this phenomenon would be the arrest of a Manhattan couple charged with running off with $4.5 billion worth of Bitcoin as a result of a 2017 exchange hack. International ransomware groups are often motivated by seeing who they can gain access to and who is most likely to pay their requested ransoms.

Colonial Pipeline was a massive target with an unlikely ending. Arrests were made and funds were ultimately recovered. Ironically, it will likely go down as one of the worst ransomware attacks ever, simply based on the real-world consequences and widespread reporting.

Lessons for the Future

Using MFA on all accounts is a great first step to make organizations more secure. BlueVoyant has observed criminals moving on from organizations that use MFA to ones that are easier to compromise.
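The access path described above, a VPN account that was no longer meant to be used and had no MFA, is exactly the kind of thing a routine account audit catches. The following is an added example, not BlueVoyant's code or anything from the Colonial investigation: it runs over a constructed account inventory (the field names `username`, `enabled`, `mfa_enabled`, `last_login`, `owner` and the 90-day staleness threshold are assumptions) and flags enabled accounts that lack MFA, have never been used or not been used recently, or have no named owner, then maps each finding to a disable or enforce-MFA action.

```python
"""Audit an account inventory for dormant and MFA-less accounts.

Added example, not code from the original article. The inventory below is
constructed; the field names and the 90-day staleness threshold are assumptions
a real deployment would replace with its own identity-provider export and policy.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: a mix of live, stale, ownerless and disabled accounts.
ACCOUNTS = [
    {"username": "ops-vpn-01", "enabled": True, "mfa_enabled": False,
     "last_login": "2021-01-15T08:12:00+00:00", "owner": None},
    {"username": "j.smith", "enabled": True, "mfa_enabled": True,
     "last_login": "2022-05-06T17:45:00+00:00", "owner": "J. Smith"},
    {"username": "contractor-legacy", "enabled": True, "mfa_enabled": False,
     "last_login": None, "owner": "vendor-x"},
    {"username": "old-admin", "enabled": False, "mfa_enabled": False,
     "last_login": "2020-03-01T00:00:00+00:00", "owner": None},
    {"username": "a.jones", "enabled": True, "mfa_enabled": False,
     "last_login": "2022-05-08T09:00:00+00:00", "owner": "A. Jones"},
]

# The article's publication date stands in for "now" so the results are reproducible.
REFERENCE_TIME = datetime(2022, 5, 9, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)  # assumed policy threshold


def audit_accounts(accounts, now=REFERENCE_TIME, stale_after=STALE_AFTER):
    """Return {username: [findings]} for every enabled account with a problem.

    Disabled accounts are skipped: they cannot be used for remote access, which
    is the whole point of disabling them.
    """
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        issues = []
        if not acct["mfa_enabled"]:
            issues.append("no_mfa")
        last = acct["last_login"]
        if last is None:
            issues.append("never_used")
        elif now - datetime.fromisoformat(last) > stale_after:
            issues.append("stale")
        if acct["owner"] is None:
            issues.append("no_owner")
        if issues:
            findings[acct["username"]] = issues
    return findings


def recommend(findings):
    """Map findings to one action per account.

    Dormant or ownerless accounts are disabled outright, even if they also lack
    MFA: an account nobody uses has no business staying enabled. Accounts that
    are in use but lack MFA get MFA enforced.
    """
    actions = {}
    for user, issues in findings.items():
        if {"stale", "never_used", "no_owner"} & set(issues):
            actions[user] = "disable"
        elif "no_mfa" in issues:
            actions[user] = "enforce_mfa"
    return actions


if __name__ == "__main__":
    found = audit_accounts(ACCOUNTS)
    for user, action in recommend(found).items():
        print(f"{user:20} {action:12} ({', '.join(found[user])})")
```

In the sample data, `ops-vpn-01` (stale, no MFA, no owner) and `contractor-legacy` (never used) are slated for disablement, `a.jones` is active but needs MFA enforced, and the already-disabled `old-admin` is ignored. Running this against a real identity-provider export on a schedule turns the "MFA on all accounts" lesson into something measurable rather than a one-time project.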

Organizations should also make sure they have incident response plans in place, in case an attack happens, and that they practice executing these plans.

Another important lesson is to segment networks. While Colonial Pipeline’s oil systems do not appear to have been attacked directly, the pipeline was nevertheless shut down. Organizations should segment networks so that even if one segment is breached, other systems can still function properly.

Beyond that, the cybersecurity community must look at changing how we view security. As security professionals, we must go beyond changing our passwords and securing our endpoints. We must take an end-to-end approach to ensure every aspect of our organization is protected against harmful attacks — as well as the often overlooked, yet extremely dangerous possibilities — that arise when the wrong threat actors enter your network while you sleep.

Vincent D’Agostino is head of cyber forensics and incident response at BlueVoyant. He is a former FBI special agent.