How a major oil pipeline got held for ransom

The largest petroleum pipeline in the country was reportedly breached by a single leaked password.

A police officer stands guard outside the Colonial Pipeline’s tank farm in Alabama.
Colonial Pipeline shut down its massive oil pipeline after a ransomware attack took some of its systems offline. Above, a Colonial facility in 2016.
Luke Sharrett/Bloomberg/Getty Images
Sara Morrison is a senior Vox reporter who has covered data privacy, antitrust, and Big Tech’s power over us all for the site since 2019.

The Department of Justice (DOJ) has managed to recover part of the ransom paid to the criminal hacking group believed to be responsible for the attack on the Colonial Pipeline, which disrupted a major supply of fuel to the East Coast for roughly a week in May.

Deputy Attorney General Lisa O. Monaco announced on June 7 that the DOJ, through its new Ransomware and Digital Extortion Task Force, was able to recover about 64 of the 75 bitcoins paid to the attackers by “following the money” — even though the money was in difficult-to-trace cryptocurrency. Once it knew the address of the hackers’ wallet, it was able to get a court order to seize the funds in it. The FBI apparently had the digital key needed to open the wallet. How it got that access has not been made public. The seizure is a rare example of ransomware payments being recovered.

The attack has been attributed to DarkSide, a criminal hacker group based in Eastern Europe. The pipeline, which supplies about half of the East Coast’s gasoline, went down for several days, causing gas panic-buying, shortages, and price spikes in some states. It appears to be the largest ever cyberattack on an American energy system and yet another example of cybersecurity vulnerabilities that President Joe Biden has promised to address.

The Colonial Pipeline Company reported on May 7 that it was the victim of a “cybersecurity attack” that “involves ransomware,” forcing the company to take some systems offline and disabling the pipeline. The Georgia-based company says it operates the largest petroleum pipeline in the United States, carrying 2.5 million barrels a day of gasoline, diesel, heating oil, and jet fuel on its 5,500-mile route from Texas to New Jersey.

The pipeline provides nearly half of the East Coast’s fuel supply, and a prolonged shutdown would have caused price increases and shortages to ripple across the industry. This was largely averted when the pipeline came back online within the week, but price increases and shortages happened anyway, largely due to panic rather than supply. Five days after the hack was announced, the national average price for a gallon of regular gas had pushed past $3 for the first time since 2014 (though gas prices were already on an upswing before the pipeline shutdown), with bigger jumps in some states the pipeline serves, including Georgia, the Carolinas, and Virginia. Georgia Gov. Brian Kemp temporarily suspended the state’s gas tax to compensate for the increased prices. Other states put price gouging laws into effect.

“It’s more likely that fuel shortages will be a result of panic buying from consumers watching the headlines unfold, as opposed to shortages directly caused by the attack,” Marty Edwards, former director of industrial control systems for CISA, and vice president of operational technology security for Tenable, told Recode. “This is something we saw with Covid and grocery stores selling out of household items. Regardless, it shows the impact cybersecurity has on our everyday lives.”

“It’s much easier to understand the impact of a cyberattack if it directly impacts your day-to-day life,” he added.

The FBI confirmed DarkSide is responsible for the attacks. DarkSide does not appear to be linked to any nation-states, saying in a statement that “our goal is to make money [not to create] problems for society” and that it is apolitical. DarkSide claimed it was shutting down in the wake of the pipeline attack.

According to cybersecurity company Check Point, however, DarkSide supplies its ransomware services to its partners. “This means we know very little on the real threat actor behind the attack on Colonial, who can be any one of the partners of DarkSide,” Lotem Finkelstein, Check Point’s head of threat intelligence, told Recode. “What we do know is that to take down extensive operations like the Colonial Pipeline reveals a sophisticated and well-designed cyberattack.”

Colonial acknowledged on May 19 that it did indeed pay $4.4 million worth of bitcoin (which is now worth considerably less — even though the DOJ was able to recover 64 bitcoins, they’re only worth $2.3 million now). CEO Joseph Blount told the Wall Street Journal that paying the ransom was a difficult decision, but one that he felt was “the right thing to do for our country.”

Blount added that it will cost Colonial far more — tens of millions of dollars — to completely restore its systems over the next several months.

Ransomware attacks generally use malware to lock companies out of their own systems until a ransom is paid. They’ve surged in the past few years and cost billions of dollars in ransoms paid alone — not counting those that aren’t reported or any associated costs with having systems offline until the ransom is paid. Ransomware attacks have targeted everything from private businesses to the government to hospitals and health care systems. The latter are especially attractive targets, given how urgent it is to get their systems back up as soon as possible.

Energy systems and suppliers have also been a target of ransomware and cyberattacks. The cybersecurity of America’s energy infrastructure has been a particular concern in recent years, with the Trump administration declaring a national emergency in May 2020 meant to secure America’s bulk power system with an executive order that would forbid the acquisition of equipment from countries that pose an “unacceptable risk to national security or the security and safety of American citizens.”

Bloomberg reported about a month after the attack that the company was likely breached through a leaked password to an old account that had access to the virtual private network (VPN) used to remotely access the company’s servers. The account reportedly didn’t have multifactor authentication, so the hackers only needed to know the username and the password to gain access to the largest petroleum pipeline in the country.
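The reported entry point above combines two account-hygiene failures that a defender can check for mechanically: a VPN-entitled account that nobody has used in months, and a VPN-entitled account with no multifactor authentication. The following script is an added illustration written for this article; it is not code from Colonial Pipeline, Bloomberg, or any vendor named on the page. It assumes a hypothetical account export (the `Account` records) and a hypothetical VPN gateway log format (`vpn-gw auth user=... result=...`), both constructed inline, and a 90-day dormancy threshold chosen as an example policy. It performs an inventory audit (flag dormant and MFA-less VPN accounts) and a log-based detection (alert when an account logs in successfully after a gap longer than the threshold, which is how a resurrected old account would look in gateway logs).

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy threshold: no successful login for 90 days counts as dormant.
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Account:
    """One row of a hypothetical identity-provider / VPN entitlement export."""
    username: str
    vpn_enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]  # None means the account has never logged in


def audit_vpn_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for VPN-entitled accounts that are
    dormant or lack MFA. Accounts without VPN access are ignored."""
    findings = []
    for acct in accounts:
        if not acct.vpn_enabled:
            continue
        if not acct.mfa_enrolled:
            findings.append((acct.username, "VPN_WITHOUT_MFA"))
        if acct.last_login is None or today - acct.last_login > STALE_AFTER:
            findings.append((acct.username, "DORMANT_VPN_ACCOUNT"))
    return sorted(findings)


# Hypothetical gateway log line, e.g.:
# 2021-04-29 06:12:40 vpn-gw auth user=legacy-svc result=success src=203.0.113.7
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) vpn-gw auth user=(?P<user>\S+) result=(?P<result>\w+)"
)


def find_resurrected_logins(log_lines: List[str],
                            stale_after: timedelta = STALE_AFTER) -> List[Tuple[str, str]]:
    """Scan auth logs in order and return (username, date) for every successful
    login that follows a gap longer than stale_after since the account's
    previous successful login. Failed attempts do not reset the gap."""
    last_success = {}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "success":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user = m["user"]
        prev = last_success.get(user)
        if prev is not None and ts - prev > stale_after:
            alerts.append((user, ts.date().isoformat()))
        last_success[user] = ts
    return alerts


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("ops-admin", vpn_enabled=True, mfa_enrolled=True, last_login=date(2021, 4, 28)),
    Account("legacy-svc", vpn_enabled=True, mfa_enrolled=False, last_login=date(2020, 9, 1)),
    Account("contractor7", vpn_enabled=True, mfa_enrolled=False, last_login=None),
    Account("finance-jdoe", vpn_enabled=False, mfa_enrolled=False, last_login=date(2021, 4, 30)),
]

# Constructed sample gateway log (not real traffic).
SAMPLE_LOGS = [
    "2020-09-01 08:00:00 vpn-gw auth user=legacy-svc result=success src=10.0.0.5",
    "2021-04-28 07:10:11 vpn-gw auth user=ops-admin result=success src=10.0.0.9",
    "2021-04-29 06:12:03 vpn-gw auth user=legacy-svc result=failure src=203.0.113.7",
    "2021-04-29 06:12:40 vpn-gw auth user=legacy-svc result=success src=203.0.113.7",
    "2021-04-30 07:05:00 vpn-gw auth user=ops-admin result=success src=10.0.0.9",
]

if __name__ == "__main__":
    for user, finding in audit_vpn_accounts(SAMPLE_ACCOUNTS, date(2021, 4, 30)):
        print(f"AUDIT  {user:<14} {finding}")
    for user, when in find_resurrected_logins(SAMPLE_LOGS):
        print(f"ALERT  {user:<14} dormant account logged in on {when}")
```

The audit answers "which accounts should be disabled or forced into MFA enrollment today", while the log scan catches the case the audit misses: an account that was dormant at the time of the last review and then suddenly comes back to life. In practice the inventory would come from the identity provider's API and the log lines from the VPN gateway's syslog feed; the parsing here is tied to the constructed format and would need adjusting to the real one.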

The attack underscores two of the Biden administration’s stated priorities: improving American infrastructure and cybersecurity. The large-scale Russian SolarWinds hack, disclosed in December 2020, was shown to have affected several federal government systems. Biden said then that, as president, “my administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office. ... I will not stand idly by in the face of cyber assaults on our nation.”

Biden has also unveiled a $2 trillion infrastructure plan that includes $100 billion to modernize the electrical grid, which cybersecurity experts hoped would include improved cybersecurity measures. Biden also suspended the Trump bulk power system executive order to roll out his own plan.

And Biden has signed an executive order meant to strengthen the federal government’s cybersecurity standards for software and technology services it uses, which a senior administration official described as a fundamental shift in the federal government’s approach to cybersecurity incidents — away from spot responses and toward trying to prevent them from happening in the first place. The order has been in the works since shortly after Biden took office, the official said.

But these measures are more focused on preventing another SolarWinds-like attack. Federal officials told the New York Times they don’t think the order does enough to prevent a sophisticated attack, nor would it apply to a privately held company like Colonial. The oil pipeline attack might strengthen demands for cybersecurity standards for companies that play an important role in Americans’ lives. As it stands, it’s often left up to them which security measures they use to protect critical systems.

“Ransomware is about extortion, and extortion is about pressure,” James Shank, chief architect of community services at cybersecurity company Team Cymru, told Recode. “Impacting fuel distribution gets people’s attention right away. ... This emphasizes the need for a coordinated effort that bridges public- and private-sector capabilities to protect our national interests.”

The pipeline was able to get back up and running before a major or prolonged disruption to the fuel supply chain, and customers’ wallets weren’t hit too hard. But the next one — and many cybersecurity experts fear there will be a next one, or several next ones — could be a lot worse if measures aren’t taken at the highest levels to prevent it.

“The shutdown of the Colonial Pipeline by cyber-criminals highlights a massive problem — many of the companies running our critical infrastructure have left their systems vulnerable to hackers through dangerously negligent cybersecurity,” Sen. Ron Wyden (D-OR) said in a statement. “Congress must take action to hold critical infrastructure companies accountable and force them to secure their computer systems.”
