[Image: long line of cars at a gas station with an "out of gas" sign]

The Six Days America Ran Out of Gas

The Colonial Pipeline Ransomware Attack


4:30 AM, May 7, 2021

Georgia is asleep.

In Alpharetta, a quiet control room hums along like it has for years, dials and screens tracking 5,500 miles of steel pipe carrying gasoline and jet fuel from Houston to New York Harbour. It is the kind of infrastructure nobody thinks about until it stops working, the reason gas stations have gas, the reason airports have fuel, the reason the lights stay on along the entire Eastern Seaboard.

Then, silently, something changes.

An employee finds a ransom note sitting on a company computer. Within minutes, it’s clear this isn’t a glitch. Somewhere in Colonial Pipeline’s corporate network, a stranger has been reading the company’s files for more than a week, and now they want to be paid.

By the end of the day, the largest fuel pipeline in the United States will be switched off. Not because the pipeline itself was attacked. Because nobody could be sure it hadn’t been.

And it had been coming for nine days.


Part 1: The Invisible Invasion

The break-in didn’t need a zero-day exploit, a nation-state toolkit, or a single line of malicious code cleverly disguised as something else. It needed a password that already existed.

On April 29, 2021, someone logged into a Colonial Pipeline VPN, a private digital tunnel that lets employees connect securely into a company’s internal network from anywhere, using a legitimate username and password. The account belonged to a legacy system: a VPN profile that employees no longer actively used but that nobody had switched off. It had one critical gap. No multi-factor authentication (MFA) — the second login check, often a code sent to your phone, that stops a stolen password from being enough on its own.

A single password was enough on its own.

Investigators from the cybersecurity firm Mandiant later traced that password to a dark web leak, a stash of stolen login credentials sold and traded in hidden corners of the internet, collected from years of unrelated data breaches across thousands of websites. The VPN account had no multi-factor protection and was unused but still active at the time of the attack, and its password was later found inside a batch of leaked passwords on the dark web, suggesting an employee may have reused the same password on another account that had previously been breached. Mandiant’s Charles Carmakal would later tell Congress the password itself wasn’t weak or careless, it was “relatively complex…in terms of length, special characters and case set.” It just wasn’t unique. Somewhere, at some point, that same combination of characters had been typed into a different website, one that was later breached, and from there it found its way into the open.

“We don’t see any evidence of phishing for the employee whose credentials were used,” Carmakal said. “We have not seen any other evidence of attacker activity before April 29.” No trick email. No malicious attachment. Just a key that had been left out in the open long before anyone realized it had been copied.

For more than a week, the intruders did almost nothing visible. They didn’t need to. With legitimate-looking access already in hand, they could move quietly through Colonial’s corporate network, mapping out what was there, identifying valuable systems, and most importantly finding data worth stealing before they ever touched a single file with ransomware.

It would take until May 7 — nine days later — for anyone at Colonial Pipeline to notice.


Part 2: The Reckoning

5:30 AM, May 7, 2021. A Colonial employee discovers a ransom note on a computer tied to the company’s business systems, including its customer billing platform. The note is short, direct, and unmistakable: your files have been stolen and encrypted, and you need to pay to get them back.

In the two hours before the ransomware was deployed, the attackers had already done the damage that mattered most: they stole 100 gigabytes of data in that two-hour window — internal documents, employee information, anything of value — before triggering the encryption that would lock Colonial out of its own systems.

By 6:00 AM, CEO Joseph Blount had been notified. The early, urgent question wasn’t “how bad is the data breach” — it was “did they touch the pipeline itself.” Colonial’s operational technology, the physical systems of valves, sensors, and pumps that actually move fuel through the ground, runs on a separate network from the corporate IT systems the attackers had compromised. Those operational systems were not directly compromised during the attack.

But knowing that for certain, in the first chaotic hour, was not the same as being certain enough to keep pumping fuel.

By 6:30 AM, Colonial had made its call: shut the whole thing down. This affected 260 gasoline delivery points across 13 states and Washington, D.C. Employees were instructed not to log into any systems on the corporate network for fear of further spreading the ransomware.

It wasn’t only caution. The ransomware had infected computers tied to the pipeline’s billing systems, and without a way to track which customer had ordered which fuel, Colonial had no way to reliably charge for or account for anything moving through the pipe. Reporting later confirmed the company halted operations partly because its billing system was compromised, and executives were concerned they wouldn’t be able to determine who owed what. The largest fuel pipeline in America went dark in part because of an accounting problem.

What followed wasn’t an explosion or a spill. It was something quieter and, in its own way, more unsettling: ordinary life grinding against an invisible wall.

By May 11, more than 1,000 gas stations across the Southeast had run dry. Tom Kloza, an analyst with S&P, explained that the shortages stemmed largely from panic: stations were selling three or four times their normal daily volume as people rushed to fill up. Virginia, North Carolina, Georgia, and Florida all declared states of emergency. American Airlines began adding refueling stops to some long-haul flights.

In Pensacola, Florida, a woman named Danielle Charles stood in a gas line and said the situation was “worse than a hurricane.” In Peachtree Corners, Georgia, another driver, Annelise Onorato, described the hunt for an open station more simply: “I think we’re going to go on a wild goose chase.”

In Alexandria, Virginia, a 62-year-old woman named Denise Muse ran out of fuel mid-journey and had to walk more than half a mile just to find a station that still had gas.

For Abeer and Ahmad Darwich, who had run a two-pump gas station in North Carolina for eleven years, the shutdown meant something closer to financial injury. They first heard about the disruption on May 10, three days after Colonial had already announced the cyberattack; the shutdown that followed lasted six days. They would later sue Colonial Pipeline over the lost business and the chaos at their pumps.

This was the strange shape of a ransomware attack on critical infrastructure: no fire, no explosion, no visible damage anywhere, just an entire region quietly running out of something it had never had to think about before.


Part 3: Behind the Curtain

The group behind the note called itself DarkSide.

DarkSide was a ransomware-as-a-service group that had emerged in 2020, believed to operate out of Eastern Europe with strong indications of links to Russia. “Ransomware-as-a-service” is a deliberately corporate-sounding term for a deliberately corporate-feeling business model: DarkSide’s core operators built and maintained the ransomware tool itself, then leased it out to “affiliates”, other criminals who carried out the actual break-ins, in exchange for a cut of whatever ransom came in. According to one threat intelligence analyst who monitors underground forums, DarkSide only worked with Russian-speaking affiliates and initial access suppliers after a serious vetting interview, and its core code-writers included what he called “top tier eastern European cybercriminals.”

Researchers at the threat intelligence firm Flashpoint assessed that DarkSide’s operators were likely former affiliates of REvil, another major Russian-speaking ransomware-as-a-service operation. This is a recurring pattern in the ransomware underworld: groups dissolve, scatter, and reform under new names, carrying their expertise — and often their code — with them.

DarkSide cultivated an oddly polished self-image. The group styled itself as a kind of cyber Robin Hood, profiting off wealthy targets and even claiming to donate some proceeds to charity. It claimed to follow a code of ethics, stating it would never attack hospitals, schools, universities, nonprofits, or government agencies, and that it deliberately avoided targeting former Soviet states.

The motive was never in doubt. It was money. Investigative reporter Brian Krebs reported that DarkSide wasn’t trying to damage national infrastructure, it was simply drawn to a target with the finances to support a large payment. Colonial Pipeline, a privately held company moving nearly half the fuel supply for the entire East Coast, fit that profile precisely.

There’s a detail that complicates the image of DarkSide as calculating professionals, though. Reporting from CNN suggested that the hackers who breached Colonial’s automated billing system showed signs of being relative novices, people who appeared to have stumbled into a target far more consequential than they understood, and arguably miscalculated the scale of what they’d triggered. It’s a strange, almost mundane footnote to a national crisis: a group that may not have fully grasped what it was about to set off.

When the scale of the fallout became clear (a White House emergency declaration, international headlines, the President of the United States personally raising the matter with Moscow), DarkSide tried to step back from the wheel. In a statement posted to the dark web, the group wrote: “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

It was an extraordinary statement for a criminal organization to issue: an apology, almost, for picking too important a target. Within days, DarkSide’s own infrastructure went dark. The group told its affiliates it had been disrupted by a law enforcement agency, and a threat intelligence analyst reported the group had lost control of its servers. In its farewell message, DarkSide claimed to be an apolitical group with no affiliation to the Russian state, insisting it had targeted Colonial simply because of how large a ransom it judged the company could pay.

Whether DarkSide collapsed under outside pressure, was shut down by its own government once it became an inconvenience, or simply went into hiding to rebrand later, remains genuinely unresolved. What’s certain is that the entity responsible for one of the most disruptive cyberattacks in American history effectively vanished within a week of pulling it off.


Part 4: How It Worked — The Technical Picture

This section breaks down the mechanics of the attack in plain language.

The entry point: A compromised VPN account — software that lets remote employees connect securely to a company network — protected by only a password, with no multi-factor authentication (MFA). Think of MFA as a second lock on a door: even if someone copies your key, they still can’t get in without also having your phone in hand. Colonial’s legacy VPN account had only the one lock, and the key had already been copied.

Credential reuse: The password attackers used had previously appeared in a dark web data dump — a collection of usernames and passwords stolen from unrelated breaches over the years. Security researchers believe a Colonial employee had, at some point, used that same password somewhere else — a habit nearly everyone is guilty of, and one that turns a single forgotten account on a different website into a master key for an entirely different organization.

Reconnaissance and lateral movement: Once inside, the attackers spent roughly nine days quietly exploring Colonial’s network before acting. This stage is sometimes called lateral movement — moving from the first compromised account to other systems, escalating privileges, and identifying which servers held the most valuable data. During this phase, the attackers conducted reconnaissance and moved laterally across systems to escalate privileges and prepare for ransomware deployment.

Double extortion: Before triggering the ransomware itself, the attackers exfiltrated — copied out — roughly 100 gigabytes of company data. This is the hallmark of a tactic security professionals call double extortion: instead of just locking your files and demanding payment to unlock them, attackers also threaten to publish the stolen data if you don’t pay, giving victims two separate reasons to comply even if they have working backups.

Deploying the ransomware: With data already stolen, the attackers triggered file-encrypting malware across Colonial’s business systems, including the billing platform used to track fuel deliveries and customer payments. Encrypted billing and operational support systems left the company unable to reliably process the transactions tied to fuel delivery.

The segmentation that saved the pipeline: Colonial’s operational technology (OT) network — the systems that physically control valves, pumps, and flow rates — was kept separate from its corporate IT network. This separation, often called network segmentation, is a basic but critical security principle: think of it as keeping a ship’s compartments sealed from one another, so a single hole doesn’t sink the whole vessel. Because that wall held, the pipeline’s operational technology systems that actually move oil were not directly compromised during the attack. The company shut the pipeline down anyway — partly out of caution about whether the wall would hold under continued pressure, and partly because, without a working billing system, it had no reliable way to track who was owed what.

What made it hard to stop: Nothing about this intrusion relied on a never-before-seen software flaw that defenders couldn’t have anticipated. It relied entirely on things organizations are routinely warned about and routinely fail to fully close off: an old account nobody remembered to disable, a single layer of authentication where two were needed, and a password recycled from somewhere else. Ransomware infections typically begin through common attack vectors, such as phishing emails, remote access services, or the exploitation of software vulnerabilities — and in Colonial’s case, it was the simplest of those: remote access, secured by nothing more than a password that had already leaked.



Part 5: The Aftermath

The shutdown: The pipeline was offline from May 7 to May 12, with Colonial reporting that normal operations didn’t fully resume until May 15. Colonial Pipeline normally delivers around 45 percent of the refined fuel consumed on the East Coast and the Southern states. For nearly a week, a significant share of that supply simply stopped moving.

Human cost: No one was physically harmed. But the disruption rippled out into ordinary people’s lives in ways that were genuinely stressful — drivers stranded mid-trip, small business owners losing a week of income, airlines rerouting flights, and an underlying, uncomfortable realization that a piece of infrastructure most Americans had never thought about could be switched off by a stolen password.

The ransom: Colonial paid 75 bitcoin, worth roughly $4.4 million at the time, within hours of the attack being discovered. The ransom was paid promptly on May 7, even though President Biden still made an emergency declaration on May 9. CEO Joseph Blount later told Congress it was “one of the toughest decisions I have had to make in my life,” but that he believed “restoring critical infrastructure as quickly as possible, in this situation, was the right thing to do for the country.” He said the company had already seen “pandemonium and panic buying,” and worried about what would happen to emergency vehicles and airports if fuel didn’t start moving again.

The recovery: In a rare and significant counter-strike, the U.S. Department of Justice managed to claw back a large portion of the payment. The DOJ’s Ransomware and Digital Extortion Task Force traced the Bitcoin payment through a series of digital wallets to its eventual destination — a wallet address tied to a computer in California — and obtained a court order to seize the funds, ultimately recovering 64 of the 75 bitcoin Colonial had paid. Because Bitcoin’s value had fluctuated in the meantime, the recovered coins were worth around $2.4 million — roughly half of what Colonial had originally paid.

Financial and legal consequences: Beyond the ransom itself, Colonial faced regulatory scrutiny and litigation. The Department of Transportation later sought to levy close to $1 million in fines against Colonial for a series of safety violations connected to the shutdown. Multiple lawsuits followed, including from small business owners like the Darwiches, whose livelihood was disrupted by a crisis they had no part in causing.

Recovery timeline: Full pipeline operations resumed within roughly a week, but the financial, legal, and reputational fallout stretched on for years, through congressional hearings, regulatory reviews, and a wave of policy change that the incident itself helped force into existence.


Part 6: Lessons Learned

For Organisations

  1. Audit and decommission unused accounts. The VPN account exploited in this attack belonged to a system employees no longer actively used. An account nobody remembers is an account nobody is watching.
  2. Make multi-factor authentication non-negotiable for remote access. A single password — however complex — should never be the only thing standing between the open internet and a company’s internal network.
  3. Assume passwords will leak eventually. Credential reuse is nearly universal human behavior. Build defenses that assume any given password might already be compromised somewhere else.
  4. Segment operational technology from corporate IT — and actually test that the wall holds. Colonial’s pipeline survived in large part because its physical control systems sat on a separate network from its business systems. That architectural decision, made long before the attack, did more to limit the damage than almost anything that happened during the incident response itself.
  5. Have a tested incident response plan specific to ransomware. Colonial did not have a plan specifically for ransomware, though it did have a broader emergency response plan. Generic crisis planning is not the same as rehearsing the specific, fast-moving decisions a ransomware event demands.
  6. Don’t let billing and operational continuity depend on the same compromised systems. Part of why Colonial shut down a fully functional pipeline was the inability to track and bill for fuel deliveries. Resilience planning needs to account for “soft” dependencies like billing, not just the physical systems everyone assumes are the priority.
  7. Engage law enforcement early, and understand that ransom payment is a business decision with consequences either way. Colonial notified the FBI within hours, which gave investigators the trail needed to later recover a significant portion of the ransom. That outcome was the exception, not the rule, but it underscores the value of fast, transparent engagement with authorities.
  8. Plan for the reputational and regulatory aftermath, not just the technical recovery. The pipeline was back online in days. The lawsuits, fines, and congressional hearings took years.
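The three conditions Part 4 and lessons 1 through 3 describe (an enabled account nobody uses, remote access with no MFA, and a password already present in a breach corpus) can be checked mechanically. Below is an added example, not Colonial's tooling or any vendor's code: a stale-account audit over a constructed VPN account inventory, plus a k-anonymity breach lookup of the kind NIST SP 800-63B recommends at password-set time, using a constructed hash-range table in place of a live Pwned Passwords query.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed inventory of remote-access (VPN) accounts; none of this is real data.
@dataclass
class VpnAccount:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]  # None means the account has never logged in

INVENTORY = [
    VpnAccount("ops-legacy", True, False, date(2020, 9, 3)),    # dormant, enabled, no MFA
    VpnAccount("jdoe", True, True, date(2021, 5, 6)),           # healthy
    VpnAccount("contractor7", True, False, date(2021, 5, 1)),   # active but single-factor
    VpnAccount("retired-svc", False, False, date(2019, 1, 1)),  # already disabled: no surface
]

def audit_accounts(accounts: List[VpnAccount], today: date,
                   dormant_after_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: findings} for enabled accounts that are dormant
    (no login within the window) and/or reachable with a password alone."""
    findings: Dict[str, List[str]] = {}
    cutoff = today - timedelta(days=dormant_after_days)
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account cannot be used for remote access
        issues = []
        if acct.last_login is None or acct.last_login < cutoff:
            issues.append("dormant: disable or remove")
        if not acct.mfa_enrolled:
            issues.append("no MFA: password alone grants network access")
        if issues:
            findings[acct.username] = issues
    return findings

def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed breach corpus laid out like a Pwned Passwords range response:
# keyed by the first 5 hex chars of SHA-1(password), valued by a map of the
# remaining 35 chars to how often that password appeared in breaches.
_CONSTRUCTED_LEAKED = {"Winter2019!": 1234, "P@ssw0rd": 98765}
BREACH_RANGES: Dict[str, Dict[str, int]] = {}
for _pw, _count in _CONSTRUCTED_LEAKED.items():
    _digest = _sha1_hex(_pw)
    BREACH_RANGES.setdefault(_digest[:5], {})[_digest[5:]] = _count

def leaked_count(password: str, ranges=BREACH_RANGES) -> int:
    """k-anonymity lookup: in a live check only the 5-char prefix leaves the
    host; the full digest is compared locally against the returned suffixes.
    Returns the breach count, or 0 when the password is not in the corpus."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return ranges.get(prefix, {}).get(suffix, 0)

def password_acceptable(password: str, min_len: int = 14) -> bool:
    """Length alone is not enough (Colonial's password was 'relatively
    complex'); reject anything already present in the breach corpus."""
    return len(password) >= min_len and leaked_count(password) == 0

if __name__ == "__main__":
    for user, issues in audit_accounts(INVENTORY, date(2021, 5, 7)).items():
        print(f"{user}: {'; '.join(issues)}")
    print("leaked count for constructed sample:", leaked_count("Winter2019!"))
```

In a real deployment the range lookup is an HTTPS request for the hash prefix, and the account inventory comes from the VPN concentrator or identity provider rather than an inline list.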

For Individuals

  1. Never reuse passwords across accounts, especially for anything tied to work systems. A password breached on one unrelated website years ago can come back to compromise an entirely different organization later.
  2. Use a password manager to generate and store unique, complex passwords for every account, so reuse stops being a temptation born of convenience.
  3. Enable multi-factor authentication everywhere it’s offered — for work accounts and personal ones. It’s the single highest-value, lowest-effort security step most people can take.
  4. Resist panic during a regional disruption. The fuel shortage following Colonial’s shutdown was made dramatically worse by ordinary people rushing to fill up all at once. Calm, ordinary behavior protects supply for everyone, including yourself.
  5. Treat “old” or “inactive” accounts as a personal liability, not a non-issue. If you no longer use an account, close it. The same blind spot that took down a fuel pipeline exists in everyone’s digital life.

Part 7: The Bigger Picture

The Colonial Pipeline attack is often remembered as a watershed moment — and it was. It was the moment the vulnerability of a highly connected society became a nationwide reality and a kitchen table issue, transforming cybersecurity from an abstract IT concern into something ordinary Americans felt directly, in gas lines.

It fits into a much larger pattern. Ransomware-as-a-service had, by 2021, matured into something closer to a criminal franchise model than a string of isolated hacks — specialized developers building the tools, specialized affiliates conducting the break-ins, and a profit-sharing arrangement that let both sides scale far beyond what either could manage alone. DarkSide’s other known victims included Toshiba’s French subsidiary and the German chemical distributor Brenntag, with ransom demands across its operations ranging from roughly $200,000 to $5 million or more. Across its roughly nine months of operation, the group is estimated to have extracted close to $90 million from its victims.

Critical infrastructure — energy, water, healthcare, transportation — has become an increasingly attractive target precisely because the cost of downtime is so catastrophically asymmetric. A hospital or a fuel network can’t simply wait out an outage the way a retailer might; the pressure to pay quickly is enormous, and attackers know it. That dynamic is what makes infrastructure ransomware different in kind from ordinary corporate cybercrime — it isn’t just about the data anymore. It’s about how much pain a forced shutdown causes innocent third parties who never had any relationship with the victim organization at all.

The geopolitical backdrop is equally significant. Groups like DarkSide are widely understood to operate from Russia and former Soviet states with a degree of tacit tolerance, so long as their targets remain outside Russian borders. This created — and still creates — a frustrating accountability gap: criminal actors operating with practical impunity from territory that Western law enforcement cannot easily reach, regardless of how clearly their activity can be attributed.

A worse version of this same attack is not hard to imagine. Colonial Pipeline’s operational technology held because it had been kept properly separated from its corporate network — a design decision, not a guarantee. A similar attack against an organization without that segmentation, against a water treatment system, a regional power grid, or a hospital network without comparable architectural discipline, could move from inconvenience to genuine danger to human life. The defining lesson of Colonial Pipeline isn’t really about gas lines. It’s about how much of modern daily life rests on systems whose security was, for years, an afterthought — and how little it actually took to expose that.


Conclusion

Nine days before anyone noticed, a password that had leaked somewhere else, sometime earlier, for some entirely unrelated reason, let a stranger walk into one of the most consequential pieces of infrastructure in the United States.

Nothing exploded. No pipeline ruptured. No one was physically hurt. And yet for six days, a sizable portion of the East Coast of the United States ran on fumes — quite literally — because of a piece of software nobody had bothered to switch off, protected by a lock that only needed one key.

That is, in the end, the real story of Colonial Pipeline. Not a sophisticated, unstoppable cyberweapon. A forgotten account. A reused password. A missing second lock. The infrastructure that runs the world doesn’t usually fall to brilliance. It falls to neglect — quiet, ordinary, and entirely preventable, right up until the moment it isn’t.


