Colonial Pipeline: 3 Ways To Save 5 Million dollars

Colonial Pipeline Map

What happened?

In May 2021, the Colonial Pipeline, a major U.S. fuel pipeline, was targeted in a ransomware cyber attack, causing its operations to be temporarily halted. The shutdown led to widespread fuel shortages in several Southeastern states and panic buying. DarkSide, a cybercriminal group believed to be based in Russia, claimed responsibility for the attack. The company eventually paid a ransom of nearly $5 million to restore its systems. The incident underscored vulnerabilities in critical U.S. infrastructure and intensified debates about cybersecurity, ransomware response strategies, and the need for international cooperation against cyber threats.

How did they do it?

  1. A cybercrime group named DarkSide took responsibility for the ransomware attack, according to Vice.
  2. The cybercriminals obtained a username and password for a VPN that Colonial Pipeline used to give an employee remote access to its network, reports Bloomberg. The account was not protected by multi-factor authentication, so nothing stopped an unauthorized login once the password was guessed, cracked or leaked; Bloomberg later reported that the password had been found in a batch of leaked credentials on the dark web.
  3. Once inside the Colonial Pipeline network, the cybercriminals deployed ransomware that encrypted data on the company's systems and demanded a ransom.
  4. When the ransomware was discovered, Colonial Pipeline shut down its IT systems and, as a precaution, the systems that ran the pipeline itself.
  5. A ransom of nearly $5 million in bitcoin was paid to the criminals, but the decryption tool Colonial Pipeline received in exchange was so slow that the company also had to restore data from backups, reports Mashable.

How could this have been prevented?

Applying basic cybersecurity controls could have stopped this attack from succeeding, and the good news is that all three of the tips below are free or inexpensive.

  1. Use a password manager: the VPN account's password turned up in a leaked-credential dump, which points to a reused or weak password. A password manager lets every account have a long, complex and unique password, so one leak does not unlock anything else.
  2. Enable multi-factor authentication (MFA) everywhere possible, and especially where users reach sensitive systems from the public Internet. MFA was not enabled on the VPN account; with it, a compromised password alone would not have been enough to log in to the network.
  3. Disable unused accounts. The VPN account was reportedly no longer in use but had not been disabled. An idle account has nobody watching it for unexpected logins, so stale accounts should be disabled promptly and account lists reviewed on a regular schedule.
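The three tips above are the kind of checks an administrator can run against a VPN or identity-provider account export on a schedule. The script below is an added example, not code from Colonial Pipeline or any vendor: it assumes a CSV export with the columns username, enabled, mfa_enabled, last_login and password_sha1 (a hypothetical format), treats an account idle for more than 90 days as unused, and compares password hashes against a constructed list of leaked-password hashes. All account data and leaked passwords in it are made up for illustration.

```python
"""Audit a remote-access account export for the three weaknesses in the
tips above: no MFA, accounts that are no longer used, and passwords that
already appear in a leaked-credential list.

Added example; the CSV layout, the 90-day idle threshold and the sample
data are assumptions, not taken from any real system or breach dump.
"""
from __future__ import annotations

import csv
import hashlib
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumption: idle for 90 days means unused


def sha1_hex(password: str) -> str:
    """SHA-1 hex digest, the form in which leaked-password lists are usually shared."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed leaked-password list (hashes only). Illustrative, not from a real dump.
LEAKED_SHA1 = {sha1_hex(p) for p in ("Password123", "Summer2020!", "Welcome1")}

# Constructed VPN account export in the CSV shape assumed above.
ACCOUNT_EXPORT = (
    "username,enabled,mfa_enabled,last_login,password_sha1\n"
    f"alice,true,true,2021-05-05T08:12:00Z,{sha1_hex('correct horse battery staple 9$Q')}\n"
    f"bob,true,false,2021-05-04T17:45:00Z,{sha1_hex('Summer2020!')}\n"
    f"contractor7,true,false,2020-11-02T09:30:00Z,{sha1_hex('Welcome1')}\n"
    f"svc-backup,true,true,2021-01-15T03:00:00Z,{sha1_hex('x7!Lq9#pR2vT')}\n"
    f"old-admin,false,false,2019-06-01T12:00:00Z,{sha1_hex('Password123')}\n"
)

AS_OF = datetime(2021, 5, 6, tzinfo=timezone.utc)  # audit date (constructed)


def parse_export(text: str) -> list[dict]:
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["enabled"] = r["enabled"].strip().lower() == "true"
        r["mfa_enabled"] = r["mfa_enabled"].strip().lower() == "true"
        r["last_login"] = datetime.fromisoformat(r["last_login"].replace("Z", "+00:00"))
        rows.append(r)
    return rows


def audit(rows: list[dict], leaked: set[str], as_of: datetime,
          stale_after: timedelta = STALE_AFTER) -> dict[str, list[str]]:
    """Return {username: [finding, ...]} for every enabled account with a problem.

    Disabled accounts are skipped: they cannot be used to log in, which is the
    whole point of tip 3.
    """
    findings: dict[str, list[str]] = {}
    for r in rows:
        if not r["enabled"]:
            continue
        problems = []
        if not r["mfa_enabled"]:
            problems.append("no-mfa")
        if as_of - r["last_login"] > stale_after:
            problems.append("stale")
        if r["password_sha1"].lower() in leaked:
            problems.append("leaked-password")
        if problems:
            findings[r["username"]] = problems
    return findings


def remediation(findings: dict[str, list[str]]) -> list[str]:
    """Turn findings into the actions an administrator would take, in order."""
    actions = []
    for user, problems in sorted(findings.items()):
        if "stale" in problems:
            # An unused account is simply disabled; no point fixing its MFA or password.
            actions.append(f"disable {user}")
            continue
        if "leaked-password" in problems:
            actions.append(f"force password reset for {user}")
        if "no-mfa" in problems:
            actions.append(f"require MFA enrollment for {user}")
    return actions


if __name__ == "__main__":
    found = audit(parse_export(ACCOUNT_EXPORT), LEAKED_SHA1, AS_OF)
    for user, problems in sorted(found.items()):
        print(f"{user}: {', '.join(problems)}")
    for action in remediation(found):
        print(action)
```

On the constructed data the audit flags bob (no MFA and a leaked password, still active), contractor7 (no MFA, leaked password, idle since November) and svc-backup (MFA on, but idle for over 90 days), and leaves alice and the already-disabled old-admin alone. Stale accounts are disabled outright rather than re-secured, because an account nobody uses is pure attack surface.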

In addition to these three steps, keeping regular, verified, offline backups matters both for removing the need to pay a ransom and, as in this case, for recovering faster than a criminal's decryption tool allows. A backup only counts once a restore from it has actually been tested.

As an additional safety measure, consider cyber insurance that will assist in the recovery of a ransomware attack and the possible ransom negotiation.
