Colonial Pipeline Cyberattack: Timeline and Ransomware Attack Recovery Details
Colonial Pipeline suffered a ransomware attack that forced the U.S. energy company to shut down its entire fuel distribution pipeline — and therefore threatened gasoline and jet fuel distribution across the U.S. east coast.
Colonial Pipeline paid nearly $5 million to Eastern European hackers on May 7, 2021, contradicting reports that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, Bloomberg reported on May 13, 2021.
On an upbeat note, Colonial Pipeline managed to resume pipeline service by May 12, 2021, though it will take a few days for the supply chain to return to normal performance.
Meanwhile, cybersecurity firm FireEye is assisting the cyberattack investigation and recovery effort, multiple reports suggest — though FireEye has not commented about attack. A group known as DarkSide was involved in the attack, the FBI confirmed.
Colonial Pipeline operates 5,500 miles of pipeline — which stretches from Texas to New Jersey. The pipeline transports 100 million gallons of fuel per day, according to the company’s website, extends across 14 states and directly services seven airports.
For MSSPs (managed security services providers), it’s another timely reminder that all critical infrastructure — fuel, power, electric, transportation, communications and more — remains a prime target for cyberattacks and digital extortion initiatives.
Colonial Pipeline Ransomware Attack: Timeline and Status Updates
Here is a timeline featuring Colonial Pipeline ransomware attack details and recovery updates.
Monday, June 7, 2021:
- Ransomware Payment Recovery: The U.S. government has recovered a “majority” of the millions of dollars paid in ransom to hackers behind the Colonial Pipeline cyberattack, U.S. Department of Justice officials say. Source: NPR, June 7, 2021.
Thursday, May 13, 2021:
- Ransomware Payment: Colonial Pipeline paid nearly $5 million to Eastern European hackers on May 7, 2021, contradicting reports that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline. Source: Bloomberg, May 13, 2021.
Wednesday, May 12, 2021:
- Colonial Pipeline Restarts Pipeline Operations: The restart began at about 5:00 p.m. ET, though it will take several days for the delivery supply chain to return to normal, the company indicated. The update did not mention the cyber incident investigation. Source: Colonial Pipeline, May 12, 5:10 p.m. ET.
- Panic Buying: More than 1,000 fuel stations have run out of gasoline amid “panic buying” in the Southeastern United States. Source: Bloomberg Radio, May 12, 2021.
- Colonial Pipeline’s Website Restored. The company has also set up a website focused exclusively on the Colonial Pipeline cyber response effort. Source: MSSP Alert, May 12, 2021.
- Potential Pipeline Restart & Delivery Delays: The company sometime today plans to communicate whether the pipeline is ready to be gradually restarted. Among the areas of concern is a delivery lag. Indeed, it takes two weeks for gasoline to complete its pipeline journey from Texas to New Jersey. And it takes jet fuel about 19 days to complete a similar journey through the pipeline. Source: Bloomberg Radio, May 12, 2021.
Tuesday, May 11, 2021:
- CISA-FBI Advisory: The CSIA and FBI issued a cybersecurity advisory that described DarkSide ransomware and associated risk mitigation strategies. Source: CISA, May 11, 2021.
- Colonial Pipeline’s Website Offline: The company’s site was offline for a portion of the day. The Twitter handle is @Colpipe. Source: MSSP Alert, May 11, 2021.
- Colonial Pipeline Statement 5: The company described alternative fuel shipping strategies that are now in place amid the effort to safely restore the pipeline. Source: Colonial Pipeline, May 11, 2021.
Monday, May 10, 2021:
- Alleged Russia Connection: President Biden did not directly blame or implicate Russia in the Colonial Pipeline attack, but he suggested that Russia may deserve some blame for the attack since the hackers and/or their software are allegedly located within Russia’s borders. Source: Biden Press Briefing, May 10, 2021.
- FBI Statement: The FBI confirmed that DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks. Source: FBI Statement, May 10, 2021.
- Colonial Pipeline Statement 3 – Target Restore Date: The company’s goal is to substantially restore operational service by the end of the week. Source: Colonial Pipeline, May 10, 2021.
- Colonial Pipeline Statement 4 Incremental Restore Strategy: Line 4, which runs from Greensboro, N.C., to Woodbine, Md., is operating under manual control for a limited period of time while existing inventory is available. As previously announced, while our main lines continue to be offline, some smaller lateral lines between terminals and delivery points are now operational as well. Source: Colonial Pipeline, May 10, 2021.
Sunday, May 9, 2021: Second Colonial Pipeline Statement About Cyberattack:
“On May 7, Colonial Pipeline Company learned it was the victim of a cybersecurity attack and has since determined that the incident involved ransomware. Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring.
Leading, third-party cybersecurity experts were also immediately engaged after discovering the issue and launched an investigation into the nature and scope of this incident. We have remained in contact with law enforcement and other federal agencies, including the Department of Energy who is leading the Federal Government response.
Maintaining the operational security of our pipeline, in addition to safely bringing our systems back online, remain our highest priorities. Over the past 48 hours, Colonial Pipeline personnel have taken additional precautionary measures to help further monitor and protect the safety and security of its pipeline.
The Colonial Pipeline operations team is developing a system restart plan. While our mainlines (Lines 1, 2, 3 and 4) remain offline, some smaller lateral lines between terminals and delivery points are now operational. We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.
At this time, our primary focus continues to be the safe and efficient restoration of service to our pipeline system, while minimizing disruption to our customers and all those who rely on Colonial Pipeline. We appreciate the patience and outpouring of support we have received from others throughout the industry.”
- Source: Colonial Pipeline, May 9, 2021.
Sunday, May 9, 2021:
- DarkSide Hackers Attacked Colonial Pipeline?: A group known as DarkSide may have been involved in the attack. The Department of Energy is monitoring potential impacts to the nation’s energy supply. The Cybersecurity and Infrastructure Security Agency (CISA) and the Transportation Security Administration are involved in the investigation. Colonial did not give further details or say how long its pipelines would be shut. If the system is shut for four or five days, the energy market could see sporadic outages at fuel terminals that depend on the pipeline for deliveries, the report said. Source: Reuters, May 9, 2021.
- Biden Administration Assists Colonial Pipeline Cyberattack Recovery Effort: U.S. Commerce Secretary Gina Raimondo said a pipeline fix was a top priority for the Biden administration and Washington was working to avoid more severe fuel supply disruptions by helping Colonial restart as quickly as possible its more than 5,500-mile (8,850 km) pipeline network from Texas to New Jersey. Source: Reuters, May 10, 2021
Saturday, May 8, 2021:
- U.S. Government Assists Attack Response: Colonial Pipeline, unnamed U.S. companies and several U.S. government organizations (including the White House, the FBI, CISA and NSA) shut off key servers operated by the hackers. The steps stopped the flow of stolen Colonial Pipeline data from the United States to alleged hacker locations in Russia. Source: Bloomberg, May 10, 2021.
- Initial Colonial Pipeline Statement About Cyberattack: Colonial Pipeline issued this statement…
“On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems. Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies.
Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.”
- Source: Colonial Pipeline, May 8, 2021.
Friday, May 7, 2021:
- Colonial Pipeline paid nearly $5 million to Eastern European hackers on May 7, 2021, contradicting reports that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline. Source: Bloomberg, May 13, 2021.
Thursday, May 6, 2021 – Hackers Launch Colonial Pipeline Cyberattack: The hackers who caused Colonial Pipeline to shut down the biggest U.S. gasoline pipeline began their blitz against the company on May 6, 2021, stealing 100 gigabytes of data before locking computers with ransomware and demanding payment. Source: Bloomberg, May 9, 2021.
The cyberattack comes amid the Biden administration’s push to strengthen and further protect U.S. infrastructure from cyberattacks.
Check back for updates to this article.
Blog originally published May 8, 2021. Updated regularly thereafter.