Dive Brief:
- Colonial Pipeline began the relaunch of its massive fuel pipeline Wednesday following a ransomware attack that had kept the 5,500-mile delivery system offline since last Friday, the company announced. The outage led to panic buying and gasoline shortages across multiple states in the Southeast and mid-Atlantic region.
- There are conflicting reports on whether Colonial decided to pay the ransom. Bloomberg reported Thursday that the company paid a $5 million ransom within hours of the attack last week, according to sources who spoke to the news service. The company has been working with cybersecurity consultants including Mandiant on the investigation. Consultants were reportedly able to trace some of the stolen data to a New York-based hosting firm, which shut down the server, according to The Washington Post.
- Colonial Pipeline said it has made substantial progress in restarting the pipeline and expects to have product flowing to all of the markets it serves by mid-afternoon Thursday.
Dive Insight:
The White House will remain in close contact with Colonial Pipeline and continue to support the recovery process through a whole-of-government approach, according to a statement posted online by Press Secretary Jen Psaki. The Department of Energy, Department of Transportation, Department of Homeland Security and other agencies have been assisting the company with supply chain issues and with mitigating the cyber intrusion.
"This could end up being a post-breach success story," Edgard Capdevielle, CEO of Nozomi Networks, said via email. "It will be interesting to learn about the things that went right. When it comes down to these types of cyberattacks it's not a matter of if, but when a cyberattacker gets in."
Despite that optimism, there remain significant questions about what actually happened that led to the intrusion. In addition, there are unresolved issues with existing threats to critical infrastructure across the country and whether the U.S. is prepared for future cybersecurity attacks or ransomware demands.
While the exact method of attack has not been disclosed, FireEye released a blog post outlining the recent history and methods of the DarkSide organization. The group runs a ransomware-as-a-service operation that partners with various affiliate groups, so the tactics used for initial access vary by affiliate.
Mandiant identified one threat actor, UNC2628, active since February 2021, which typically deploys ransomware within two to three days of the initial intrusion. Its activity centered on logging in to corporate VPNs with legitimate credentials rather than exploiting a vulnerability; in some cases the tool Mimikatz was then used to steal further credentials and escalate privileges.
Mandiant also observed UNC2659, active since January, exploiting a vulnerability in the SonicWall SMA100 SSL VPN appliance; SonicWall has since issued a patch for it.
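The UNC2628 pattern described above, valid credentials on a corporate VPN, leaves no authentication failures to alert on, so detection has to rest on deviation from each account's normal behaviour. The following script is an added example written for this page; it is not code from the article, FireEye or Mandiant. It builds a per-user baseline of source IPs from a known-good period of VPN authentication logs and then flags later successful logins that come from an IP the account has never used, or from a new IP that several distinct accounts start using within a short window. The log format, the addresses and the two heuristics are assumptions made for the example.

```python
"""Flag suspicious successful corporate VPN logins (added example).

Assumptions: a line-oriented auth log of the form
    <ISO time> user=<name> src=<ip> result=<ok|fail>
and two constructed heuristics (not Mandiant's published detection logic):
  new-source    : a user logs in from an IP never seen for that account
  shared-source : >= shared_threshold distinct users log in from the same
                  previously-unseen IP within `window`
All log lines and addresses below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed known-good period used to learn each account's usual source IPs.
BASELINE_LOG = """\
2021-04-01T08:02:11Z user=alice src=203.0.113.10 result=ok
2021-04-01T08:15:40Z user=bob src=198.51.100.7 result=ok
2021-04-02T09:01:05Z user=alice src=203.0.113.10 result=ok
2021-04-02T17:45:00Z user=carol src=198.51.100.22 result=ok
2021-04-03T07:58:30Z user=bob src=198.51.100.7 result=ok
""".splitlines()

# Constructed period under review: two accounts appear from one new IP at night.
REVIEW_LOG = """\
2021-05-03T02:14:09Z user=alice src=203.0.113.10 result=ok
2021-05-03T02:20:51Z user=bob src=192.0.2.55 result=ok
2021-05-03T02:22:17Z user=carol src=192.0.2.55 result=ok
2021-05-03T02:23:02Z user=dave src=192.0.2.55 result=fail
2021-05-03T09:10:44Z user=alice src=203.0.113.10 result=ok
""".splitlines()


def parse(line):
    """Parse one log line into a dict with a datetime under key 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def build_baseline(lines):
    """Map each user to the set of source IPs seen in successful logins."""
    seen = defaultdict(set)
    for rec in map(parse, lines):
        if rec["result"] == "ok":
            seen[rec["user"]].add(rec["src"])
    return seen


def find_suspicious(lines, baseline, window=timedelta(minutes=30), shared_threshold=2):
    """Return (kind, user(s), src, ts) alerts for successful off-baseline logins.

    Failed attempts are deliberately ignored: the scenario is that the
    credentials are valid, so only successful logins carry signal.
    """
    alerts = []
    recent_by_src = defaultdict(list)  # src -> [(ts, user)] of new-source logins
    for rec in map(parse, lines):
        if rec["result"] != "ok":
            continue
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        if src in baseline.get(user, set()):
            continue  # normal for this account
        alerts.append(("new-source", user, src, ts))
        # Keep only recent new-source logins from this IP, then add this one.
        hist = [(t, u) for t, u in recent_by_src[src] if ts - t <= window]
        hist.append((ts, user))
        recent_by_src[src] = hist
        users = {u for _, u in hist}
        if len(users) >= shared_threshold:
            alerts.append(("shared-source", ",".join(sorted(users)), src, ts))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(*alert)
```

On the constructed data this yields two new-source alerts (bob and carol from 192.0.2.55) and one shared-source alert for that IP; the failed attempt for dave is ignored. In practice the baseline would be keyed on ASN or geolocation rather than exact IP, and the shared-source check is the one worth paging on, since one previously unseen address authenticating as several accounts is the shape a credential-reuse intrusion takes.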