The Colonial Pipeline Attack: How a Single VPN Password Shut Down 5,500 Miles of Fuel Supply

It started with one compromised VPN password and zero multi-factor authentication. The result was 5,500 miles of fuel pipeline shut down for six days, 45% of the US East Coast's fuel supply disrupted, and over 16,000 petrol stations affected by shortages across 17 states.
The Colonial Pipeline attack in May 2021 is one of the most frequently cited ransomware incidents in history, and one of the most frequently misunderstood. The pipeline itself wasn't hacked at any point during the incident. The operational technology that controls fuel flow was never breached. What happened was simpler, and the simplicity is the point.
What everyone thinks happened
The headline version of this story goes something like this: sophisticated hackers attacked a fuel pipeline, shut it down, and held it to ransom. The word "pipeline" conjures images of attackers manipulating fuel flow, opening valves, or interfering with the physical infrastructure that carries refined petroleum products from Texas to New Jersey.
That version is wrong in almost every detail that actually matters.
DarkSide ransomware operators didn't attack the pipeline. They encrypted Colonial Pipeline's IT systems: the billing, accounting, and business network. The pipeline shutdown was Colonial's own decision, made because they couldn't confirm whether the attack had spread from IT to the operational technology (OT) network that controls the physical pipeline.
Joseph Blount, Colonial Pipeline's chief executive, explained the reasoning under oath during Senate testimony in June 2021. His words: "If there was one percent chance that that OT system was compromised, it was worth shutting the pipeline system down."
That distinction between IT compromise and precautionary OT shutdown is the entire story. Everything else that happened follows directly from that single point.
What actually happened
The initial access: a legacy VPN with no MFA
The earliest evidence of compromise dates to 29 April 2021. That date comes from Charles Carmakal, then the senior vice president and chief technology officer at FireEye Mandiant, who led the incident response investigation. During his testimony to the US House Committee on Homeland Security, Carmakal confirmed that a threat actor had "logged into a virtual private network (VPN) appliance using a legacy VPN profile and an employee's username and password."
The legacy VPN profile was a leftover from an earlier configuration. It wasn't intended for active use at the time of the breach. Colonial Pipeline's normal remote access system used RSA token authentication, which is a form of multi-factor authentication. But this particular VPN profile predated that requirement, and it accepted single-factor authentication: just a username and password.
The password itself wasn't weak by conventional standards. Carmakal described it as "relatively complex" with "length, special characters, and case set." The problem was credential reuse across multiple platforms. The employee had used the same password on another platform that had been breached at some earlier date. The credential subsequently appeared on the dark web in a breach dump. The attacker found it, tried it against the legacy VPN, and it worked.
That's how a ransomware group gained access to the IT network of a company that transports 100 million gallons of fuel per day and had invested over USD 200 million in IT systems over the previous five years.
The dwell time: eight days undetected
Between 29 April and 7 May, the attackers operated inside Colonial Pipeline's network. They moved laterally through the IT environment, escalated privileges, and exfiltrated approximately 100 gigabytes of data from shared drives in roughly two hours. The specific date of the data theft within that eight-day window has not been publicly confirmed, but the volume and speed tell you something about the network's monitoring capabilities during that period.
DarkSide operates on a double-extortion model with two distinct pressure points. Encrypting the victim's data is only half the operation. The other half is stealing data and threatening to publish it if the ransom isn't paid. The 100 gigabytes of stolen data gave them that leverage.
Ransomware deployment: 7 May 2021
On the morning of 7 May 2021, Colonial Pipeline staff discovered ransomware on the IT network. The DarkSide binary uses Salsa20 and RSA encryption, deletes shadow copies to prevent recovery, and terminates database engines, backup software, and productivity applications before encrypting files. CISA published a detailed malware analysis (MAR-10337802-1.v1) documenting the binary's behaviour, including its command-and-control domains and persistence mechanisms.
The ransomware did exactly what ransomware is designed to do. It locked the IT systems that run the business side of Colonial Pipeline: billing, invoicing, operational reporting. It didn't reach the systems that control the physical pipeline.
The precautionary shutdown
This is where the public narrative diverges from what actually happened.
Colonial Pipeline shut down its entire 5,500-mile pipeline system on 7 May 2021. That pipeline had operated continuously since 1962, with a brief pause only during the Y2K transition. The shutdown was not caused by ransomware locking pipeline controls. It was caused by Colonial's inability to confirm that the OT network was clean.
The IT and OT networks were connected in ways that Colonial couldn't immediately verify under the pressure of an active ransomware incident. If the attackers had moved from IT to OT, continuing to pump fuel could have created safety risks. Blount made the decision to shut down the pipeline as a precaution rather than risk even a small chance of OT compromise.
The CISA/FBI joint advisory (AA21-131A), published on 11 May 2021, confirmed: "At this time, there is no indication that the entity's operational technology (OT) networks have been directly affected by the ransomware."
The pipeline was never hacked at any point during the incident. The pipeline was shut down because the company couldn't prove it hadn't been hacked. That's a fundamentally different failure, and it points to a different set of problems.
The ransom payment
Colonial Pipeline paid approximately 75 bitcoins on 8 May 2021, one day after discovering the attack. At the time of payment, that was worth approximately USD 4.4 million. Blount testified that he made the decision to pay and to keep the payment confidential. He didn't consult the FBI beforehand, though he knew their official position opposed ransom payments.
He described the decision as "the hardest decision I have made in my 39 years."
The decryption tool Colonial received in exchange did work, but imperfectly. Blount's testimony is precise on this point: it "does work to some degree" but "it's not a perfect tool." Systems were still being remediated months after the attack. Paying the ransom didn't result in an instant recovery, and Colonial still had to restore systems through its own efforts and with the help of Mandiant, Dragos, and Black Hills Information Security.
The DarkSide payment split
The ransom did not go to a single entity. DarkSide operates as ransomware-as-a-service (RaaS), where the developers build and maintain the ransomware platform and affiliates carry out the actual attacks. The revenue split is based on ransom size: developers take 25% of payments under USD 500,000 and 10% of payments over USD 5 million.
For Colonial Pipeline's 75 bitcoin payment, approximately 85% (63.75 BTC) went to the affiliate who carried out the attack, and approximately 15% went to the DarkSide developers who built the platform.
The recovery
On 7 June 2021, the US Department of Justice announced the seizure of 63.7 bitcoins from the DarkSide affiliate's wallet. At the time of seizure, the bitcoin was worth approximately USD 2.3 million, less than the USD 4.4 million Colonial had paid because Bitcoin's trading price had fallen between the payment date and the seizure date.
This was the first operation of the DOJ's Ransomware and Digital Extortion Task Force. The seizure warrant was authorised by a magistrate judge in the Northern District of California.
The DarkSide developer's 15% share was not recovered. The net financial loss from the ransom was approximately USD 2.1 million, though that figure does not include the cost of incident response, remediation, legal fees, or the economic impact of six days without 45% of the East Coast's fuel.
Myth vs fact
Myth: Hackers attacked the pipeline and shut it down.
The ransomware only encrypted IT systems, not the pipeline controls. The pipeline shutdown was a precautionary decision by Colonial Pipeline's leadership because they couldn't confirm OT integrity. CISA, the FBI, and Blount's own testimony all confirm that operational technology was not breached.
Myth: This was a highly sophisticated attack.
The initial access vector was a stolen password on a legacy VPN profile with no multi-factor authentication. The credential had been reused from another breached platform and was available on the dark web. The password was complex, but complexity is irrelevant when the same credential appears in a public breach database. DarkSide is a professional ransomware operation with a well-built platform, but the entry point required no exploitation of a software vulnerability, no zero-day, and no advanced technique. It required nothing more than a valid username and password.
Myth: The ransom was paid and lost forever.
Colonial Pipeline paid approximately USD 4.4 million in bitcoin. The DOJ recovered approximately USD 2.3 million one month later by seizing the affiliate's wallet. The developer's share was not recovered, and the dollar value difference reflects Bitcoin's price decline during that period. But the claim that the ransom was simply "gone" is inaccurate.
Myth: Paying the ransom solved the problem.
The decryption tool DarkSide provided was functional but imperfect. Blount described it under oath as not "a perfect tool." Colonial was still remediating affected systems months after the initial attack. Organisations considering ransom payments should understand that receiving a decryptor doesn't equal recovery. The tool gives you a starting point, nothing more. The actual restoration of systems, data integrity verification, and security hardening is separate work that takes considerably longer.
Myth: DarkSide deliberately targeted critical infrastructure for maximum impact.
DarkSide's operators maintained a public-facing set of rules claiming they avoided hospitals, schools, non-profits, and government organisations. After the Colonial Pipeline attack generated massive political and law enforcement attention, the DarkSide operators stated publicly that the attack had been carried out by an affiliate and was not intended to cause societal disruption. On 13 May 2021, DarkSide announced they had lost access to their infrastructure and were shutting down operations. Whether this was genuine or a rebrand (security researchers later linked DarkSide to the BlackMatter ransomware operation) is a separate question, but the speed with which they shut down after attracting federal attention suggests the Colonial Pipeline attack exceeded what they had planned for.
What would have prevented this
Every prevention measure that follows traces directly to the CISA/FBI joint advisory and the Congressional testimony. None of them are novel or particularly advanced. All of them are well-established basic controls.
Multi-factor authentication on every VPN profile, including legacy ones. The compromised VPN profile accepted single-factor authentication. Colonial Pipeline's standard remote access used RSA tokens, but this legacy profile predated that requirement. Any form of MFA (hardware token, time-based one-time password, push notification) would have blocked the attacker from using the stolen credential. MFA doesn't make credentials unbreachable on its own. It makes stolen credentials unusable without a second factor, and that's exactly the scenario that played out here.
Decommissioning unused accounts and access profiles would have closed the entry point entirely. The legacy VPN profile was "not intended for active use." It existed simply because nobody had ever removed it. Account lifecycle management, the process of reviewing, disabling, and removing accounts and access profiles that are no longer needed, would have eliminated this entry point entirely. The attacker couldn't have logged in to a profile that didn't exist.
Credential monitoring would have detected the stolen VPN password in circulation. The employee's password appeared in a dark web breach database. Services that monitor for exposed credentials and alert organisations when their employees' passwords appear in known breaches would have flagged this before the attacker used it. The eight-day window between initial access and ransomware deployment was also eight days during which the credential could have been identified as compromised, had monitoring been in place.
Verified IT/OT segmentation would have prevented the precautionary shutdown entirely. The pipeline shutdown was precautionary because Colonial couldn't confirm that the IT compromise hadn't reached the OT network. If the segmentation between IT and OT had been verified, tested, and continuously monitored, Colonial could have confirmed OT integrity without shutting down the pipeline. The inability to answer "is OT clean?" under pressure is what turned an IT ransomware event into a national fuel crisis that affected millions of people.
Network monitoring and anomaly detection could have caught the breach during the eight-day dwell period. The attackers operated inside the network for eight days. They exfiltrated 100 gigabytes of data in approximately two hours. Both of those facts represent detection opportunities that were missed entirely. Monitoring for unusual VPN access patterns, large-volume data transfers, and lateral movement within the IT network could have identified the breach before the ransomware was deployed.
Offline backup and recovery planning would have reduced Colonial's dependence on the decryptor. The decryption tool was imperfect and remediation took months. Organisations with tested, offline backups and documented recovery procedures have an alternative path that does not depend on whether the attacker provides a working decryptor.
The uncomfortable truth is that every one of these controls is well understood, widely available, and relatively inexpensive to implement compared to the cost of an incident. The entire attack chain, from initial access through to the six-day pipeline shutdown, traces back to a single credential on a single legacy VPN profile that lacked a single additional authentication factor.
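As an added example (not code from this article, and not anything from Colonial Pipeline's environment), the controls described above expressed as a small Python audit: it flags single-factor and long-idle VPN profiles in a constructed inventory, then runs two detections over constructed log lines, a login on a profile that has been dormant for months and an outbound transfer far above a byte threshold. The profile names, users, addresses, log format and thresholds are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed inventory of VPN access profiles (assumed, not real data).
# "last_login" is the last successful use recorded before the log window below.
PROFILES = {
    "remote-std":  {"mfa": True,  "last_login": "2021-04-28"},
    "legacy-2018": {"mfa": False, "last_login": "2019-02-11"},
    "contractor":  {"mfa": True,  "last_login": "2020-09-30"},
}
AUDIT_AS_OF = datetime(2021, 4, 28)  # date the inventory review is run

# Constructed VPN authentication and flow-summary lines in an assumed key=value format.
VPN_LOG = """\
2021-04-29T03:12:44Z event=vpn_login profile=legacy-2018 user=jdoe src=203.0.113.7
2021-04-29T09:13:02Z event=vpn_login profile=remote-std user=asmith src=198.51.100.4
2021-05-01T02:10:00Z event=flow_summary profile=legacy-2018 user=jdoe bytes_out=107374182400 minutes=120
2021-05-01T10:00:00Z event=flow_summary profile=remote-std user=asmith bytes_out=52428800 minutes=60
"""

GIB = 1024 ** 3
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a timestamp plus its key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def audit_profiles(profiles, as_of, stale_days=90):
    """Account-lifecycle check: single-factor profiles need MFA; profiles idle
    longer than stale_days should be disabled rather than left in place."""
    findings = []
    for name, p in profiles.items():
        idle = as_of - datetime.strptime(p["last_login"], "%Y-%m-%d")
        if not p["mfa"]:
            findings.append((name, "single-factor profile: require MFA"))
        if idle > timedelta(days=stale_days):
            findings.append((name, f"unused for {idle.days} days: decommission"))
    return findings


def detect(log, profiles, dormant_days=90, bytes_limit=10 * GIB):
    """Detection pass: a login on a long-dormant profile and a large outbound
    transfer are both signals that existed during an eight-day dwell period."""
    alerts = []
    for line in log.splitlines():
        ev = parse_line(line)
        prof = profiles.get(ev["profile"])
        if ev["event"] == "vpn_login" and prof:
            last = datetime.strptime(prof["last_login"], "%Y-%m-%d")
            if ev["ts"] - last > timedelta(days=dormant_days):
                alerts.append(("dormant_profile_login", ev["profile"], ev["user"]))
        elif ev["event"] == "flow_summary" and int(ev["bytes_out"]) > bytes_limit:
            alerts.append(("large_egress", ev["profile"], int(ev["bytes_out"]) // GIB))
    return alerts


if __name__ == "__main__":
    for f in audit_profiles(PROFILES, AUDIT_AS_OF):
        print("AUDIT", *f)
    for a in detect(VPN_LOG, PROFILES):
        print("ALERT", *a)
```

In a real deployment the inventory would come from the VPN appliance's configuration export and the log lines from its syslog feed; the point is that both checks need only data the appliance already holds.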
What changed after
Executive Order 14028
Five days after the attack, on 12 May 2021, President Biden signed Executive Order 14028, "Improving the Nation's Cybersecurity." The order wasn't solely a response to Colonial Pipeline, but the timing wasn't coincidental. Key requirements included mandatory migration to zero trust architecture for federal systems, multi-factor authentication mandated across federal networks, Software Bill of Materials (SBOM) requirements for software sold to the federal government, endpoint detection and response (EDR) deployment across federal civilian networks, and a standardised incident response playbook.
TSA pipeline security directives
Before Colonial Pipeline, there were no mandatory cybersecurity requirements for pipeline operators. The Transportation Security Administration (TSA) had published voluntary guidelines, but compliance was optional.
That changed almost immediately after the pipeline went down. In late May 2021, TSA issued Security Directive Pipeline-2021-01, requiring pipeline operators to designate a cybersecurity coordinator available to TSA around the clock, report cybersecurity incidents to CISA, and assess their security posture against TSA guidelines. In July 2021, TSA followed with Pipeline-2021-02, which imposed specific mitigation measures against ransomware, required cybersecurity contingency and recovery plans, and mandated architecture design reviews. These directives were renewed and updated in 2022 and 2023.
DarkSide shutdown and evolution
On 13 May 2021, six days after the attack, DarkSide operators announced they had lost access to their infrastructure and were closing their service. Affiliates complained on underground forums about unpaid earnings. Security researchers assessed this as a rebrand rather than a genuine shutdown, with DarkSide linked to the later BlackMatter ransomware operation.
Blockchain analysis by Elliptic showed that DarkSide had collected over USD 90 million in ransom payments from approximately 47 victims during its nine months of operation. The developer's cut came to roughly USD 15.5 million in total. The remaining USD 74.7 million was distributed across the various affiliates.
The bounty
In November 2021, the US State Department's Rewards for Justice programme offered up to USD 10 million for information leading to the identification or location of DarkSide leadership, and up to USD 5 million for information leading to the arrest of anyone participating in a DarkSide ransomware incident.
CISA institutional response
CISA created stopransomware.gov as a centralised resource hub, established the Joint Ransomware Task Force with the FBI, launched the Joint Cyber Defence Collaborative to bring together industry and government, expanded the CyberSentry programme for OT network threat detection, and published the Cybersecurity Performance Goals framework. CISA and TSA convened over 25 major pipeline operators in the wake of the attack.
The gap that matters
Colonial Pipeline had invested over USD 200 million in IT systems over the five years preceding the attack. The board, according to Blount's testimony, "never denied us any opportunity to spend what we need" on security. This was not an organisation that underinvested in technology.
The attack succeeded through a legacy VPN profile that no one had decommissioned, a reused password that appeared in a dark web breach database, and the absence of multi-factor authentication on that single access point. The cost of the controls that would have prevented initial access is a rounding error compared to USD 200 million.
For anyone responsible for network security, the question this raises is specific. It isn't whether your primary VPN requires MFA. It's whether every access path into your network requires MFA, including the legacy profiles, the test accounts, the service accounts, and the access points that were set up three years ago and never reviewed. The Colonial Pipeline attack didn't exploit a vulnerability in the traditional sense. It walked through a door that should have been locked, and found that nobody had checked whether it was.