Living Through the Colonial Pipeline Hack


My wife crept into an oncoming traffic lane as she avoided a queue of cars crowding a three-lane highway in Durham, North Carolina. A pile of cars jostled for position, playing chicken with each other as they attempted to get into one of the few remaining gas stations with fuel. Immediately, memories of people walking out of stores with shopping carts overflowing with toilet paper from early in the pandemic came back. Some drivers brought the same energy and were filling jerrycans with gasoline. A Florida man had his H2 Hummer burst into flames after trying such an idea. This was 36 hours after the Colonial Pipeline was shut down by the ransomware gang Darkside. At that time 30% of gas stations were empty. In two days that number would be 70%. This was the first cyberattack that had an earnestly visible effect on my life. Sure, my passwords have leaked and a credit card or two have been stolen, but those were personal inconveniences. This was different. This affected everyone. My sister-in-law worried about her son being able to get home that night; he always drove around on empty. She turned to me and asked, “What the heck happened? Where is the gas? How do you steal a pipeline?”


At the time, we didn’t really know what had happened beyond a ransomware attack against the largest fuel pipeline on the East Coast. The Colonial Pipeline stretches from Texas to New Jersey, covering around 5,000 miles and supplying 45% of the fuel to the eastern seaboard. On any given day around 270 million dollars’ worth of fuel flows through the Colonial Pipeline. All of this was brought to a screeching halt. So where did this start? It likely started with a poorly written email. Many ransomware attacks start with a phishing attack: a malicious email sent to a company to lure people to a compromised website where additional malware is downloaded. Once inside, the real work begins, as the attackers map the company’s network architecture, seeing what they can access and, more importantly, what they can do with it. Depending on how the company’s network is structured, specifically how well isolated its sensitive data is, the attackers may lie in wait, spreading from system to system, until valuable data is found. Once a leverage point has been located, the malware infecting the network is activated, encrypting the data and leaving only a ransom demand and some contact info. The ransom in this case was a two-fold threat: one, pay us or you lose control of your pipeline; two, pay us more within “X” amount of time or we dump your company’s data on the web. That’s the situation Colonial Pipeline found itself in. It would be easy to let the panic set in at that moment, but if you take a breath and look around you’ll find bigger forces at play.
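The encrypt-and-extort sequence above is what a defender has to spot on the endpoint before the ransom note appears on every screen. The following Python script is an added example, not code from the original post or from CybelAngel: it scans constructed file-activity log lines for a burst of extension-changing renames across several directories, followed by a newly created note file in one of those directories. The log format, field names and thresholds are assumptions made for the example.

```python
"""Ransomware-behaviour detector over host file-activity events (added example).

Looks for the pattern described in the post: many files renamed to one new
extension in a short burst, across more than one directory, then a note file
dropped where the renames happened. Event format and thresholds are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Tunable thresholds (assumed values, not from the post).
WINDOW = timedelta(seconds=60)   # burst window for extension changes
MIN_RENAMES = 5                  # extension changes in one window to flag
NOTE_NAME = re.compile(r"(readme|decrypt|restore|recover)", re.IGNORECASE)

# Constructed sample log: "<iso-ts> <host> <action> <path>[ -> <new-path>]".
SAMPLE_LOG = [
    "2021-05-07T03:10:01 ws-finance-07 rename /srv/share/finance/q1.xlsx -> /srv/share/finance/q1.xlsx.locked",
    "2021-05-07T03:10:02 ws-finance-07 rename /srv/share/finance/q2.xlsx -> /srv/share/finance/q2.xlsx.locked",
    "2021-05-07T03:10:04 ws-finance-07 rename /srv/share/finance/budget.docx -> /srv/share/finance/budget.docx.locked",
    "2021-05-07T03:10:05 ws-finance-07 rename /srv/share/hr/payroll.csv -> /srv/share/hr/payroll.csv.locked",
    "2021-05-07T03:10:07 ws-finance-07 rename /srv/share/hr/contracts.pdf -> /srv/share/hr/contracts.pdf.locked",
    "2021-05-07T03:10:09 ws-finance-07 rename /srv/share/hr/reviews.docx -> /srv/share/hr/reviews.docx.locked",
    "2021-05-07T03:10:15 ws-finance-07 create /srv/share/finance/README_TO_RESTORE.txt",
    # Benign activity on another host: one rename and a README in an untouched directory.
    "2021-05-07T09:00:00 ws-dev-02 rename /home/dev/build.tmp -> /home/dev/build.log",
    "2021-05-07T09:00:05 ws-dev-02 create /home/dev/project/README.md",
]


def parse_event(line):
    """Parse one log line into a dict; new_path is None for non-rename events."""
    ts, host, action, rest = line.split(" ", 3)
    old, _, new = rest.partition(" -> ")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "action": action, "path": old, "new_path": new or None}


def extension(path):
    return PurePosixPath(path).suffix.lower()


def parent(path):
    return str(PurePosixPath(path).parent)


def score_host(events):
    """Return the indicators found in one host's time-ordered events."""
    findings = {"mass_rename": None, "ransom_notes": []}
    renames = [e for e in events
               if e["action"] == "rename" and e["new_path"]
               and extension(e["new_path"]) != extension(e["path"])]
    # Sliding window over extension-changing renames, grouped by the new extension.
    for i, start in enumerate(renames):
        window = [e for e in renames[i:] if e["ts"] - start["ts"] <= WINDOW]
        by_ext = defaultdict(list)
        for e in window:
            by_ext[extension(e["new_path"])].append(e)
        for ext, hits in by_ext.items():
            dirs = {parent(e["path"]) for e in hits}
            if len(hits) >= MIN_RENAMES and len(dirs) >= 2:
                best = findings["mass_rename"]
                if best is None or len(hits) > best["count"]:
                    findings["mass_rename"] = {"ext": ext, "count": len(hits),
                                               "dirs": sorted(dirs)}
    # Ransom note: a new file with a tell-tale name in a directory that saw renames.
    touched = {parent(e["path"]) for e in renames}
    for e in events:
        if (e["action"] == "create"
                and NOTE_NAME.search(PurePosixPath(e["path"]).stem)
                and parent(e["path"]) in touched):
            findings["ransom_notes"].append(e["path"])
    return findings


def detect(lines):
    """Map host -> findings for every host showing at least one indicator."""
    by_host = defaultdict(list)
    for line in lines:
        e = parse_event(line)
        by_host[e["host"]].append(e)
    alerts = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        f = score_host(events)
        if f["mass_rename"] or f["ransom_notes"]:
            alerts[host] = f
    return alerts


if __name__ == "__main__":
    for host, f in detect(SAMPLE_LOG).items():
        print(host, f)
```

Requiring both a burst across several directories and a note file keeps a single backup job or a developer renaming build artifacts from tripping the alert; in a real deployment the thresholds would be tuned to the host's normal file activity.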


Ransomware that cripples major economic infrastructure tends to raise three questions: Was this an act of war? Was this just criminal activity? What were they really after? Being able to shut down 45% of fuel to some of the most populous regions in the United States would be a highly effective attack during a war. It would halt military, federal, state and city services as fuel supplies dwindle. This did occur in North Carolina and in the District of Columbia, home to the seat of the US government. Trash services halted for lack of fuel, schools shut down as school buses sat empty, and people stayed home, conserving as much fuel as possible. According to many cybersecurity analysts, and to the ransomware gang Darkside themselves, this wasn’t an attempt to damage infrastructure. It wasn’t an overt act of war. Just criminals out to get some money. Darkside requested 75 bitcoin, roughly five million US dollars, to restore operations to the Colonial Pipeline. To an individual that is a lot of money, but in the grand scheme of things, it’s not. Colonial Pipeline is worth $15 billion and ships $270 million worth of fuel daily, so paying five million to get back online is pretty cheap. And that is where things don’t make sense. Why accept so little? Perhaps the ransom payment and cyberattack were only the means, not the end in itself.


An effective way to hide one crime is to commit another, flashier crime. The Kentucky Shelton Boys gang knew this, and it was their modus operandi. One group of Shelton Boys would locate and firebomb their rivals’ favorite bar, and while their rivals and the police were putting out the fire, a second group of Shelton Boys would rob warehouses of all the valuable goods. It is possible Darkside was doing something similar to make even more money via stock and futures manipulation. If you know a stock or commodity is going to drop, you can short it and pocket huge sums of money; the same goes if you know it’s going to rise. If 45% of all the gasoline on the East Coast is suddenly held hostage, what happens to the price and futures? If you guessed that the value of oil and gas went up, pat yourself on the back. Cyberattacks are great creators of F.U.D.: fear, uncertainty and doubt. These emotions can directly affect demand and thus a company’s stock price. If you want to short a company, a cyberattack would be highly effective in lowering the stock price for a short while. If you want to raise the price of a commodity, preventing its distribution would be highly effective. Profiting on the stock market is easy if you have inside knowledge. It would also explain, in part, why some companies seem to get off cheap.


Cheap is a relative value. While Colonial Pipeline made the right choice in paying the ransom, doing so serves as a call to action. Ransomware gangs keep doing this because it works! To stop it, you need to prevent it or make it unprofitable. Making crime unprofitable has not worked well in the history of law enforcement. So that leaves companies with prevention. The biggest hurdle ransomware gangs face is the research phase: identifying an easy target. Ransomware gangs spend time collecting massive amounts of data on their subjects, looking for unprotected assets exposed via suppliers, data centers, connected devices, documents, etc. By locating these items first and securing them, a company can severely blunt a ransomware gang’s effectiveness. CybelAngel is the world-leading digital risk protection platform that detects and resolves external threats before they wreak havoc. As more data is shared, processed, or stored outside the firewall on cloud services, open databases, and connected devices, the digital risk to enterprises has never been greater. CybelAngel is able to discover, monitor, and resolve external threats across all layers of the Internet, keeping enterprises’ critical assets, brand, and reputation secure. See how we can help here.