Anatomy of a Breach: Colonial Pipeline — The Ransomware Attack That Shut Down America's Fuel Supply

> series: anatomy_of_a_breach —— part: 149 —— target: colonial_pipeline —— fuel: 45%_of_us_east_coast —— ransom: $4,400,000 —— consequence: fuel_shortage

Hedgehog Security 31 May 2021 15 min read

45% of America's East Coast fuel. Shut down. By ransomware. For six days.

On 7 May 2021, Colonial Pipeline — the largest refined fuel pipeline in the United States, transporting 2.5 million barrels per day and supplying approximately 45% of the fuel consumed on the East Coast — shut down its entire 5,500-mile pipeline system after DarkSide ransomware encrypted its billing and IT systems. The company stated it shut down the pipeline as a precautionary measure because it could not bill customers for fuel delivered — demonstrating that ransomware against IT systems can halt physical operations even when the operational technology (OT) systems are not directly compromised.

The consequences were immediate and severe: fuel shortages spread across the southeastern US, panic buying emptied petrol stations, the average price of fuel rose above $3 per gallon for the first time since 2014, and the Federal Motor Carrier Safety Administration issued an emergency declaration allowing fuel tanker drivers to work extended hours. Colonial Pipeline paid the $4.4 million ransom in Bitcoin within hours of the attack. The initial access was later traced to a compromised password on an inactive VPN account that did not use multi-factor authentication. President Biden issued an Executive Order on Improving the Nation's Cybersecurity in direct response.


A compromised VPN password. No MFA. $4.4 million ransom. National fuel crisis.

One Compromised Password, No MFA

The initial access was through a compromised password on a legacy VPN account that was no longer in active use — but had not been disabled — and did not have MFA enabled. A single credential, without MFA, gave attackers access to the network of America's largest fuel pipeline. <a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates MFA on all remote access and requires that unused accounts are disabled. This single control would have prevented the entire incident.
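
As an added example (not the article's or Hedgehog Security's code), the following Python check flags the two conditions described above across a constructed list of remote-access accounts: an enabled account with no MFA, and an enabled account that has gone unused past an inactivity limit. The account names, the 90-day limit and the audit function are assumptions for illustration.

```python
# Added example: audit remote-access (VPN) accounts for the two weaknesses behind
# the Colonial Pipeline initial access: an account left enabled although no longer
# used, and an account without MFA. Account data and policy values are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class RemoteAccount:
    username: str
    enabled: bool
    mfa_enabled: bool
    last_login: Optional[date]  # None means the account has never logged in

# Hypothetical policy value; a real programme takes this from its own standard.
INACTIVITY_LIMIT = timedelta(days=90)

def audit_remote_access(accounts: List[RemoteAccount], today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for enabled accounts that lack MFA or
    have not logged in within INACTIVITY_LIMIT. Disabled accounts are skipped,
    because disabling is exactly the remediation the check is asking for."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if not acct.mfa_enabled:
            findings.append((acct.username, "remote access without MFA"))
        stale = acct.last_login is None or (today - acct.last_login) > INACTIVITY_LIMIT
        if stale:
            findings.append((acct.username, "enabled but inactive; should be disabled"))
    return findings

# Constructed sample accounts, not real Colonial Pipeline data.
SAMPLE_ACCOUNTS = [
    RemoteAccount("j.smith", True, True, date(2021, 5, 3)),
    RemoteAccount("legacy-vpn", True, False, date(2020, 9, 14)),  # the Colonial pattern
    RemoteAccount("contractor7", True, False, date(2021, 4, 30)),
    RemoteAccount("old-admin", False, False, date(2019, 1, 2)),   # already disabled
    RemoteAccount("svc-never", True, True, None),
]

def run_sample_audit() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample as of 7 May 2021."""
    return audit_remote_access(SAMPLE_ACCOUNTS, date(2021, 5, 7))

if __name__ == "__main__":
    for user, finding in run_sample_audit():
        print(f"{user}: {finding}")
```
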
IT Ransomware Halted Physical Operations

Colonial's pipeline OT systems were not encrypted — the company shut down the pipeline because its billing systems were offline. Ransomware against IT systems can halt physical operations when IT and OT processes are interdependent. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses IT/OT dependencies and the operational impact of IT system loss.

$4.4M Paid — $2.3M Recovered

Colonial paid $4.4 million within hours. The DOJ later recovered approximately $2.3 million by seizing the Bitcoin wallet — a rare success enabled by law enforcement's ability to trace the cryptocurrency. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response including ransom negotiation guidance and law enforcement liaison.

Presidential Executive Order

The Colonial Pipeline attack prompted a US presidential Executive Order mandating cybersecurity improvements including MFA, encryption, zero-trust architectures, and software supply chain security for federal agencies and their contractors. For UK organisations in the defence supply chain or operating critical infrastructure, the US executive order's requirements increasingly influence <a href="/blog/sector-under-the-microscope-defence-supply-chain">UK standards</a>.

Colonial Pipeline runs on the same technology as UK critical infrastructure.

The Colonial Pipeline attack is directly relevant to UK energy, water, transport, and other critical infrastructure operators. The attack vector — a compromised VPN credential without MFA — exists in critical infrastructure networks worldwide. The operational impact — IT ransomware halting physical operations through process interdependency — applies wherever IT and OT systems are connected. And the societal consequence — fuel shortages affecting millions of people — demonstrates the cascading impact of critical infrastructure disruption.

Cyber Essentials Danzell mandates MFA on remote access and disabling of unused accounts — the two controls that would have prevented Colonial. Our infrastructure testing assesses VPN security, IT/OT boundaries, and operational resilience. SOC in a Box monitors for VPN compromise and lateral movement. And UK Cyber Defence provides the crisis management capability for critical infrastructure incidents.

One password. No MFA. National fuel crisis. Would your critical infrastructure survive the same?

<a href="/cyber-essentials">Cyber Essentials</a> mandates MFA on all remote access. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> assesses VPN and OT security. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects ransomware deployment.
