Tags: ransomware, darkside, infrastructure

Colonial Pipeline

A single VPN password on an account with no second factor shut down the pipeline that carries roughly 45 percent of the fuel consumed on the US East Coast.

Cyber Chronicle

In May 2021, the Colonial Pipeline, the largest refined-products pipeline in the United States, stopped pumping. For nearly a week, gas stations across the Southeast and mid-Atlantic papered over their pumps with plastic bags while drivers panic-bought fuel and, in some cases, filled trash cans.

A leaked password

The intrusion did not require an elite operation. Investigators traced it to a single set of credentials: the username and password of a legacy VPN account that was no longer in active use but still accepted logins, had no second factor, and whose password had turned up in a batch of leaked credentials on the dark web, most likely reused from an earlier, unrelated breach.

The attackers were a Russian-speaking ransomware-as-a-service group called DarkSide. They never touched the pipeline's operational technology directly. They stole data for double extortion and then encrypted the IT side: billing, scheduling, the office machinery of running a continent-scale pipeline. Colonial shut down the pipeline itself as a precaution, both to keep the intrusion from spreading toward OT and because, with billing down, it could not properly account for the fuel it moved.
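The failure chain in that paragraph is checkable. Below is an added example, not Colonial's or any vendor's tooling, of the two controls that would have broken it: a compromised-password check using the k-anonymity range-query pattern (only the first five hex characters of the SHA-1 are used to select a range, the suffix comparison stays local), and an account audit that flags VPN accounts with no MFA or no recent login. The breach corpus, account names, dates and passwords are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class VpnAccount:
    """One remote-access account as exported from a VPN user list (constructed)."""
    username: str
    mfa_enabled: bool
    last_login: Optional[date]  # None means no login on record


# Constructed stand-in for a breach corpus. A real deployment would query a
# k-anonymity range API or a local copy of a leaked-hash set; these three
# plaintexts are assumed, for the example only, to have appeared in dumps.
_ASSUMED_LEAKED = {"Spring2021!", "password123", "Welcome1"}
BREACH_RANGES: Dict[str, Set[str]] = {}
for _pw in _ASSUMED_LEAKED:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    BREACH_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def password_is_leaked(candidate: str,
                       ranges: Dict[str, Set[str]] = BREACH_RANGES) -> bool:
    """k-anonymity check: the 5-char SHA-1 prefix selects a range, the suffix
    is compared locally, so the full hash never has to leave the host.
    Run this when a password is set or changed, not against stored hashes."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in ranges.get(prefix, set())


def audit_accounts(accounts: List[VpnAccount], today: date,
                   dormant_after_days: int = 90) -> Dict[str, List[str]]:
    """Flag every account that lacks a second factor or has not logged in
    within dormant_after_days. Returns {username: [issue, ...]} for accounts
    with at least one issue."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        if not acct.mfa_enabled:
            issues.append("no_mfa")
        if acct.last_login is None or (today - acct.last_login).days > dormant_after_days:
            issues.append("dormant")
        if issues:
            findings[acct.username] = issues
    return findings


def colonial_profile(findings: Dict[str, List[str]]) -> List[str]:
    """Accounts that are both dormant and unprotected by MFA: the exact
    profile of the legacy account used in the intrusion. Disable these first."""
    return sorted(u for u, issues in findings.items()
                  if "no_mfa" in issues and "dormant" in issues)


# Constructed sample directory export, dated to the week of the incident.
INCIDENT_DATE = date(2021, 5, 7)
SAMPLE_ACCOUNTS = [
    VpnAccount("legacy-vpn", mfa_enabled=False, last_login=date(2021, 1, 15)),
    VpnAccount("ops-oncall", mfa_enabled=True,  last_login=date(2021, 5, 6)),
    VpnAccount("contractor", mfa_enabled=False, last_login=date(2021, 5, 1)),
    VpnAccount("svc-backup", mfa_enabled=True,  last_login=None),
]

if __name__ == "__main__":
    findings = audit_accounts(SAMPLE_ACCOUNTS, today=INCIDENT_DATE)
    for user, issues in findings.items():
        print(f"{user}: {', '.join(issues)}")
    print("disable first:", colonial_profile(findings))
    print("Spring2021! already leaked?", password_is_leaked("Spring2021!"))
```

The dormancy window (90 days) is an assumption; the point is that an account nobody has used in months and that accepts a bare password is a standing invitation, whatever the threshold. The password check belongs at password-set time, which is why it takes a candidate string rather than a stored hash.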

The receipts come back

Colonial paid 75 bitcoin, roughly 4.4 million dollars at the time. Within a week DarkSide announced that it had lost access to its servers and that some of its funds had been drained, and it closed up shop. About a month after the attack the Justice Department announced it had recovered 63.7 of the 75 bitcoin (worth about 2.3 million dollars by then) by following the funds across the blockchain and obtaining the private key for the wallet they had landed in. In the way of ransomware groups, several of the same operators reappeared under new branding, BlackMatter, within months.

What the chronicle remembers

Colonial was the incident that made ransomware a national security issue rather than a corporate IT issue; within weeks the TSA issued its first mandatory cybersecurity directives for pipeline operators. It also exposed how thin the membrane is between boring credential hygiene and a queue of trucks at an empty gas station.