The Colonial Pipeline Hack Timeline and How Ransom Funds were Seized
An easy to understand guide from a cyber security/infosystems major
The Colonial Pipeline Hack
On May 7, 2021 Colonial Pipeline Company had its systems hacked.
Essentially, they went offline, waited an arguably long time to contact federal agencies, and released a public statement that they were the victims of a ransomware attack by Darkside (a cybercriminal group). Ransomware is when a company’s digital property is encrypted (made unreadable) until a monetary demand is met. BTC (Bitcoin) is a cryptocurrency, or digital currency. It’s very popular in ransomware attacks because it can be very difficult to trace. Over the next two days they slowly began inspecting the surrounding sites and bringing the smaller systems back online. By Wednesday May 12, 2021 Colonial Pipeline Company was back up and running with pipeline operations.

Here’s where things get weird
Did you notice that their timeline says nothing about how the systems were regained? Why wouldn’t they provide that information when such a serious event has taken place? Did you also notice I said there was too long a gap between discovering the ransomware and notifying the feds? Possibly because they didn’t want you to know they paid the ransom, and they were initially very secretive about the details of the attack, even with the federal agencies they contacted for help.
There is always a strong effort to avoid giving in to the demands of those who put our lives and livelihoods at risk, because paying invites them to raise their demands and encourages other groups to join in. In the case of the Colonial Pipeline Hack, the ransom was paid by the company itself. In fact, almost 5 million dollars was paid. That works out to about 75 BTC.
The federal government, though informed of the process, maintains that it had nothing to do with the decision to pay Darkside. They say this was a decision made by Colonial Pipeline Company alone. It did strike me as strange that they were very vague about when the payment was made; this was stated to be confidential information. However, it later came out that the payment was made on May 8, 2021, just one day after the attack.
How did it happen?
One single compromised password.
That’s all it took to encrypt all of Colonial Pipeline Company’s data. Darkside got into the network through a virtual private network (VPN) using the existing credentials of an account that should have been deleted. The worst part is that the password came from an earlier breach whose data was used and sold on the dark web. The hackers themselves are assumed to be from Russia.
This is why you should change your password often, use multi-factor authentication when possible, and use strong, non-dictionary combos, people! It can literally take down a multi-billion dollar industry when you lazily choose passwords. Because I care about you, here are ways to make better password decisions.
Essentially, Darkside used those credentials to quickly encrypt everything, then sent a demand for the amount of BTC they wanted. Unable to decrypt the data, Colonial Pipeline Company was stuck between a rock and a hard place. If it makes you feel any better, that VPN account is now deactivated, and measures have been taken to detect unusual activity within their network so that, hopefully, the next incident is stopped in its tracks.
Ultimately, Colonial Pipeline Company paid about $4.4 million in BTC.
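As an added example (not code from the original post, and not Colonial Pipeline’s own tooling), here is a small Python audit of VPN authentication logs that flags the two weaknesses described above: a successful login to an account that should already have been deactivated, and a login that completed without multi-factor authentication. The log format, account roster, timestamps and addresses are all constructed for this example.

```python
# Added example: audit VPN authentication logs for the failure pattern behind
# the Colonial Pipeline breach (dormant account still able to log in, no MFA).
# The log line format, roster and addresses below are constructed, not real.
import re

# Constructed account roster: whether the account is still active and
# whether MFA is enforced on it.
ROSTER = {
    "jsmith":  {"active": True,  "mfa": True},
    "rlopez":  {"active": True,  "mfa": False},
    "old_vpn": {"active": False, "mfa": False},  # left behind after offboarding
}

# Constructed log lines: "timestamp user=... result=... mfa=... src=..."
SAMPLE_LOG = """\
2021-01-15T08:02:11Z user=jsmith result=success mfa=yes src=203.0.113.5
2021-01-15T09:15:43Z user=rlopez result=success mfa=no src=203.0.113.9
2021-01-15T22:41:02Z user=old_vpn result=failure mfa=no src=198.51.100.77
2021-01-15T22:41:30Z user=old_vpn result=success mfa=no src=198.51.100.77
2021-01-15T23:05:10Z user=ghost result=success mfa=yes src=198.51.100.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>yes|no) src=(?P<src>\S+)$"
)

def audit_vpn_log(log_text, roster):
    """Return a list of (timestamp, user, reason) findings for risky logins."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue  # failed attempts are noise for this check; only successes matter
        user = m["user"]
        entry = roster.get(user)
        if entry is None:
            findings.append((m["ts"], user, "login by account not in roster"))
            continue
        if not entry["active"]:
            findings.append((m["ts"], user, "login to deactivated account"))
        if m["mfa"] == "no":
            findings.append((m["ts"], user, "login without MFA"))
    return findings

if __name__ == "__main__":
    for ts, user, reason in audit_vpn_log(SAMPLE_LOG, ROSTER):
        print(f"{ts} {user}: {reason}")
```

In practice the roster would come from the identity provider or HR system, so that an account which is offboarded there but still enabled on the VPN is caught the first time it authenticates.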
How did it end?

Cybersecurity experts traced the wallet (the digital account location for Bitcoin) to a server in Northern California, and recovered the funds using the wallet’s private key (similar to a password), which was already in the hands of the FBI. A warrant was obtained to seize the ransom money.
There is still lots of speculation as to how the federal government had the private key to the wallet, but without it they would not have been able to recover the $2.27 million in BTC that was retrieved.
President Biden signed an executive order to increase cybersecurity responsibilities as well as tighten the timeline in which companies contracted with the federal government have to inform the government of cyber attacks.
The takeaway
That’s not what hacking actually looks like.
What you should know is that Colonial Pipeline Company failed to terminate an inactive VPN account that a cybercriminal group, Darkside, had access to through leaked dark web records. Darkside encrypted Colonial Pipeline Company’s data with ransomware, and against the advice of the government Colonial Pipeline Company paid a roughly $5 million ransom in the form of BTC. The wallet was tracked down to a server in Northern California, and a warrant was obtained to regain about half of the ransomed BTC using a private key for the hackers’ Bitcoin wallet that seems to have fallen out of the sky. Nobody knows how the private key was obtained, but it’s the only reason part of Colonial’s ransom could be seized. President Biden signed a new executive order forcing government contractors to inform the federal government of ransomware attacks within hours. This incident is still being investigated. Russia was in some way involved, but we are unsure whether the Russian government had anything to do with it. Many questions remain unanswered, but hopefully this will be one hard lesson that cybersecurity in this day and age is key.