The May 2021 attack that prompted Colonial Pipeline to shut down its 5,500-mile pipeline, cutting off nearly half the fuel supply to the U.S. east coast for the better part of a week, is just one ominous example, because as modern ransomware attacks go, this one was fairly standard.
DarkSide, a ransomware-as-a-service group reportedly operating in Russia, didn’t just encrypt data. They stole it as well, which puts more pressure on victims to pay since there’s a threat of intellectual property and private customer information going public.
But the group attacked the company’s IT network rather than the more sensitive operational technology (OT) networks that control the pipeline. That gave a measure of credibility to DarkSide’s claim a few days later that, as Reuters put it, they were out for “cash, not chaos.” In a statement posted on its website, the group said, “our goal is to make money, and not creating [sic] problems for society.”
They added that the group is “apolitical” and should not be linked with any government.
Still, the attack created problems well beyond the ransom Colonial ended up paying—a reported US$4.4 million—although the Department of Justice announced June 7 that it had been able to recover about US$2.3 million of that by tracing and seizing the bitcoin wallet used by the hackers.
But at the time, the company shut down the pipeline “out of an abundance of caution” since it didn’t know if the attackers had penetrated its OT systems.