
Colonial Pipeline — When Billing Shut Down the Fuel

Colonial Pipeline, supplying 45% of the US East Coast's fuel, shut down for 6 days after ransomware encrypted its billing systems. The pipeline itself was never attacked — the company couldn't bill for fuel it delivered.

Root Cause

Attackers used a compromised VPN account credential that lacked multi-factor authentication. DarkSide ransomware encrypted billing and business systems. Colonial shut the pipeline because they couldn't meter and bill for fuel — not because the pipeline control systems were compromised.

Aftermath

Colonial paid $4.4 million in Bitcoin ransom (the DOJ later recovered $2.3 million). Fuel shortages and panic buying followed across the southeastern United States. The incident led to TSA security directives for pipeline operators and accelerated federal critical infrastructure cybersecurity mandates.

The Incident

On May 7, 2021, Colonial Pipeline Company — operator of the largest refined products pipeline in the United States, carrying 2.5 million barrels per day and supplying approximately 45% of all fuel consumed on the East Coast — shut down its entire pipeline system following a ransomware attack.

The shutdown lasted six days. Fuel shortages spread across the southeastern United States. Gas stations ran dry. Panic buying emptied pumps in states from Georgia to Virginia. The national average gas price rose to its highest level since 2014.

The Root Cause

The initial access was a single compromised VPN credential. The account did not have multi-factor authentication enabled. Using this one credential, the DarkSide ransomware group gained access to Colonial's business network and deployed ransomware that encrypted billing and accounting systems.

The pipeline's operational technology (OT) systems — the actual control systems that manage fuel flow — were not directly compromised. Colonial shut the pipeline down because they could not meter, track, or bill for fuel deliveries. The business decision was: if we can't bill for it, we can't deliver it.

The Pattern

A VPN without MFA. A single credential. Ransomware on the billing system. And a business decision that a billing outage requires a pipeline shutdown. The most critical fuel infrastructure on the East Coast was shut down not by an attack on the pipeline, but by an attack on the invoicing system.

Why It Matters

Colonial Pipeline demonstrates that business logic can be the real vulnerability. The pipeline worked. The fuel was ready. The control systems were intact. But the billing system was encrypted, and the company's operating procedures required billing functionality to deliver fuel. The attacker didn't need to hack the pipeline. They just needed to hack the spreadsheet.
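To make that coupling concrete, here is an added example (not from the page) that models the delivery-depends-on-billing dependency as a small graph and computes which outages reach fuel delivery, before and after the hard dependency on billing is replaced with a degraded fallback. The node names and the "hard"/"soft" dependency kinds are constructed assumptions, not Colonial's actual architecture.

```python
from collections import deque

# Constructed dependency map (an assumption, not Colonial's real topology).
# Each function lists what it requires; "hard" means it stops when the
# requirement is lost, "soft" means it can run in a degraded mode without it.
DEPENDENCIES = {
    "fuel_delivery": {"pipeline_ot": "hard", "billing": "hard"},
    "billing": {"erp": "hard"},
    "erp": {"business_network": "hard"},
    "pipeline_ot": {"scada": "hard"},
    "scada": {},
    "business_network": {},
}


def impacted(down, deps=DEPENDENCIES):
    """Return every function that stops when `down` is lost.

    Breadth-first walk over hard dependencies only: a soft dependency
    degrades the dependant but does not take it offline.
    """
    lost = {down}
    queue = deque([down])
    while queue:
        node = queue.popleft()
        for dependant, reqs in deps.items():
            if dependant not in lost and reqs.get(node) == "hard":
                lost.add(dependant)
                queue.append(dependant)
    return lost


def single_points_of_failure(target, deps=DEPENDENCIES):
    """List every node whose loss, on its own, takes `target` offline."""
    return sorted(n for n in deps if n != target and target in impacted(n, deps))


def with_fallback(deps, dependant, requirement):
    """Copy `deps` with one hard dependency downgraded to soft, modelling a
    manual/degraded procedure (e.g. metering and invoicing after the fact)."""
    new = {k: dict(v) for k, v in deps.items()}
    new[dependant][requirement] = "soft"
    return new


if __name__ == "__main__":
    # Billing encrypted: delivery stops even though OT is untouched.
    print("billing down ->", sorted(impacted("billing")))
    print("SPOFs for delivery ->", single_points_of_failure("fuel_delivery"))
    resilient = with_fallback(DEPENDENCIES, "fuel_delivery", "billing")
    print("with fallback ->", single_points_of_failure("fuel_delivery", resilient))
```

The first run lists the billing chain among the single points of failure for delivery; after the fallback only the OT-side nodes remain, which is the change the page's argument calls for.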

Techniques

compromised VPN · no MFA · ransomware