The Pipeline Goes Dark: Colonial Pipeline
At approximately 11:00 PM on Thursday, May 6, 2021, an employee at Colonial Pipeline Company opened a VPN account that had not been used in months. They did not know that somewhere on the company’s network, a process had quietly begun. By morning, it would be finished.
Colonial Pipeline is not a household name. It operates roughly 5,500 miles of pipeline running from Houston, Texas, up the eastern seaboard to Linden, New Jersey — carrying refined petroleum products that supply approximately 45% of all fuel consumed on the East Coast of the United States. Jet fuel for Atlanta’s Hartsfield-Jackson. Gasoline for millions of cars in Virginia, North Carolina, and Georgia. Heating oil for homes across the Northeast.
At 5:26 AM on Friday, May 7, a Colonial employee discovered a ransom note on the company’s IT systems. The note contained a chilling line:
“We’re DarkSide and we had to do this.”
Colonial Pipeline shut down its entire 5,500-mile pipeline network within the hour. The company’s decision — made out of caution, to prevent the ransomware from potentially spreading from IT systems into operational technology — would touch off the worst domestic fuel supply crisis since the 1970s.
Threat Actor Profile: DarkSide
Designation: DarkSide (industry consensus); CARBON SPIDER subgroup (CrowdStrike); UNC2628 (Mandiant)
Attribution: Russian-speaking cybercriminal group; assessed to operate from within the Russian Federation or Commonwealth of Independent States
Origin: Emerged publicly August 2020
Primary Mission: Ransomware-as-a-Service (RaaS) operations for financial gain; double extortion (encryption + data theft)
Known Tradecraft: Big game hunting (targeting large enterprises), RaaS affiliate model, data leak site (“DarkSide Leaks”), selective targeting with stated code of conduct
Notorious Operations:
- Colonial Pipeline (May 2021): Ransomware attack against the largest US fuel pipeline operator; triggered a US federal emergency declaration and the most publicized ransomware response in history. Colonial paid $4.4 million in Bitcoin. The FBI subsequently recovered approximately $2.3 million worth.
- Brenntag Chemical (May 2021): German chemical distribution giant paid approximately $4.4 million in Bitcoin after DarkSide claimed to have exfiltrated 150GB of data.
- Toshiba Europe (May 2021): DarkSide claimed to have stolen over 740GB of data from Toshiba’s European subsidiary.
Note: Following the Colonial Pipeline incident, DarkSide shut down in May 2021, citing loss of access to infrastructure and “pressure from the US.” Core members are believed to have regrouped as BlackMatter (August 2021) and later ALPHV/BlackCat — the standard RaaS rebrand cycle to evade sanctions and tracking.
The Business of Ransomware: DarkSide’s Model
To understand Colonial Pipeline, you first need to understand what DarkSide was — because it represented something architecturally new in the ransomware ecosystem.
DarkSide operated as a Ransomware-as-a-Service (RaaS) platform. The core DarkSide team maintained the ransomware code, the payment infrastructure, the negotiation portal, the data leak website, and the “customer support” apparatus. They did not, themselves, conduct most attacks. Instead, they recruited affiliates — vetted cybercriminal operators who licensed the ransomware toolkit, conducted their own intrusions, and split the ransom proceeds with the DarkSide core team. The typical split was roughly 75-80% to the affiliate, 20-25% to DarkSide.
This affiliate model had profound implications. The DarkSide core team bore minimal operational risk for individual attacks while collecting a revenue stream from dozens of simultaneous campaigns. Affiliates brought their own access, their own tooling for initial compromise, and their own negotiation style. The core team’s job was infrastructure maintenance and brand management.
DarkSide distinguished itself from groups like Conti and REvil through a claimed code of conduct: no hospitals, schools, or government targets. Whether genuine or cynical reputation management, it was brand management. The Colonial Pipeline attack demolished it entirely.
The Intrusion: A Single Unused Password
The Colonial Pipeline breach was, relative to the infrastructure it disrupted, remarkably simple in its initial access.
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI’s subsequent investigation determined the initial access vector: a compromised VPN account credential. The account had been used to provide employees remote access to Colonial’s network. It was not protected by multi-factor authentication. The password had almost certainly been obtained from a prior data breach — the credential appeared in a collection of leaked passwords recovered from dark web sources.
Colonial Pipeline had a published VPN service. The credential worked. An affiliate of DarkSide signed in, and they were inside a major piece of American critical infrastructure.
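The two weaknesses named above, a long-idle account and a VPN login with no second factor, are both visible in ordinary authentication telemetry. The following is an added example, not code from the article or from Colonial, showing one way a defender would check for them: a hygiene audit over an account inventory (dormant accounts, MFA not enforced) and a detection pass over a VPN auth log that flags successful logins to dormant accounts or logins completed without MFA. The accounts, timestamps, addresses and the 90-day dormancy threshold are all constructed for illustration.

```python
from datetime import datetime, timezone

# Assumption: a successful login after this many days of inactivity is
# treated as a dormant-account event worth review (constructed threshold).
DORMANT_DAYS = 90

# Constructed account inventory (hypothetical users, not Colonial's data):
# last recorded successful VPN login and whether MFA is enforced.
ACCOUNTS = {
    "jdoe":       {"last_login": "2021-04-28T08:10:00Z", "mfa_enforced": True},
    "asmith":     {"last_login": "2021-05-05T07:55:00Z", "mfa_enforced": True},
    "legacy_svc": {"last_login": "2021-01-15T12:00:00Z", "mfa_enforced": False},
}

# Constructed VPN authentication log: timestamp,user,result,src_ip,mfa_used
VPN_AUTH_LOG = """\
2021-05-06T22:58:03Z,asmith,success,203.0.113.10,yes
2021-05-06T23:01:17Z,legacy_svc,success,198.51.100.42,no
2021-05-06T23:04:51Z,jdoe,failure,203.0.113.11,no
2021-05-06T23:05:09Z,jdoe,success,203.0.113.11,yes
"""


def parse_ts(value):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn the CSV log into a list of event dicts, in file order."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, src_ip, mfa = line.split(",")
        events.append({"ts": parse_ts(ts), "user": user, "result": result,
                       "src_ip": src_ip, "mfa_used": mfa == "yes"})
    return events


def audit_accounts(accounts, as_of):
    """Pre-incident hygiene check: accounts dormant as of `as_of`, or with
    no MFA enforced. Returns {user: [reasons]} for accounts that need action."""
    now = parse_ts(as_of)
    findings = {}
    for user, info in accounts.items():
        reasons = []
        if (now - parse_ts(info["last_login"])).days >= DORMANT_DAYS:
            reasons.append("dormant")
        if not info["mfa_enforced"]:
            reasons.append("mfa_not_enforced")
        if reasons:
            findings[user] = reasons
    return findings


def detect_risky_logins(accounts, events):
    """Detection over the auth log: flag successful logins to accounts idle
    for DORMANT_DAYS or more, and logins completed without MFA. Last-seen
    state is updated as events are processed, so a second login shortly
    after the first is not re-flagged as dormant."""
    last_seen = {u: parse_ts(i["last_login"]) for u, i in accounts.items()}
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue
        reasons = []
        prev = last_seen.get(ev["user"])
        days_idle = (ev["ts"] - prev).days if prev else None
        if prev is None:
            reasons.append("unknown_account")
        elif days_idle >= DORMANT_DAYS:
            reasons.append("dormant_account")
        if not ev["mfa_used"]:
            reasons.append("no_mfa")
        if reasons:
            findings.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                             "src_ip": ev["src_ip"], "days_idle": days_idle,
                             "reasons": reasons})
        last_seen[ev["user"]] = ev["ts"]
    return findings


if __name__ == "__main__":
    for user, why in audit_accounts(ACCOUNTS, "2021-05-06T00:00:00Z").items():
        print(f"audit: {user}: {', '.join(why)}")
    for f in detect_risky_logins(ACCOUNTS, parse_log(VPN_AUTH_LOG)):
        print(f"alert: {f['user']} from {f['src_ip']} at {f['ts']}: {', '.join(f['reasons'])}")
```

The audit is the cheaper control: an account that has not logged in for months and has no MFA should be disabled before anyone has the chance to use its leaked password. The detection pass is the backstop for accounts the audit missed, and it keys on the same two properties the article identifies in the Colonial access.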
From that foothold, the attackers moved laterally through Colonial’s IT network, spending time mapping the environment and exfiltrating data before executing the ransomware payload. Before encrypting, DarkSide’s affiliates extracted approximately 100 gigabytes of data — a standard double-extortion precondition. If Colonial refused to pay, the data would be published on DarkSide’s leak site.
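Roughly 100 GB leaving a business network ahead of encryption is the kind of volume that stands out against a host's normal egress, which is why pre-ransomware exfiltration is one of the more tractable detection points in a double-extortion intrusion. The following is an added example, not code from the article or any vendor product, that aggregates outbound bytes from internal hosts to external destinations over a window of flow records and raises an alert when a host exceeds either a fixed absolute limit or a multiple of its own baseline. The flow records, baselines, thresholds and addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: RFC 1918 space is "internal"; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed per-host baseline of typical outbound bytes to external
# destinations per 24h window (hypothetical values).
BASELINE_BYTES = {
    "10.10.5.21": 2 * 10**9,   # file server: about 2 GB/day is normal
    "10.10.7.40": 3 * 10**8,   # workstation: about 300 MB/day
}
RATIO_THRESHOLD = 10             # alert at 10x a host's baseline ...
ABSOLUTE_THRESHOLD = 50 * 10**9  # ... or at 50 GB outright, whichever trips

# Constructed flow records covering one 24h window: ts,src_ip,dst_ip,dst_port,bytes_out
FLOW_LOG = """\
2021-05-06T23:40:00Z,10.10.5.21,198.51.100.23,443,38000000000
2021-05-07T01:10:00Z,10.10.5.21,198.51.100.23,443,41000000000
2021-05-07T02:00:00Z,10.10.7.40,203.0.113.55,443,120000000
2021-05-07T02:30:00Z,10.10.7.40,10.10.9.9,445,900000000
2021-05-07T03:00:00Z,10.10.5.21,10.10.9.9,445,5000000000
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the CSV flow log into dicts; bytes_out becomes an int."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": ts, "src_ip": src, "dst_ip": dst,
                      "dst_port": int(port), "bytes_out": int(nbytes)})
    return flows


def egress_by_host(flows):
    """Sum bytes from internal hosts to external destinations only.
    Internal-to-internal traffic (file shares, backups) is ignored so it
    does not inflate the egress figure."""
    totals = defaultdict(int)
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f["src_ip"]) and not is_internal(f["dst_ip"]):
            totals[f["src_ip"]] += f["bytes_out"]
            per_dst[f["src_ip"]][f["dst_ip"]] += f["bytes_out"]
    return totals, per_dst


def detect_exfiltration(flows, baselines):
    """Return one alert per host whose external egress in the window
    exceeds the absolute threshold or RATIO_THRESHOLD times its baseline.
    Hosts with no baseline are judged on the absolute threshold alone."""
    totals, per_dst = egress_by_host(flows)
    alerts = []
    for host, sent in totals.items():
        baseline = baselines.get(host)
        ratio = sent / baseline if baseline else None
        reasons = []
        if sent >= ABSOLUTE_THRESHOLD:
            reasons.append("absolute_threshold")
        if ratio is not None and ratio >= RATIO_THRESHOLD:
            reasons.append("baseline_ratio")
        if reasons:
            top_dst, top_bytes = max(per_dst[host].items(), key=lambda kv: kv[1])
            alerts.append({"host": host, "bytes_out": sent, "ratio": ratio,
                           "top_dst": top_dst, "top_dst_bytes": top_bytes,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_exfiltration(parse_flows(FLOW_LOG), BASELINE_BYTES):
        print(f"alert: {a['host']} sent {a['bytes_out']/1e9:.1f} GB externally "
              f"({a['ratio']:.1f}x baseline), mostly to {a['top_dst']}: {a['reasons']}")
```

The per-host baseline matters more than the absolute number: a backup server legitimately pushes tens of gigabytes offsite every night, while a workstation sending a few gigabytes to a single external address is already anomalous. Keying the alert on the host's own history keeps both cases handled by the same rule.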
When the ransomware payload executed at 5 AM on May 7, it encrypted Colonial’s IT systems. Colonial’s operational technology (OT) — the industrial control systems that actually managed the physical flow of fuel — was not directly encrypted. But Colonial’s decision-makers, unable to accurately assess the boundary between their IT and OT networks, made the call to halt pipeline operations preemptively.
It was the right call from an industrial safety perspective. It was catastrophic from an economic one.
The Shutdown: America Without Fuel
The pipeline had been dark before, briefly, for maintenance. But a sustained, multi-day shutdown of a 5,500-mile arterial fuel system was something the East Coast had never experienced in the modern era.
The effects cascaded within 24 hours:
- Gas stations ran dry. Panic buying began almost immediately after news broke on May 8. Motorists lined up for hours across Virginia, North Carolina, South Carolina, Georgia, and Florida. Gas prices hit their highest national average since 2014.
- Airports scrambled. American Airlines and other major carriers adjusted flight plans and added fuel stops on routes that normally didn’t require them.
- A federal emergency declaration followed. On May 9, the US Department of Transportation issued a regional emergency declaration waiving certain regulations to allow fuel to be transported by road in 18 states — an acknowledgment that the pipeline disruption was severe enough to require emergency distribution alternatives.
- The President addressed the nation. President Biden held a press conference acknowledging the attack, urging Americans not to panic-buy (they ignored this advice), and confirming that the FBI and multiple federal agencies were working the incident.
The shutdown lasted six days before Colonial restored operations on May 12, 2021.
The Ransom: $4.4 Million, Then $2.3 Million Back
Within hours of discovering the attack, Colonial Pipeline contacted a professional incident response firm and engaged legal counsel. Within days, they made a decision that would later draw scrutiny: they paid.
The ransom was approximately $4.4 million in Bitcoin, transferred to a DarkSide wallet. Colonial’s CEO Joseph Blount later testified to Congress that he authorized the payment personally, describing it as the right decision given the critical nature of the infrastructure and uncertainty about how long recovery would otherwise take. “I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible,” Blount told the Senate Homeland Security Committee.
The decryption tool DarkSide provided was, per Colonial’s own account, slow — too slow to be useful in the time-sensitive recovery. Colonial largely restored its systems from backups. The ransom payment bought the possibility of a tool they couldn’t use in practice.
Then the FBI entered.
Within a month of the attack, in June 2021, the Department of Justice announced it had seized 63.7 Bitcoin — worth approximately $2.3 million at the time — from the wallet Colonial had paid. The DOJ did not disclose precisely how it had accessed the private key for the wallet; it stated only that it had obtained a court order and recovered the funds through a technique that has been the subject of significant industry speculation. Some analysts assessed that investigators had gained access to the DarkSide infrastructure in the chaos following the group’s shutdown, recovering wallet keys. Others suggested the wallet was hosted on a cloud server whose access credentials investigators obtained.
The implication was significant: not all ransomware payments are irrecoverable.
The Collapse of DarkSide
The political heat from Colonial Pipeline was unlike anything the ransomware industry had experienced. The US government abruptly shifted posture, treating ransomware as a national security matter rather than a criminal law enforcement one.
President Biden confronted Russian President Vladimir Putin at the Geneva Summit in June 2021, directly raising ransomware groups operating from Russian territory. The administration followed with a series of policy actions, including an executive order on improving national cybersecurity (signed immediately after the Colonial attack), and a public declaration that critical infrastructure was off-limits — with implied consequences for nations harboring groups that attacked it.
DarkSide, facing this heat, announced it was shutting down in mid-May 2021, citing loss of access to its infrastructure and payment servers, and “pressure from the US.” The shutdown announcement itself was posted on a DarkSide dark web forum, written in the resigned tone of a startup announcing dissolution.
The core team was not arrested. They were not charged publicly. They simply vanished — as ransomware groups routinely do when the temperature gets too high. Within months, a new group called BlackMatter appeared, offering almost identical RaaS infrastructure, accepting the same types of cryptocurrency, and using code that overlapped significantly with DarkSide’s. The industry consensus was immediate: DarkSide had rebranded.
The cycle continued.
The Legacy: Critical Infrastructure as a Target
Colonial Pipeline crystallized a debate that had been building in policy circles for years: at what point does a cyberattack on private critical infrastructure become a matter of national security, not merely a crime?
The pipeline attack demonstrated that ransomware groups — regardless of their intent — could produce effects indistinguishable from a state-sponsored infrastructure attack. DarkSide almost certainly did not intend to create a national emergency. The affiliate who executed the intrusion wanted a ransom payment, not a confrontation with the United States government. But the effect — fuel shortages, emergency declarations, a presidential press conference — was the kind of disruption that, if caused by a missile strike, would trigger an Article 5 discussion at NATO.
For critical infrastructure operators, Colonial became a case study in IT/OT network segmentation failure. The decision to shut down the physical pipeline — because operators couldn’t confidently assess whether ransomware had spread from IT to OT — was a direct consequence of architectural choices that let a business network compromise threaten operational control. The lesson: if you cannot assert where your IT ends and your OT begins, you are vulnerable in ways that extend far beyond your data.
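Being able to assert where IT ends and OT begins means having a policy that can be checked mechanically against what the network actually does. The following is an added example, not code from the article or from any pipeline operator, that evaluates observed cross-zone connections against two segmentation policies: a flat one in which the business network may reach OT directly, and a segmented one in which IT reaches OT only through a DMZ broker on explicitly listed ports. The zone addressing, the allow-list rules, the ports and the observed connections are all constructed for illustration.

```python
import ipaddress

# Constructed zone map (hypothetical addressing, not Colonial's).
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),  # corporate business network
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),  # brokered access between IT and OT
    "OT":  ipaddress.ip_network("10.30.0.0/16"),  # control system network
}

# Policy rules are (src_zone, dst_zone, proto, dst_port); "*" is a wildcard.
# Weak policy: the business network may talk directly to OT on anything, so a
# compromised IT workstation has a path to control systems.
FLAT_POLICY = [
    ("IT", "OT", "*", "*"),
    ("IT", "DMZ", "*", "*"),
    ("DMZ", "OT", "*", "*"),
]

# Segmented policy: IT reaches the DMZ broker over HTTPS only, and only the
# broker may reach OT, on one constructed port. Everything else is denied.
SEGMENTED_POLICY = [
    ("IT", "DMZ", "tcp", 443),
    ("DMZ", "OT", "tcp", 4840),
]

# Constructed observed connections: (src_ip, dst_ip, proto, dst_port).
OBSERVED = [
    ("10.10.3.15", "10.30.1.7", "tcp", 445),   # IT workstation -> OT host, SMB
    ("10.10.3.15", "10.30.1.7", "tcp", 3389),  # IT workstation -> OT host, RDP
    ("10.10.3.15", "10.20.0.5", "tcp", 443),   # IT workstation -> DMZ broker
    ("10.20.0.5", "10.30.1.7", "tcp", 4840),   # DMZ broker -> OT host
    ("10.10.3.15", "10.10.4.4", "tcp", 445),   # IT -> IT, not a boundary crossing
]


def zone_of(ip):
    """Map an address to its zone name, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def rule_matches(rule, src_zone, dst_zone, proto, port):
    r_src, r_dst, r_proto, r_port = rule
    return (r_src == src_zone and r_dst == dst_zone
            and r_proto in ("*", proto) and r_port in ("*", port))


def check_boundary(flows, policy):
    """Return every observed cross-zone connection that no rule permits.
    Intra-zone traffic and traffic involving unknown addresses is skipped;
    this check is only about the zone boundaries."""
    violations = []
    for src, dst, proto, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone is None or dst_zone is None or src_zone == dst_zone:
            continue
        if not any(rule_matches(r, src_zone, dst_zone, proto, port) for r in policy):
            violations.append({"src": src, "dst": dst, "proto": proto,
                               "port": port, "path": f"{src_zone}->{dst_zone}"})
    return violations


def permits_direct_it_to_ot(policy):
    """The question the article says operators must be able to answer:
    does any rule let the business network reach OT without a broker?"""
    return any(r[0] == "IT" and r[1] == "OT" for r in policy)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: direct IT->OT permitted = {permits_direct_it_to_ot(policy)}")
        for v in check_boundary(OBSERVED, policy):
            print(f"  violation {v['path']} {v['src']} -> {v['dst']} {v['proto']}/{v['port']}")
```

Under the flat policy nothing is reported, which is exactly the problem: the observed SMB and RDP sessions from a business workstation into the control network are policy-compliant, so nobody is told about them. Under the segmented policy the same two sessions are violations, and the answer to "can IT reach OT directly?" is a checkable no rather than a judgment call made at 5 AM.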
For law enforcement, the partial Bitcoin recovery demonstrated that cryptocurrency payments are not anonymous and not beyond reach. The DOJ’s National Cryptocurrency Enforcement Team (NCET) was formally created in the months following Colonial — a direct institutional response to the recognition that cryptocurrency tracing and asset seizure had to become a core federal capability.
For the ransomware ecosystem, the political fallout from Colonial Pipeline — and the simultaneous takedowns of REvil by Russian security services in early 2022 (under US diplomatic pressure) — demonstrated that attacking American critical infrastructure carried existential risk for threat actors. DarkSide had touched a wire it didn’t know was live.
The landscape shifted. The wire is still live.
Attack Chain: Colonial Pipeline — DarkSide Ransomware
```mermaid
graph TD
A["💀 DarkSide RaaS\n(Russian-speaking, CIS-based)"] --> B["DarkSide Core Team:\nMaintain ransomware code\nPayment infrastructure\nNegotiation portal\nData leak site"]
B --> C["Affiliate Operator\n(Unknown — DarkSide RaaS licensee)\nTargets Colonial Pipeline"]
C --> D["Initial Access\nCompromised VPN Credential\n(No MFA)\nCredential likely from prior breach dump"]
D --> E["Remote Access Established\nColonial Pipeline IT Network\nMay 6, 2021 (~11 PM)"]
E --> F["Internal Reconnaissance\nNetwork Mapping\nIT/OT Architecture Assessment"]
F --> G["Lateral Movement\nPrivilege Escalation\nDomain Access"]
G --> H["Pre-Ransomware Exfiltration\n~100 GB of Data Stolen\n(Double Extortion Precondition)"]
H --> I["DarkSide Ransomware\nPayload Executes\nMay 7, 2021 — 5:26 AM"]
I --> J["Colonial IT Systems Encrypted\nRansom Note Delivered\n'We're DarkSide'"]
J --> K["Colonial Shuts Down\n5,500-Mile Pipeline\nPreventive OT Protection Decision"]
K --> L["🔴 45% of East Coast\nFuel Supply Disrupted"]
L --> L1["Gas Stations Run Dry\nVirginia / NC / SC\nGeorgia / Florida"]
L --> L2["AAA: Gas Prices\nHighest Since 2014"]
L --> L3["Airlines Reroute Flights\nJet Fuel Uncertainty"]
L --> L4["DOT Emergency Declaration\n18 States Affected\nTrucking Regulations Waived"]
L --> L5["Biden Press Conference\n'Don't Panic Buy'"]
J --> M["DarkSide Negotiation\nRansom Portal Engaged"]
M --> N["Colonial Pays:\n$4.4M Bitcoin\n(~75 BTC)"]
N --> O["DarkSide Provides\nDecryption Tool\n(Too slow to use effectively)"]
O --> P["Colonial Restores\nfrom Backups\nPipeline Resumes May 12"]
N --> Q["🔎 FBI Investigation\nBitcoin Wallet Traced"]
Q --> R["DOJ Seizes 63.7 BTC\n~$2.3M Recovered\nJune 2021"]
L --> S["Diplomatic Pressure\nBiden–Putin Geneva Summit\nRansomware on Agenda"]
S --> T["DarkSide Announces Shutdown\nMay 2021\n'Lost access to infrastructure'"]
T --> U["♻️ DarkSide Rebrands\nBlackMatter (Aug 2021)\nLater: ALPHV/BlackCat"]
P --> V["🏛️ Policy Consequences"]
V --> V1["Executive Order:\nNational Cybersecurity\nMay 12, 2021"]
V --> V2["DOJ NCET Created\nNational Cryptocurrency\nEnforcement Team"]
V --> V3["Critical Infrastructure\nSecurity Mandates\nTSA Pipeline Directives"]
V --> V4["IT/OT Segmentation\nBecomes Industry Mandate"]
```