Ransomware
Primary Sources: CISA / Wikipedia / TechTarget
Incident Details
A DarkSide ransomware affiliate (Russian-based) compromised Colonial Pipeline via leaked VPN credentials for a legacy account that lacked MFA. 100 GB of data was exfiltrated the day before encryption. Pipeline operations were halted May 7-13, 2021, causing fuel shortages across the US East Coast. The CEO paid a $4.4M (75 BTC) ransom. The DOJ recovered 63.7 BTC ($2.3M in value at the time of recovery) in June 2021. This was the largest cyberattack on US oil infrastructure. DarkSide subsequently shut down operations.
Technical Details
- Initial Attack Vector
  - CWE-308: Use of Single-Factor Authentication (compromised VPN account lacking MFA)
- Malware Family
  - DarkSide
Timeline
- 2021-05-07 Breach occurred
- 2021-05-08 Publicly disclosed
- 2021-05-08 Customers notified