What Went Wrong with Colonial Pipeline?

When a massive ransomware attack makes the headlines, our networking geeks are all too eager to huddle in the peanut gallery.
Jun 9, 2021

When there’s a cyberattack as massive as the recent $4.4 million ransomware attack on Colonial Pipeline, our geeks in the networking department are all too eager to huddle in the peanut gallery and give a blow-by-blow account of “what went wrong”. While details are still murky, they have pieced together the series of unfortunate, yet pitifully preventable, events behind this colossal breach. Here is their account, along with recommendations on how you can tighten your own cybersecurity.


Jeff Wirtz – Systems Engineer

Seemingly, the initial trigger was not a cyberattack but a leaked password. The username and password of a former employee were discovered by the ransomware hackers DarkSide. From there, the cybercriminals were able to use the still-activated account of this former employee to access the company’s legacy Virtual Private Network (VPN). We often find that the root of cyber vulnerabilities is the attitude and governance around sensitive information. Many companies have no systematic protocol for who has access to which critical data, nor for how to properly store passwords. Much of this can be mitigated through a cyber-first mentality and continuous employee training.


Alex Philips – Systems Engineer

Once the cybercriminals were in Colonial’s VPN, it was essentially a wide-open door to their entire network. This vulnerability could have been so easily prevented with Multifactor Authentication (MFA). That is a line of defense that requires anyone not located on company premises to have a secondary means of authenticating their identity before accessing the company network. So, for example, in addition to inputting their username and password, the employee receives a push notification to their company-issued cellphone, and only once that is validated, can they enter the VPN.
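The two points above, an account that should have been disabled and a VPN that accepts a password alone, can be turned into one login check. The script below is an added example for this post, not code from the engineers quoted here or from Colonial Pipeline: it models a remote-access gate that refuses disabled accounts, verifies the password, and then insists on a valid, unreplayed TOTP code from an authenticator app. The in-memory account store, the PBKDF2 parameters, the sample users and their secrets are all constructed assumptions; in production this logic lives in your identity provider or RADIUS server, not in a script.

```python
"""Remote-access login gate: active account + password + TOTP.

Added example for this post; not Colonial Pipeline's or any vendor's code.
The in-memory account store, PBKDF2 password hashing and RFC 6238 TOTP
parameters are assumptions so the script runs offline; a real VPN would
delegate this to an IdP or RADIUS server.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOTP_STEP = 30          # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes]   # None = not enrolled in MFA
    enabled: bool = True
    last_counter: int = -1         # last accepted TOTP step, for replay protection


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def totp(secret: bytes, now: int) -> str:
    """The code an authenticator app shows at Unix time `now`."""
    return hotp(secret, now // TOTP_STEP)


def verify_login(store: Dict[str, Account], username: str, password: str,
                 otp: str, now: int, window: int = 1) -> Tuple[bool, str]:
    """Returns (allowed, reason). The reason is for the audit log only;
    the client should only ever see one generic failure message."""
    acct = store.get(username)
    # 1. An offboarded account is refused before its password is even checked.
    if acct is None or not acct.enabled:
        return False, "unknown or disabled account"
    # 2. Constant-time password comparison.
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return False, "bad password"
    # 3. Fail closed: no enrolled second factor means no remote login,
    #    so a leaked password alone is never enough.
    if acct.totp_secret is None:
        return False, "MFA not enrolled"
    if not (otp.isascii() and otp.isdigit() and len(otp) == TOTP_DIGITS):
        return False, "malformed one-time code"
    base = now // TOTP_STEP
    for step in range(base - window, base + window + 1):
        if step <= acct.last_counter:
            continue                      # already used: blocks replay of a captured code
        if hmac.compare_digest(hotp(acct.totp_secret, step), otp):
            acct.last_counter = step
            return True, "ok"
    return False, "bad or reused one-time code"


def build_store() -> Dict[str, Account]:
    """Constructed sample accounts, not real credentials."""
    def make(user, pw, secret, enabled):
        # Fixed per-user salt only so the demo is deterministic; use os.urandom in practice.
        salt = hashlib.sha256(user.encode()).digest()[:16]
        return Account(user, salt, hash_password(pw, salt), secret, enabled)
    return {
        # current employee, enrolled in MFA
        "alice": make("alice", "Correct-Horse-42", b"alice-totp-seed-0001", True),
        # former employee whose account was never disabled and who has no MFA
        "jdoe": make("jdoe", "Summer2019!", None, True),
        # former employee, properly offboarded
        "bsmith": make("bsmith", "Winter2020!", b"bsmith-totp-seed-01", False),
    }


if __name__ == "__main__":
    store = build_store()
    now = 1_620_000_000
    print(verify_login(store, "jdoe", "Summer2019!", "000000", now))   # leaked password, no MFA
    print(verify_login(store, "bsmith", "Winter2020!",
                       totp(store["bsmith"].totp_secret, now), now))   # disabled account
    code = totp(store["alice"].totp_secret, now)
    print(verify_login(store, "alice", "Correct-Horse-42", code, now))  # allowed
    print(verify_login(store, "alice", "Correct-Horse-42", code, now))  # replay, denied
```

Run it and the former employee’s account (jdoe) is refused even with the correct password because no second factor is enrolled; the properly offboarded account (bsmith) is refused before its password is checked; and alice’s code is accepted once and rejected on replay. The reason strings belong in the audit log only: the client should get the same generic failure for every case so an attacker cannot enumerate accounts or learn which check tripped.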


William Turk – Network Support Engineer

Now that DarkSide was in, they got to work… The day before the attack, they stole almost 100 GB of data. From what we gather, they then crafted a phishing email that appeared to originate from within Colonial’s network, requesting recipients to download a software upgrade. Rather than being an upgrade, the download was malware which locked down Colonial’s system. DarkSide then threatened to release the trove of stolen data on the internet if the ransom was not paid. We often focus cybersecurity on incoming threats, but don’t put in the same protections for internal communication. A robust email security solution will detect unusual patterns in lateral emails, especially those carrying attachments with a .exe file extension or zip files.
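As an added illustration of the kind of check described above (not code from the original post or from any email security product), the script below parses a handful of constructed messages with Python’s email library and flags the four things a lateral-mail filter should catch: an executable attachment, an executable hidden inside a zip, a double extension such as .pdf.exe, and a sender that claims the internal domain while the envelope sender (Return-Path) points elsewhere. The internal domain corp.example, the extension lists and the sample messages are assumptions; a real gateway would also consult SPF/DKIM/DMARC results rather than the Return-Path header alone.

```python
"""Scan internal ("lateral") mail for executable payloads and spoofed senders.

Added example for this post; not code from the original article or any mail
security product. The internal domain, the extension lists and the sample
messages are constructed for the demo.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List

INTERNAL_DOMAIN = "corp.example"          # assumption for the demo
EXEC_EXTENSIONS = {".exe", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta", ".dll"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def scan_attachment(filename: str, data: bytes) -> List[str]:
    """Findings for one attachment: executables, disguised names, executables in zips."""
    findings = []
    ext = _ext(filename)
    if ext in EXEC_EXTENSIONS:
        findings.append(f"executable attachment: {filename}")
        if filename.count(".") >= 2:      # "Release_Notes.pdf.exe" style disguise
            findings.append(f"double extension: {filename}")
    if ext in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if _ext(member) in EXEC_EXTENSIONS:
                        findings.append(f"executable inside archive: {filename}:{member}")
        except zipfile.BadZipFile:
            findings.append(f"corrupt or disguised archive: {filename}")
    return findings


def scan_message(raw: bytes) -> List[str]:
    """Findings for a whole RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()
    # Header From claims to be internal, but the envelope sender is somewhere else
    # (or missing). Simplistic stand-in for an SPF/DKIM alignment check.
    if from_domain == INTERNAL_DOMAIN and rp_domain != INTERNAL_DOMAIN:
        findings.append(f"spoofed internal sender: From {from_addr}, "
                        f"Return-Path {return_path or '(none)'}")
    for part in msg.iter_attachments():
        findings.extend(scan_attachment(part.get_filename() or "",
                                        part.get_payload(decode=True) or b""))
    return findings


def build_samples() -> Dict[str, bytes]:
    """Constructed messages, not real mail."""
    def mail(sender, return_path, filename, data, maintype="application", subtype="octet-stream"):
        m = EmailMessage()
        m["From"] = sender
        m["To"] = "staff@corp.example"
        m["Subject"] = "Mandatory software upgrade"
        if return_path:
            m["Return-Path"] = return_path
        m.set_content("Please install the attached update before end of day.")
        m.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
        return m.as_bytes()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VPN_Upgrade/setup.exe", b"MZ" + b"\x00" * 16)   # fake PE stub
    return {
        "spoofed_exe": mail("IT Support <it-support@corp.example>", "bounce@mailer.invalid",
                            "VPNUpgrade.exe", b"MZ\x90\x00"),
        "zip_with_exe": mail("helpdesk@corp.example", "helpdesk@corp.example",
                             "upgrade.zip", buf.getvalue(), "application", "zip"),
        "double_ext": mail("helpdesk@corp.example", "helpdesk@corp.example",
                           "Release_Notes.pdf.exe", b"MZ\x90\x00"),
        "benign": mail("HR <hr@corp.example>", "hr@corp.example",
                       "policy.pdf", b"%PDF-1.4\n%%EOF\n", "application", "pdf"),
    }


def scan_samples() -> Dict[str, List[str]]:
    return {name: scan_message(raw) for name, raw in build_samples().items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "clean")
```

Two of the samples come from a genuinely internal account, which is the situation the post describes once the attackers were already inside the VPN: sender checks alone would pass them, and only the attachment inspection catches the executable and the zip wrapping one.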


Cybersecurity is an ever-changing game of staying ahead of cybercriminals. Admittedly, it is very difficult to plug every possible hole in your network, but here are some fundamentals that every company should implement.


  • Adopt a cyber-first mindset. Create a Security and Information Governance Team that will systematize and protect your company’s sensitive data, including disabling accounts the day an employee leaves. Review the best practices outlined by the Cybersecurity and Infrastructure Security Agency (CISA).

  • Assess your current firewall and remote-access configurations and build them out to include Multifactor Authentication on every VPN login and comprehensive email security.

  • Invest in training. Many of our networking partners include employee training modules as part of their solutions. Take advantage of these ready-made learning tools. Your employees are your frontline defense.


Interested in a free cybersecurity threat assessment? Contact us today!