RESEARCH STARTER

Colonial Pipeline

Colonial Pipeline is a major pipeline system in the United States, crucial for transporting over 100 million gallons of gasoline, home heating oil, and jet fuel daily from Texas to New York. In May 2021, the pipeline faced a significant disruption when it was targeted by a ransomware cyberattack attributed to a Russian criminal group known as DarkSide. This led to a complete shutdown of operations, causing widespread panic among motorists on the East Coast who experienced long lines and rising fuel prices, as well as disruptions in jet fuel supplies impacting flights.

The company paid a ransom of $4.4 million in cryptocurrency to restore its systems, although a portion of this ransom, approximately $2.3 million, was later seized by the FBI. The incident highlighted vulnerabilities in cybersecurity and the growing threat of cybercrime in the digital age. Established in 1961, Colonial Pipeline has become increasingly vital to the fuel supply on the East Coast, especially as several local refineries have closed in recent years, deepening reliance on this single pipeline system. The event served as a wake-up call regarding the need for improved cybersecurity measures within critical infrastructure.

Full Article

The Colonial Pipeline is one of the largest systems of pipelines in the United States, transporting more than one hundred million gallons of gasoline, home heating oil, and jet fuel each day from Texas to New York. On May 7, 2021, the Colonial Pipeline shut down its operations because of a ransomware cyberattack. Such attacks are conducted by criminal groups holding data hostage until the victim pays the requested ransom. A few days after the attack, the Federal Bureau of Investigation (FBI) determined that the Russian-based cyber-criminal group DarkSide was responsible for the attack.

The shutdown panicked motorists along the East Coast, who had to wait in long lines and pay high prices at gas stations. It also disrupted flights because of a lack of jet fuel.

Colonial Pipeline paid $4.4 million in ransom in an effort to resume operations and provide the East Coast with much-needed fuel. However, the FBI and the US Department of Justice managed to seize $2.3 million of the ransom money paid to DarkSide.

Background

In 1961, some of the largest oil companies of the time, such as Phillips Petroleum and Continental Oil, worked together to begin construction of the pipeline, which was later named Colonial and headquartered in Alpharetta, Georgia. As the largest refined petroleum products pipeline in the United States, providing about 45 percent of the East Coast’s fuel, the Colonial Pipeline originates in Houston, Texas, and ends at the Port of New York and New Jersey—a distance of about 5,500 miles. The pipeline extends through twelve states and part of the Gulf of Mexico.

Reliance on the Colonial Pipeline has increased substantially over the years. At least six refineries have gone out of business in Virginia, Pennsylvania, and New Jersey. These closings cut the amount of fuel processed in these areas by more than half and increased those states’ reliance on the Colonial Pipeline. The pipeline, which provides jet fuel, is particularly vital for the functioning of airports in the East.

Overview

On May 7, 2021, Colonial Pipeline announced that due to a ransomware cyberattack, it had shut down the entire pipeline and frozen its Information Technology (IT) systems. Colonial Pipeline hired FireEye, a cybersecurity company, to assist with the crisis. The company at first worried that the attackers might have obtained information that would enable them to damage vulnerable parts of the pipeline. It shut down the pipeline as a preventive measure and contacted law enforcement agencies, including the FBI. However, the hackers had targeted the business side of Colonial Pipeline and not its operational systems, suggesting that they sought money. Colonial Pipeline later learned that the hackers gained entry into its networks through a VPN (virtual private network), which allowed employees to remotely access the company’s network. The account that was compromised belonged to an employee who no longer worked at the company. The account’s username and password were later discovered inside a batch of leaked passwords on the dark web, a shadowy realm of illegal activity on the Internet. The account was not protected by the multifactor authentication that the company uses in most of its operations.
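The entry point described above combines three weaknesses a defender can audit for: a remote-access account whose owner has left, no multifactor authentication on it, and a login that appears in a credential leak. The following is an added example (not code from the page or from Colonial Pipeline) of such an audit; the account records, HR roster, and leak list are constructed sample data, and the 90-day dormancy threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

DORMANT_DAYS = 90  # assumed policy threshold for an unused remote-access account


@dataclass
class VpnAccount:
    username: str
    mfa_enrolled: bool
    last_login: Optional[date]  # None = never logged in


@dataclass
class Employee:
    username: str
    terminated: Optional[date]  # None = still employed


def audit_vpn_accounts(accounts: List[VpnAccount], roster: List[Employee],
                       leaked_usernames: Set[str], today: date) -> Dict[str, List[str]]:
    """Return {username: [findings]} for every account that violates a control.

    Findings mirror the failure modes in the incident narrative:
      departed_user     owner has left (or is unknown to HR) but the account is live
      no_mfa            remote access protected by a password alone
      dormant           unused for DORMANT_DAYS or more
      username_in_leak  the login appears in a known credential-leak feed
    """
    by_user = {e.username: e for e in roster}
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = []
        emp = by_user.get(acct.username)
        if emp is None or (emp.terminated is not None and emp.terminated <= today):
            issues.append("departed_user")
        if not acct.mfa_enrolled:
            issues.append("no_mfa")
        if acct.last_login is None or (today - acct.last_login).days >= DORMANT_DAYS:
            issues.append("dormant")
        if acct.username.lower() in leaked_usernames:
            issues.append("username_in_leak")
        if issues:
            findings[acct.username] = issues
    return findings


def disable_candidates(findings: Dict[str, List[str]]) -> List[str]:
    """Accounts to disable immediately: departed owner, or no MFA plus a leaked login."""
    return sorted(u for u, f in findings.items()
                  if "departed_user" in f or {"no_mfa", "username_in_leak"} <= set(f))


# Constructed sample data: a departed user without MFA, an active user without MFA
# whose login is in a leak, a healthy account, and a contractor login HR does not know.
SAMPLE_ACCOUNTS = [
    VpnAccount("jdoe", False, date(2021, 1, 15)),
    VpnAccount("asmith", True, date(2021, 5, 1)),
    VpnAccount("bwong", False, date(2021, 4, 30)),
    VpnAccount("contractor01", True, None),
]
SAMPLE_ROSTER = [Employee("jdoe", date(2021, 2, 1)), Employee("asmith", None), Employee("bwong", None)]
SAMPLE_LEAK = {"jdoe", "bwong"}  # constructed leak feed, lower-cased usernames
```

Running `audit_vpn_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, SAMPLE_LEAK, date(2021, 5, 6))` flags the departed `jdoe` account on all four controls, which is the combination the incident narrative describes.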

Prior to the shutdown, an employee found a ransom note on a control room computer. The hackers claimed to have obtained information from the company’s shared internal drive and demanded roughly $4.4 million in exchange for the files needed to restore some networks. According to the FBI, the cyber-criminal group DarkSide, based in Russia, was responsible for the attack.

The pipeline shutdown elicited panic among East Coast motorists, who feared a lengthy gasoline shortage. Panic-buying motorists waited in long lines and paid high prices to fill their tanks. US gasoline prices at the pump rose six cents per gallon in the week following the attack—the greatest spike in the price of gas since 2014, according to the American Automobile Association (AAA).

On June 8, 2021, after the shutdown, Colonial Pipeline’s then-chief executive officer (CEO) Joseph Blount Jr. told members of the US Senate Committee on Homeland Security and Governmental Affairs that the company paid the $4.4 million ransom a day after the cyberattack (May 8, 2021). The money was paid in untraceable cryptocurrency. Blount explained that the company was concerned that the malware would spread to its Operational Technology networks, which control the operation of the pipeline. Colonial also sought to end the pipeline shutdown as soon as possible. Once they received the payment, the hackers provided the company with a decryption tool to restore its networks.

However, Colonial Pipeline assisted the FBI in an operation to recover at least some of the ransom money. The US Justice Department seized $2.3 million in Bitcoin paid to DarkSide. The FBI determined the address of the hackers’ wallet and obtained a court order to seize the funds in it. How the FBI obtained the private key needed to access the wallet has not been made public. On May 13, 2021, most of the Colonial Pipeline was back up and running. This event was a learning experience for the operators of the Colonial Pipeline and the US government. The situation brought to light the importance and vulnerability of cybersecurity in the twenty-first century.

Following the Colonial Pipeline incident, the Transportation Security Administration (TSA), the sector risk management agency for pipeline security, issued and later updated mandatory cybersecurity requirements for certain pipeline operators. These measures include requirements to designate a cybersecurity coordinator, report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA), conduct vulnerability assessments, and run incident-response exercises. TSA updated and renewed elements of these requirements in 2023, reflecting the continuing cyber threat to pipeline systems.


