Colonial Pipeline / DarkSide
Ransomware attack on critical U.S. fuel infrastructure
Attributed to a DarkSide ransomware-as-a-service affiliate. DarkSide itself shut down ~May 13 2021 citing "pressure from the US". U.S. Treasury OFAC sanctioned DarkSide's Bitcoin wallet; DOJ recovered $2.3 M of the ransom.
A DarkSide affiliate used a single leaked VPN password — pulled from a dark-web credential dump — to access Colonial Pipeline's IT network. No MFA was required. Within nine days, ~100 GB of data had been exfiltrated and DarkSide ransomware had encrypted IT systems. Colonial preemptively halted its 5,500-mile OT pipeline, cutting ~45% of East Coast fuel supply for five days, triggering shortages and panic buying across the U.S. Southeast. Colonial paid a 75 BTC (~$4.4 M) ransom on May 8; the FBI recovered $2.3 M on June 7.
- Phase 01 · Initial Access · TA0001
One leaked password, no MFA — a DarkSide affiliate walked straight in through Colonial's VPN
- Colonial CEO Joseph Blount confirmed in June 8, 2021 Congressional testimony that attackers used a single compromised VPN account password.
- The password had previously appeared in a dark-web credential dump from an unrelated breach; the VPN gateway did not enforce multi-factor authentication.
- The account belonged to a former employee and was still active; Mandiant's Charles Carmakal confirmed the password was found in a batch of leaked credentials (Bloomberg, June 4 2021).
- The DarkSide affiliate logged into Colonial's network through this VPN on April 29, 2021.
- CISA advisory AA21-131A highlighted MFA absence and reused credentials as the root-cause control failure.
Sources
- AA21-131A — DarkSide Ransomware: Best Practices for Preventing Business Disruption · CISA · 2021-05-11
- Colonial CEO Joseph Blount — Written Testimony, Senate Commerce Committee · U.S. Senate Commerce Committee · 2021-06-08
- Hackers Breached Colonial Pipeline Using Compromised Password · Bloomberg · 2021-06-04
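The root-cause pattern above (a successful VPN login on a dormant account that still belongs to a former employee, with no MFA) is something a defender can check for directly in VPN authentication logs. The following is an added example, not code from the page's sources; the log lines, the HR roster, the last-seen table and the field names are all constructed.

```python
from datetime import datetime, timedelta

# Constructed VPN authentication events (hypothetical format, not a real vendor's log).
VPN_LOG = """\
2021-04-29T06:12:03Z user=j.doe src=203.0.113.45 result=success mfa=none
2021-04-29T08:40:11Z user=a.smith src=198.51.100.7 result=success mfa=push
2021-04-29T09:02:55Z user=svc-backup src=203.0.113.90 result=success mfa=none
"""

# Constructed HR roster: last working day of accounts whose owner has left.
TERMINATED = {"j.doe": datetime(2021, 1, 15)}

# Constructed last successful login per account before this log window.
LAST_SEEN = {
    "j.doe": datetime(2020, 12, 20),
    "a.smith": datetime(2021, 4, 28),
    "svc-backup": datetime(2021, 4, 28),
}

DORMANT_DAYS = 60  # accounts silent longer than this should not suddenly log in


def parse_event(line):
    """Split 'ts key=value ...' into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def review_logins(log_text, terminated, last_seen, dormant_days=DORMANT_DAYS):
    """Return (user, timestamp, reasons) for successful logins that match
    the leaked-credential pattern: no MFA, terminated owner, or long-dormant account."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["result"] != "success":
            continue
        reasons = []
        if ev["mfa"] == "none":
            reasons.append("no MFA")
        if ev["user"] in terminated and ev["ts"] > terminated[ev["user"]]:
            reasons.append("account belongs to terminated user")
        previous = last_seen.get(ev["user"])
        if previous is not None and ev["ts"] - previous > timedelta(days=dormant_days):
            reasons.append(f"dormant > {dormant_days} days")
        if reasons:
            findings.append((ev["user"], ev["ts"], reasons))
    return findings
```

The first finding combines all three signals, which is the combination described in the testimony; in practice the terminated-user check is the one that should have fired regardless of MFA.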
- Phase 02 · Execution · TA0002
Cobalt Strike beacon established a hands-on-keyboard foothold inside the corporate IT environment
- Following initial VPN access, the affiliate deployed a Cobalt Strike beacon — standard tradecraft in the DarkSide ransomware-as-a-service affiliate playbook.
- Cobalt Strike provided an interactive C2 channel enabling PowerShell and Windows Command Shell execution without dropping additional stage-0 malware.
- Mandiant's analysis of DarkSide operations confirmed Cobalt Strike as the primary post-exploitation framework across affiliate intrusions.
- The beacon enabled subsequent discovery, credential harvesting, and lateral movement entirely from the attacker's C2 infrastructure.
- Phase 03 · Discovery · TA0007
Active Directory and network-share enumeration mapped the environment to locate data worth stealing and encrypting
- The affiliate conducted Active Directory enumeration to identify accounts, groups, and domain structure.
- Network share enumeration identified file servers and repositories holding sensitive business and operational data.
- System and account discovery gave the attacker the intelligence needed to target both exfiltration staging and ransomware deployment.
- CISA AA21-131A and Mandiant both note internal reconnaissance as a consistent DarkSide affiliate pre-encryption step.
- Phase 04 · Credential Access · TA0006
Credential harvesting with Mimikatz-style tools expanded access across the IT environment
- After establishing the Cobalt Strike foothold, the affiliate harvested credentials from memory and local credential stores using tools consistent with Mimikatz functionality.
- Harvested credentials enabled lateral movement to additional hosts and privileged accounts without generating new VPN or external-access events.
- CISA AA21-131A explicitly flags credential theft as a primary DarkSide affiliate technique used to expand domain privileges before deployment.
- Mandiant confirmed credential harvesting is standard pre-encryption tradecraft across observed DarkSide affiliate intrusions.
- Phase 05 · Defense Evasion · TA0005
Living-off-the-land tools and Cobalt Strike's built-in evasion kept the intrusion undetected for over a week
- The affiliate relied heavily on built-in Windows tooling and Cobalt Strike's malleable C2 profiles to blend into normal IT traffic, a technique MITRE classifies as living off the land (T1027).
- Cobalt Strike beacons used HTTPS to C2 infrastructure; traffic masqueraded as legitimate web requests, evading basic network inspection.
- DarkSide malware includes checks to skip encryption on systems where the display language is set to Russian or former Soviet states, a known anti-attribution/evasion technique.
- The intrusion ran from April 29 to ransomware deployment on May 7 — nine days — without detection by Colonial's security controls.
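Beacon traffic that "looks like web requests" on the wire still tends to differ from browsing in its timing: a C2 beacon checks in at a near-constant interval, whereas a user's connections to a site are bursty. The following is an added example of that timing check over proxy log lines, not code from the page's sources; the log format, hosts and values are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound proxy log: timestamp, internal host, destination, bytes out.
# 10.1.2.33 checks in roughly once a minute; 10.1.2.40 is ordinary browsing.
PROXY_LOG = """\
2021-05-01T10:00:00Z 10.1.2.33 cdn-assets.example 1402
2021-05-01T10:01:00Z 10.1.2.33 cdn-assets.example 1398
2021-05-01T10:02:01Z 10.1.2.33 cdn-assets.example 1405
2021-05-01T10:03:00Z 10.1.2.33 cdn-assets.example 1401
2021-05-01T10:04:00Z 10.1.2.33 cdn-assets.example 1399
2021-05-01T10:05:01Z 10.1.2.33 cdn-assets.example 1403
2021-05-01T10:00:12Z 10.1.2.40 news.example 52311
2021-05-01T10:00:47Z 10.1.2.40 news.example 8104
2021-05-01T10:07:30Z 10.1.2.40 news.example 130022
2021-05-01T10:09:02Z 10.1.2.40 news.example 2210
2021-05-01T10:21:55Z 10.1.2.40 news.example 44010
"""


def parse(line):
    ts, src, dst, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)


def beacon_candidates(log_text, min_connections=5, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection gaps are unusually regular.
    The score is the coefficient of variation (stdev / mean) of the gaps;
    values near 0 mean a fixed check-in interval."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, _ = parse(line)
        flows[(src, dst)].append(ts)
    results = {}
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) == 0:
            continue  # identical timestamps: log duplication, not beaconing
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            results[key] = round(cv, 3)
    return results
```

Malleable C2 profiles can add jitter to the sleep interval, which raises the coefficient of variation, so the threshold needs tuning against the environment's baseline and this signal is best combined with others (new destination, uniform request sizes, off-hours activity).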
- Phase 06 · Collection & Exfiltration · TA0009
~100 GB of sensitive data exfiltrated before encryption — the double-extortion lever that kept Colonial paying
- Colonial CEO Blount confirmed in Congressional testimony that approximately 100 GB of data was stolen from Colonial's network prior to ransomware deployment.
- DarkSide's double-extortion model uses the threat of publishing stolen data on the DarkSide 'leak site' as a second pressure point independent of decryption.
- Mandiant reporting on DarkSide operations identifies cloud-based file-sharing services (including Mega.nz) as a common exfiltration destination for affiliates.
- Exfiltration staging preceded the May 7 encryption event, confirming the attacker had days of dwell time to collect and transfer data.
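Moving ~100 GB to a cloud file-sharing service over a few days produces an outbound-volume signal that egress logging can catch before encryption starts. The following is an added example of a sliding-window volume check against a destination watchlist, not code from the page's sources; the log lines, hosts and byte counts are constructed (mega.nz is on the watchlist because the Mandiant reporting cited above names it).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: timestamp, internal host, destination host, bytes uploaded.
PROXY_LOG = """\
2021-05-05T22:10:00Z 10.1.5.20 mega.nz 734003200
2021-05-05T22:40:00Z 10.1.5.20 mega.nz 812000000
2021-05-05T23:15:00Z 10.1.5.20 mega.nz 655360000
2021-05-05T23:50:00Z 10.1.5.20 mega.nz 900000000
2021-05-06T09:05:00Z 10.1.5.21 mega.nz 4200000
2021-05-06T09:30:00Z 10.1.5.22 intranet.example 5000000000
"""

# Destinations that are not sanctioned for business data transfer.
WATCHLIST = {"mega.nz"}

ONE_GB = 1_000_000_000


def exfil_candidates(log_text, watchlist, window=timedelta(hours=6), threshold=ONE_GB):
    """Return {src: peak_bytes} for internal hosts that uploaded more than
    `threshold` bytes to any watchlisted destination within any `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, host, nbytes = line.split()
        if host in watchlist:
            by_src[src].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(nbytes)))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        start, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            # Slide the window forward: drop uploads older than `window`.
            while ts - events[start][0] > window:
                total -= events[start][1]
                start += 1
            if total >= threshold:
                findings[src] = max(findings.get(src, 0), total)
    return findings
```

The large transfer to the intranet host is ignored on purpose: the check is about unsanctioned destinations, and a separate per-host baseline would be needed to catch exfiltration to a destination not on the list.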
- Phase 07 · Impact · TA0040
DarkSide ransomware encrypted IT systems on May 7 — Colonial shut down its 5,500-mile pipeline, triggering a 5-day national fuel crisis
- DarkSide ransomware was deployed on Colonial's IT systems on May 7, 2021, encrypting business and billing systems (the operational technology pipeline itself was NOT encrypted).
- Colonial preemptively shut down pipeline OT operations because it could not safely bill customers or manage operations without functioning IT systems; CEO Blount confirmed this decision in Congressional testimony.
- The 5,500-mile pipeline carries approximately 45% of the East Coast's fuel supply; the five-day shutdown caused gasoline shortages, panic buying, and a national emergency declaration by President Biden.
- Colonial paid 75 BTC (approximately $4.4 million) ransom on May 8, 2021; Blount testified this decision was made to restore operations as quickly as possible.
- On June 7, 2021, the DOJ announced seizure of approximately $2.3 million of the ransom from a cryptocurrency wallet, the first major government clawback of a ransomware payment.
- DarkSide announced it was shutting down ~May 13, citing loss of access to infrastructure and 'pressure from the US'; U.S. Treasury OFAC sanctioned DarkSide's Bitcoin address.
Sources
- Colonial CEO Joseph Blount — Written Testimony, Senate Commerce Committee · U.S. Senate Commerce Committee · 2021-06-08
- Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to Ransomware Extortionists · U.S. Department of Justice · 2021-06-07
- AA21-131A — DarkSide Ransomware: Best Practices for Preventing Business Disruption · CISA · 2021-05-11
- S0640 — DarkSide · MITRE ATT&CK
Diamond Model (Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework)
- Adversary: DarkSide (RaaS affiliate)
- Capability: T1133, T1078, T1078.001, T1059.001, T1059.003, +1 more
- Infrastructure: mega.nz
- Victim: See narrative above
Sources
- AA21-131A — DarkSide Ransomware: Best Practices for Preventing Business Disruption · CISA · 2021-05-11
- S0640 — DarkSide · MITRE ATT&CK
- Shining a Light on DARKSIDE Ransomware Operations · Mandiant (Google Cloud) · 2021-05-11
- Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to Ransomware Extortionists · U.S. Department of Justice · 2021-06-07
- Colonial CEO Joseph Blount — Written Testimony, Senate Commerce Committee · U.S. Senate Commerce Committee · 2021-06-08
- Hackers Breached Colonial Pipeline Using Compromised Password · Bloomberg · 2021-06-04