Case Study 2.2: Colonial Pipeline Ransomware Attack and the Lapsus$ Group

Overview

Field           Detail
--------------  ------------------------------------------------------------------------------
Incidents       (1) Colonial Pipeline ransomware attack; (2) Lapsus$ group's corporate intrusion campaign
Period          Colonial Pipeline: May 2021; Lapsus$: Late 2021 – March 2022
Threat actors   DarkSide (ransomware group); Lapsus$ (extortion group)
Impact          Colonial Pipeline: fuel shortages across the U.S. East Coast; Lapsus$: data theft from Microsoft, Nvidia, Samsung, Okta, and others
Relevance       Demonstrates the real-world impact of ransomware and the diversity of modern threat actors

Part 1: The Colonial Pipeline Ransomware Attack

Background

Colonial Pipeline operates the largest refined-products pipeline in the United States, transporting approximately 2.5 million barrels per day of gasoline, diesel, jet fuel, and other refined products. The 5,500-mile pipeline stretches from Houston, Texas, to Linden, New Jersey, serving the entire eastern seaboard. It supplies approximately 45% of the fuel consumed on the East Coast, making it one of the most critical pieces of infrastructure in the United States.

On May 7, 2021, Colonial Pipeline discovered that their corporate IT network had been compromised by ransomware. What followed was the most consequential cyberattack on U.S. critical infrastructure in history.

The Attack

Initial Access: A Single Compromised Password

The attack did not involve a sophisticated zero-day exploit, an advanced social engineering campaign, or a supply chain compromise. It began with something far simpler: a compromised password.

DarkSide, the ransomware group responsible, gained initial access through a legacy VPN account. The account was no longer in active use but had not been deactivated. Critically, the account did not require multi-factor authentication (MFA). The password for this account was later found in a batch of leaked passwords on the dark web, suggesting it was obtained from a previous, unrelated breach — a classic credential stuffing scenario.

This single finding illustrates a principle that every ethical hacker must internalize: the most devastating breaches often begin with the most basic security failures. An unused VPN account that was never deactivated. A reused password. The absence of MFA. These are not exotic vulnerabilities — they are the kind of findings that appear in virtually every penetration test report.
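The defender-side check for exactly this precondition, added here as an example (it is not code from the case study or from Colonial Pipeline): it audits an identity export for enabled accounts that still hold remote access, have no MFA enrolled, and have not signed in for a long time. The Account fields, the 90-day staleness threshold and the sample records are assumptions constructed for the demonstration.

```python
"""Account-hygiene audit for the stale-VPN-account-without-MFA pattern.

Added example with constructed data; the field names and thresholds are
assumptions, not taken from Colonial Pipeline or any real identity provider.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Accounts with no sign-in for longer than this are treated as stale.
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    remote_access: bool              # VPN / remote-access group membership
    mfa_enrolled: bool
    last_login: Optional[datetime]   # None means the account has never signed in


def rate_account(acct: Account, now: datetime) -> Optional[Tuple[str, List[str]]]:
    """Return (severity, issues) for a risky account, or None if there is nothing to report."""
    if not acct.enabled:
        return None  # a disabled account is not an initial-access path
    issues: List[str] = []
    if acct.last_login is None or now - acct.last_login > STALE_AFTER:
        issues.append("stale")
    if not acct.mfa_enrolled:
        issues.append("no_mfa")
    if acct.remote_access:
        issues.append("remote_access")
    if "stale" not in issues and "no_mfa" not in issues:
        return None  # remote access on its own is expected for VPN users
    # Stale + remotely reachable + no MFA is the exact combination behind the Colonial breach.
    if {"stale", "no_mfa", "remote_access"} <= set(issues):
        return "critical", issues
    if {"no_mfa", "remote_access"} <= set(issues):
        return "high", issues
    return "medium", issues


def audit(accounts: List[Account], now: datetime) -> Dict[str, Tuple[str, List[str]]]:
    """Map username -> (severity, issues) for every account that deserves a finding."""
    report: Dict[str, Tuple[str, List[str]]] = {}
    for acct in accounts:
        result = rate_account(acct, now)
        if result is not None:
            report[acct.username] = result
    return report


# Constructed sample export (not real accounts); the audit date matches the case study.
AUDIT_DATE = datetime(2021, 5, 7)
SAMPLE_ACCOUNTS = [
    Account("vpn-legacy-01", True, True, False, datetime(2019, 3, 12)),   # the Colonial pattern
    Account("jsmith", True, True, True, datetime(2021, 5, 6)),            # healthy VPN user
    Account("rjones", True, True, False, datetime(2021, 5, 5)),           # active but no MFA
    Account("contractor-old", True, False, False, None),                  # never used, internal only
    Account("svc-retired", False, True, False, datetime(2018, 1, 1)),     # disabled: no finding
]

if __name__ == "__main__":
    for user, (severity, issues) in sorted(audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items()):
        print(f"{severity:8} {user:16} {', '.join(issues)}")
```

In a real engagement the account list comes from the directory or VPN concentrator export; the scoring is deliberately simple so that the "critical" tier matches one specific, provable condition rather than a weighted guess.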

Ransomware Deployment

Once inside the corporate network through the VPN, the DarkSide operators followed a well-established ransomware playbook:

  1. Reconnaissance and lateral movement: The attackers mapped the corporate network, identified valuable systems, and moved laterally to gain broader access.

  2. Data exfiltration: Before encrypting anything, the attackers exfiltrated approximately 100 gigabytes of data — a classic double-extortion setup.

  3. Ransomware deployment: The DarkSide ransomware was deployed across the corporate IT network, encrypting servers and workstations.

The Shutdown Decision

Here is where the Colonial Pipeline incident becomes particularly significant. The ransomware directly affected only the corporate IT network — not the operational technology (OT) systems that control the pipeline itself. However, Colonial Pipeline made the decision to shut down the pipeline as a precautionary measure because:

  • They could not verify the extent of the compromise
  • They were unable to process billing and metering (they could move fuel but could not measure or bill for it)
  • They feared the attack might spread from the IT network to the OT network
  • The lack of visibility into the OT environment meant they could not rule out compromise

This decision to shut down — driven by uncertainty rather than confirmed OT compromise — highlights the interconnected nature of modern infrastructure and the cascading effects of cyber incidents.

The Impact

The pipeline shutdown lasted six days (May 7–12, 2021), and the effects were dramatic:

  • Fuel shortages: Panic buying and actual supply disruptions caused gasoline shortages across the southeastern United States. Over 10,000 gas stations ran out of fuel.
  • Price spikes: Average gasoline prices rose above $3 per gallon nationally, the highest level in seven years at the time.
  • Emergency declarations: The U.S. government declared a state of emergency, relaxing regulations on fuel transport by road and issuing a cybersecurity advisory.
  • Flight disruptions: American Airlines rerouted some flights due to fuel concerns at Charlotte Douglas International Airport.
  • Public panic: Images of consumers filling plastic bags with gasoline became symbols of the incident's chaotic impact.

The Ransom

Colonial Pipeline paid a ransom of approximately 75 Bitcoin (approximately $4.4 million at the time) to DarkSide within hours of the attack. The FBI later recovered approximately $2.3 million of the ransom by tracking the Bitcoin through the blockchain and seizing funds from a wallet controlled by DarkSide.

The decision to pay the ransom was controversial:

  • Proponents argued that the critical nature of the infrastructure justified paying to expedite recovery
  • Critics argued that paying ransoms incentivizes future attacks and funds criminal organizations
  • Practically, the decryptor provided by DarkSide was reportedly so slow that Colonial Pipeline largely restored from its own backups anyway

DarkSide: The Threat Actor

DarkSide was a Ransomware-as-a-Service (RaaS) operation believed to be based in Eastern Europe (likely Russia or a former Soviet republic). Their business model was typical of modern RaaS operations:

  • DarkSide developers created and maintained the ransomware platform
  • Affiliates (independent criminal operators) used DarkSide's tools to conduct attacks
  • Revenue was split between developers and affiliates (typically 75/25 for large ransoms)
  • DarkSide maintained a public website (on the dark web) where they published stolen data from victims who refused to pay
  • The group had an explicit policy of not targeting hospitals, schools, non-profits, or government agencies (though they defined these categories narrowly)

After the Colonial Pipeline attack drew intense U.S. government attention, DarkSide announced they were "shutting down" and claimed their infrastructure had been seized. Security researchers believe the operators likely rebranded as BlackMatter and later as ALPHV/BlackCat — a common pattern in the ransomware ecosystem.


Part 2: The Lapsus$ Group

A Different Kind of Threat Actor

While DarkSide represents the professionalized, financially motivated end of the threat landscape, the Lapsus$ group represents something different and, in many ways, more unsettling: a loosely organized group of young people — some teenagers — who used relatively simple techniques to breach some of the world's most security-conscious companies.

Lapsus$ challenged the assumption that only nation-state actors or sophisticated criminal organizations could compromise major technology companies. Their success demonstrated that the human factor remains the weakest link in security, regardless of how much technology is deployed.

The Campaign (Late 2021 – March 2022)

Known victims and methods:

Nvidia (February 2022): Lapsus$ breached Nvidia and stole approximately 1 TB of data, including employee credentials, proprietary source code, and details about unreleased GPU architectures. They demanded that Nvidia open-source their GPU drivers and remove cryptocurrency mining limitations. The group published stolen data progressively to pressure Nvidia.

Samsung (March 2022): The group stole approximately 190 GB of source code from Samsung, including source code for Galaxy devices, biometric unlock algorithms, and Samsung Knox security platform code.

Microsoft (March 2022): Lapsus$ compromised an employee account and exfiltrated partial source code for Bing, Bing Maps, and Cortana from Azure DevOps repositories. Microsoft confirmed the breach but stated that no customer data was compromised.

Okta (March 2022): Perhaps the most alarming breach — Lapsus$ compromised a support engineer at Sitel, a third-party contractor for Okta, and gained access to Okta's customer support tools. Through these tools, they could potentially have affected hundreds of Okta customers. Okta's initial response was criticized for downplaying the impact, and the incident raised serious questions about third-party access management.

Other victims included: Vodafone, T-Mobile, Ubisoft, Globant, and the Brazilian Ministry of Health.

Techniques: Simple but Effective

What made Lapsus$ remarkable was not the sophistication of their techniques but their effectiveness despite simplicity:

Social engineering and credential theft:

  • SIM swapping to bypass MFA (convincing mobile carriers to transfer a victim's phone number to an attacker-controlled SIM)
  • Purchasing stolen credentials from dark web marketplaces
  • Searching public code repositories (GitHub) for inadvertently committed credentials
  • Calling helpdesks and using social engineering to reset passwords or enroll new MFA devices

Insider recruitment: Lapsus$ openly recruited insiders on their Telegram channel, posting messages like: "We recruit employees/insiders at the following companies: Microsoft, Apple, Electronic Arts, IBM, Nvidia, Samsung, T-Mobile, Vodafone. Contact us." They offered payment for VPN credentials, Citrix access, or any corporate network access.

MFA bypass: Beyond SIM swapping, Lapsus$ exploited MFA fatigue — repeatedly sending MFA push notifications to a target's phone until they approved one out of frustration or confusion (a technique also known as "MFA bombing" or "push fatigue"). This technique exploits a fundamental usability weakness in push-based MFA.
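Push fatigue leaves a distinctive trace in authentication logs: a burst of prompts to one user, a run of denials or timeouts, and then an approval. The detection below is an added example, not code from the case study or from any identity provider; the log line format, the ten-minute window, the five-prompt threshold and the sample lines are all constructed assumptions for the demonstration.

```python
"""Detect MFA push fatigue ("MFA bombing") in authentication logs.

Added example; the log format and the sample lines are constructed for the
demonstration and do not come from any real identity provider.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)")
REJECTIONS = {"push_denied", "push_timeout"}


def parse_events(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Turn raw log lines into (timestamp, user, event), sorted by time; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["event"]))
    return sorted(events)


def detect_push_fatigue(lines: List[str], window: timedelta = timedelta(minutes=10),
                        threshold: int = 5) -> Dict[str, dict]:
    """Flag users who received `threshold` or more pushes inside `window`.

    Severity is "high" when an approval follows denials/timeouts in the same
    burst, which is the signature of a user eventually giving in.
    """
    per_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, event in parse_events(lines):
        per_user[user].append((ts, event))

    findings: Dict[str, dict] = {}
    for user, events in per_user.items():
        sent = [ts for ts, ev in events if ev == "push_sent"]
        # Largest number of prompts that start at one prompt and fit inside the window.
        best_count, best_start = 0, None
        for i, start in enumerate(sent):
            count = sum(1 for ts in sent[i:] if ts - start <= window)
            if count > best_count:
                best_count, best_start = count, start
        if best_count < threshold:
            continue
        # Outcomes inside the burst: did a rejection precede an approval?
        gave_in, seen_rejection = False, False
        for ts, ev in events:
            if not (best_start <= ts <= best_start + window):
                continue
            if ev in REJECTIONS:
                seen_rejection = True
            elif ev == "push_approved" and seen_rejection:
                gave_in = True
        findings[user] = {
            "prompts": best_count,
            "approved_after_rejections": gave_in,
            "severity": "high" if gave_in else "medium",
        }
    return findings


# Constructed sample log: alice gives in on the sixth prompt, dave denies all five,
# bob is a normal login, and one line is deliberately malformed.
SAMPLE_LOG = """\
2022-03-15T02:11:04Z user=alice event=push_sent
2022-03-15T02:11:30Z user=alice event=push_denied
2022-03-15T02:12:02Z user=alice event=push_sent
2022-03-15T02:12:40Z user=alice event=push_denied
2022-03-15T02:13:05Z user=alice event=push_sent
2022-03-15T02:14:05Z user=alice event=push_timeout
2022-03-15T02:14:10Z user=alice event=push_sent
2022-03-15T02:14:45Z user=alice event=push_denied
2022-03-15T02:15:01Z user=alice event=push_sent
2022-03-15T02:15:30Z user=alice event=push_denied
2022-03-15T02:15:50Z user=alice event=push_sent
2022-03-15T02:16:10Z user=alice event=push_approved
2022-03-15T03:00:00Z user=dave event=push_sent
2022-03-15T03:00:40Z user=dave event=push_denied
2022-03-15T03:00:50Z user=dave event=push_sent
2022-03-15T03:01:20Z user=dave event=push_denied
2022-03-15T03:01:30Z user=dave event=push_sent
2022-03-15T03:02:00Z user=dave event=push_denied
2022-03-15T03:02:10Z user=dave event=push_sent
2022-03-15T03:02:40Z user=dave event=push_denied
2022-03-15T03:02:50Z user=dave event=push_sent
2022-03-15T03:03:20Z user=dave event=push_denied
2022-03-15T09:00:00Z user=bob event=push_sent
2022-03-15T09:00:20Z user=bob event=push_approved
this line is not an auth event and is skipped
""".splitlines()

if __name__ == "__main__":
    for user, finding in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, finding)
```

The "medium" tier (dave) is still worth an alert: a burst of denied prompts means someone other than the user holds a valid password, which is the first half of the pattern even when the user never gives in. Number-matching or phishing-resistant MFA removes the "approve" button that the technique depends on.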

The Arrests

In March 2022, the City of London Police arrested seven individuals in connection with Lapsus$, including a 16-year-old from Oxford, England. A 17-year-old was later charged with multiple offenses. In August 2023, an 18-year-old member (who had been 16 at the time of the offenses) was convicted and sentenced to an indefinite hospital order after being diagnosed with autism.

The youth of the Lapsus$ members raised difficult questions about juvenile justice, cybersecurity law, and the prosecution of minors for sophisticated cybercrime.


Combined Analysis

Contrasting Threat Actors

The Colonial Pipeline and Lapsus$ cases illustrate the diversity of the modern threat landscape:

Dimension                  DarkSide                                 Lapsus$
-------------------------  ---------------------------------------  ----------------------------------------
Motivation                 Financial (ransomware)                   Mixed (notoriety, curiosity, extortion)
Organization               Structured RaaS business                 Loose, informal group
Technical sophistication   Moderate-high (custom ransomware)        Low-moderate (social engineering focus)
Targeting                  Semi-targeted (critical infrastructure)  Targeted (major tech companies)
Demographics               Adult professionals (presumed)           Teenagers
Primary technique          Ransomware deployment                    Social engineering, credential theft
Duration                   Sustained operations over years          Intense burst of activity over months

Common Threads

Despite their differences, both cases share important commonalities:

1. Initial access through credentials: Colonial Pipeline was compromised through a leaked password on an old VPN account. Lapsus$ primarily relied on stolen or social-engineered credentials. In both cases, multi-factor authentication would have significantly complicated the attack.

2. Basic security failures enabled sophisticated outcomes: Neither attack required zero-day exploits or advanced technical capabilities. An unused VPN account that was never deactivated. A helpdesk susceptible to social engineering. An employee who approved an MFA push. These are basic, preventable failures.

3. Third-party risk: The Okta breach (through a contractor) and the Colonial Pipeline attack (through a legacy VPN) both involved access points that were not fully managed or monitored.

4. Disproportionate impact: A single compromised credential led to a fuel shortage affecting millions of people. A few phone calls to helpdesks led to source code theft from billion-dollar companies. The amplification of impact relative to the simplicity of the initial compromise is a recurring theme.

Lessons for Ethical Hackers

1. Test the basics relentlessly. The most valuable penetration test findings are often the simplest: default credentials, missing MFA, stale accounts, overly permissive access. Do not skip the basics in search of exotic vulnerabilities. DarkSide did not need an exploit — they needed a leaked password and a VPN without MFA.

2. Social engineering is underrated in pentesting. Lapsus$ demonstrated that determined social engineering can bypass technical controls at even the most security-conscious companies. If your engagement scope includes social engineering, test it thoroughly — phishing, pretexting, MFA bypass, and helpdesk manipulation.

3. MFA is not infallible. Both cases expose MFA weaknesses. The absence of MFA enabled the Colonial Pipeline attack. The bypass of MFA (through SIM swapping and push fatigue) enabled Lapsus$ attacks. Test MFA implementation quality, not just its presence.

4. Map the blast radius. When you compromise a system during a pentest, map the blast radius — what else can be reached from here? Colonial Pipeline shut down the entire pipeline because they could not determine if the OT network was compromised. Your report should articulate the full potential impact of each finding.

5. Insider threat simulation matters. Lapsus$ openly recruited insiders. If your engagement scope permits, test whether insider recruitment scenarios could succeed — are employees trained to recognize and report such approaches?
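Lesson 4 (map the blast radius) and the shutdown decision in Part 1 (the pipeline was stopped because compromise of the OT network could not be ruled out) both come down to one question: from the zone an attacker has reached, which other zones can be reached? The model below is an added example, not code from the case study and not Colonial Pipeline's real architecture; the zone names and allowed flows are a constructed illustration of a flat layout beside a segmented one.

```python
"""Blast-radius mapping over a zone-level connectivity model.

Added example; the zones and the allowed flows are a constructed illustration
of an IT/OT layout, not Colonial Pipeline's actual architecture. The model only
records which zone may *initiate* connections to which; it does not capture
every data-flow risk (for example a compromised DMZ host waiting for inbound
connections from OT).
"""
from collections import deque
from typing import Dict, List, Set

Rules = Dict[str, Set[str]]   # zone -> zones it is allowed to initiate connections to


def reachable(rules: Rules, start: str) -> Set[str]:
    """Breadth-first search over allowed flows: every zone reachable from `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in rules.get(zone, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(rules: Rules, start: str) -> List[str]:
    """Zones exposed by a compromise of `start`, excluding `start` itself, sorted."""
    return sorted(reachable(rules, start) - {start})


def ot_exposed(rules: Rules, start: str) -> bool:
    """True if any OT control zone lies inside the blast radius of `start`."""
    return any(zone.startswith("ot_control") for zone in reachable(rules, start))


# Flat layout: corporate IT can initiate into the OT DMZ, and the DMZ forwards inward.
FLAT: Rules = {
    "vpn": {"corp_it"},
    "corp_it": {"billing", "file_servers", "ot_dmz"},
    "billing": {"corp_it"},
    "ot_dmz": {"ot_control"},
    "ot_control": {"ot_dmz"},
}

# Segmented layout: OT pushes metering data one way into the DMZ, billing reads it
# from there, and nothing on the IT side may initiate into ot_control.
SEGMENTED: Rules = {
    "vpn": {"corp_it"},
    "corp_it": {"billing", "file_servers"},
    "billing": {"ot_dmz"},
    "ot_dmz": set(),
    "ot_control": {"ot_dmz"},
}

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"{name}: from vpn -> {blast_radius(rules, 'vpn')}; OT exposed: {ot_exposed(rules, 'vpn')}")
```

The segmented result is instructive: an attacker entering through the VPN still reaches billing and file servers (the corporate systems the ransomware actually encrypted), but cannot initiate anything into OT control. In a report, the rules come from the firewall and VPN policy exports rather than a hand-written dictionary, and the output is the "what else can be reached from here" statement for each finding.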

Discussion Questions

  1. Colonial Pipeline paid the ransom within hours. Was this the right decision? What factors should inform the ransom payment decision for critical infrastructure?

  2. Lapsus$ members were teenagers. How should the justice system handle juvenile cybercriminals who cause significant damage to major corporations? Should the penalties differ from those for adult offenders?

  3. The Colonial Pipeline shutdown was precautionary — the OT systems were not confirmed compromised. Was the shutdown decision justified? What does this incident reveal about the relationship between IT and OT security?

  4. Lapsus$ bypassed MFA at Microsoft, Okta, and other companies using push fatigue and SIM swapping. What MFA implementations are resistant to these attacks? How would you test MFA resilience during a penetration test?

  5. If you were developing a threat model for ShopStack, how would you assess the risk of a Lapsus$-style social engineering attack? What specific controls would you recommend?

Further Reading

  • CISA. (2021). "Alert AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks."
  • Bloomberg. (2021). "Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom." Bloomberg News.
  • Microsoft. (2022). "DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction."
  • Okta. (2022). "Updated Okta Statement on LAPSUS$."
  • Krebs, B. (2022). "A Closer Look at the LAPSUS$ Data Extortion Group." KrebsOnSecurity.
  • Robertson, J. & Mehrotra, K. (2021). "Colonial Pipeline Hack Exposes Vulnerabilities of U.S. Energy Infrastructure." Bloomberg.