‘Colonial Pipeline Was Shut Down Over Fears About Billing Customers’ Rumor

On May 17 2021, a headline screenshot appeared on Imgur with the claim that the May 2021 Colonial Pipeline cyberattack shutdown occurred because its owner wanted to ensure they would still “get paid”:

That post included an undated (“today”) screenshot of an article from the automotive news and opinion site Jalopnik, alongside an image of a line of cars next to a gas station. Visible text on May 18 2021 read:

The Colonial Pipeline Was Fine, But It Was Shutdown To Make Sure Its Owner Could Still Get Paid

José Rodríguez Jr. [May 17 2021] 3:22PM

The cyber attack that shut down the Colonial […]

Imgur u/dragland03 included a link to the May 17 2021 Jalopnik item, and reported in part:

The cyber attack that shut down the Colonial pipeline, causing a gas panic and stoking fears of gasoline shortages, didn’t actually shut down the pipeline. It impacted the billing system at the Colonial Pipeline Co., which shut it down because they were worried about how they’d collect payments.

Yes, the fuel-carrying pipeline was shut down [in May 2021] in order to prevent a company that is entrusted with what should be a public utility from enduring an accounting headache.

Zero Day’s Kim Zetter had noted this may be the case and CNN confirmed it in a later report … Zetter pointed out the affected system handled the billing in a report prior to CNN’s, wherein she cited Colonial itself. The company said that the hack affected its corporate network and not the operation of the pipeline[.]

Jalopnik primarily based its reporting on two sources — ongoing reporting from national and cybersecurity investigative journalist Kim Zetter, and a CNN report published on May 12 2021 (updated on May 13 2021). Zetter’s May 8 2021 piece, published to zetter.substack.com and excerpted by Jalopnik on May 17 2021, reported:

On Friday [May 7 2021], Colonial Pipeline released a statment [sic] to shippers that it was experiencing “network issues impacting the operation of the Colonial Pipeline system” but didn’t specify the problem. It subsequently told the New York Times that it had been infected with ransomware.

In a statement published Saturday [May 8 2021], it said the ransomware infected only its corporate IT network. Although the operational network that controls its pipelines and distributes fuel is separate from the corporate network and wasn’t infected, Colonial said it temporarily shut down the pipelines as a precaution to prevent the infection from spreading.

Zetter linked to Colonial Pipeline’s page of statements addressing the cyberattack, with several dated updates in reverse chronological order. The first available update was dated May 8 2021 (likely the statement Zetter referenced) and it read:

Saturday, May 8, 12:30 p.m.

On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems. Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies.

Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.

Zetter’s focus in that reporting was not the precise cause of the shutdown, be it operational, logistical, or billing-related. The story’s subheading characterized the balance of reporting:

Colonial Pipeline says ransomware only infected its business network, not the operations network that controls gas flow. But experts say it had potential to spread to control network and suppliers[.]

Overall, Zetter examined the implications of a larger attack, one which affected functionality — writing that the matter “could have been worse if the perpetrators got onto the company’s operational or process control network, experts say.” As Jalopnik noted, Zetter reported that the ransomware attack affected corporate systems.

On May 13 2021, Zetter tweeted the gist of the Jalopnik article published four days later, citing CNN:

Although Zetter and later Jalopnik focused on the detail about inability for Colonial Pipeline to bill customers, that wasn’t the primary point of the CNN article (“Colonial Pipeline did pay ransom to hackers, sources now say”), which led with the news that the company had indeed paid out a $5 million ransom in Bitcoin to a hacker group:

Colonial Pipeline paid the ransomware group that carried out a crippling cyberattack, two sources familiar with the matter told CNN on [May 13 2021].

The group, previously identified as DarkSide, demanded nearly $5 million, two other sources familiar with the incident said. The sources CNN spoke to [on May 13 2021] did not say how much the company paid. Bloomberg first reported the ransom payment.

CNN was previously told by multiple sources that Colonial Pipeline had not yet paid the ransom, but two sources said on [May 13 2021] that the company did pay as it sought to retrieve the stolen information. It is not clear when the payment was made.

That story included a section in which CNN asked a Colonial spokesperson about “whether the shutdown was prompted by concerns about payment,” to which there did not seem to be a direct answer.

In their response, Colonial stated that there was “no evidence that the company’s operational technology systems were compromised by the attackers,” commentary which arguably hinted at pipeline functionality being a lesser concern:

Meanwhile, new details are emerging about Colonial’s decision to proactively shut down its pipeline [on May 8 2021], a move that has led to panic buying and massive lines at gas pumps.

The company halted operations because its billing system was compromised, three people briefed on the matter told CNN, and they were concerned they wouldn’t be able to figure out how much to bill customers for fuel they received.

One person familiar with the response said the billing system is central to the unfettered operation of the pipeline. That is part of the reason getting it back up and running has taken time, this person said.

Asked about whether the shutdown was prompted by concerns about payment, the company spokesperson said, “In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems.”

At this time, there is no evidence that the company’s operational technology systems were compromised by the attackers, the spokesperson added.

A popular Imgur post depicted a May 17 2021 Jalopnik article titled “The Colonial Pipeline Was Fine, But It Was Shutdown To Make Sure Its Owner Could Still Get Paid,” and the linked item drew its information from Zetter’s ongoing reporting as well as a CNN article published on May 12 2021 (updated a day later). Zetter tweeted on May 8 2021 that a source informed her Colonial might “not be able to invoice customers who receive fuel if their IT network is locked with ransomware, preventing them from being paid for fuel,” retweeting the tweet on May 13 2021 and adding that CNN “confirmed what I wrote 4 days ago.” Although CNN did report that three individuals briefed on the matter confirmed Colonial was “concerned they wouldn’t be able to figure out how much to bill customers for fuel they received,” we have as yet been unable to independently corroborate the claim — which was reported separately by Zetter and CNN.