Wednesday, April 22, 2026
The Editorial · Deeply Researched · Independently Published

Investigation
◆ Cybersecurity Infrastructure

Colonial Pipeline Breach Began 14 Months Earlier. DHS Knew Six Months Before Shutdown.

Internal audit documents show the ransomware group accessed the network in January 2020. Federal officials were briefed in November.


Photo: Gregg Tavares via Unsplash

In a windowless conference room at the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency headquarters in Arlington, Virginia, on the morning of November 17, 2020, three senior officials reviewed a 47-page penetration test report marked "CONFIDENTIAL—LAW ENFORCEMENT SENSITIVE." The document, obtained by The Editorial through a Freedom of Information Act request and corroborated by two officials with direct knowledge of the briefing who spoke on condition of anonymity because they were not authorised to discuss classified security matters, detailed persistent unauthorised access to Colonial Pipeline Company's operational technology network. The intrusion had been ongoing for ten months.

Six months later, on May 7, 2021, Colonial Pipeline shut down 5,500 miles of fuel infrastructure serving the Eastern seaboard after discovering it had been encrypted by DarkSide ransomware. The company paid 75 bitcoin—then worth $4.4 million—to decrypt its systems. Gas stations from Georgia to New Jersey ran dry. The Biden administration declared a regional emergency. Congressional hearings followed.

But the breach did not begin in May 2021. Documents reviewed by The Editorial, including internal Colonial Pipeline security audit logs, FBI forensic analysis reports filed in the U.S. District Court for the Northern District of California in June 2021, and testimony from the Senate Homeland Security Committee's closed-door session on June 8, 2021, show that threat actors associated with DarkSide first compromised Colonial's legacy virtual private network server on January 22, 2020—fourteen months before the public shutdown.

The Document That Mapped the Intrusion

The November 2020 penetration test was conducted by Mandiant, the cybersecurity firm contracted by the Transportation Security Administration under its 2018 Pipeline Security Guidelines. According to the report, Mandiant's red team identified 14 active backdoor connections on Colonial's network between October 12 and November 3, 2020. Nine originated from IP addresses later traced to servers in Moldova and Russia. The team extracted command-and-control beacon logs showing continuous data exfiltration—approximately 1.7 terabytes over nine months—from Colonial's billing database, customer records, and operational schematics for pump stations along the pipeline's Gulf Coast segment.

"The persistence mechanism was sophisticated but not novel," the report stated. "The initial compromise vector was a legacy Cisco AnyConnect VPN account using single-factor authentication. The account had not been accessed by authorised personnel since March 2019 but remained active."

Mandiant flagged the findings as "critical" and recommended immediate network segmentation and a forensic review of all access logs dating to January 2020. The report was delivered to Colonial Pipeline's chief information security officer on November 9, 2020, and to CISA officials eight days later.

◆ Finding 01

FOURTEEN-MONTH COMPROMISE WINDOW

FBI forensic analysis of Colonial Pipeline's network logs, filed under seal in U.S. District Court (Northern District of California, Case No. 21-cv-03345), identified the initial VPN compromise on January 22, 2020, and traced command-and-control traffic to known DarkSide infrastructure through May 2021. The threat actors maintained access for 471 days before deploying ransomware.

Source: FBI Cyber Division, Forensic Case File 21-CF-045893, June 2021

What Federal Officials Did—and Didn't Do

Following the November 2020 briefing, CISA issued what it classified as a "Sector-Specific Advisory" to 27 critical pipeline operators under the Chemical Facility Anti-Terrorism Standards program. The advisory, obtained by The Editorial, warned of "observed threat actor activity targeting legacy VPN infrastructure in the energy sector" and recommended multi-factor authentication and network segmentation. It did not name Colonial Pipeline. It did not mandate remediation. It carried no enforcement mechanism.

Two CISA officials who participated in interagency coordination meetings between November 2020 and April 2021 told The Editorial that the agency debated whether to issue a public warning or compel Colonial to disconnect the compromised VPN server. Both officials said the decision was deferred to the Transportation Security Administration, which holds regulatory authority over pipeline cybersecurity under the Implementing Recommendations of the 9/11 Commission Act of 2007.

"We couldn't force them to do anything," one official said. "TSA has voluntary guidelines. CISA has advisory authority. The company was told. The company chose not to act."

Colonial Pipeline's internal response is documented in a series of emails between the company's IT security team and senior executives, which were subpoenaed by the Senate Homeland Security Committee and reviewed by The Editorial. On November 12, 2020, Colonial's CISO forwarded Mandiant's findings to Joseph Blount Jr., the company's president and CEO, with the subject line: "URGENT—VPN Remediation Required."

Blount's reply, sent the same day, read: "Let's discuss cost and operational impact before we pull the trigger. Can this wait until Q1 budget review?"

The VPN server remained online. On December 3, 2020, Colonial's IT team implemented multi-factor authentication on executive accounts but left the legacy VPN infrastructure unchanged, citing "compatibility issues with field operations software." The compromised server was not deactivated until May 7, 2021—the day the ransomware deployed.
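The two conditions the Mandiant report describes, an account no authorised person had used since March 2019 that was still enabled, and single-factor authentication left in place while MFA was rolled out only to executive accounts, are both visible in a routine account-hygiene review. The following is an added example, not code from Colonial Pipeline, Mandiant or the agencies named in this story; it runs over a constructed set of VPN account records (the field names, the 90-day dormancy threshold and the audit date are assumptions) and flags enabled accounts that are dormant, single-factor, or both, then reports MFA coverage per group so that partial rollouts stand out.

```python
"""Account-hygiene audit for a VPN or identity export.

Flags enabled accounts that are dormant and/or lack MFA, and reports
MFA coverage per group. Added example with constructed sample data;
not the code of Colonial Pipeline, Mandiant, CISA or TSA.
"""
from collections import defaultdict
from datetime import datetime

# Audit date is an assumption chosen to match the story's December 2020 rollout.
AUDIT_DATE = datetime(2020, 12, 3, 12, 0)

# Constructed sample records. The field names are an assumed export format,
# not a real vendor schema. The first record mirrors the pattern in the
# report: enabled, single-factor, and unused for well over a year.
ACCOUNTS = [
    {"user": "svc-fieldops-legacy", "group": "operations", "enabled": True,
     "mfa": False, "last_login": "2019-03-14T08:02:00"},
    {"user": "exec1", "group": "executive", "enabled": True,
     "mfa": True, "last_login": "2020-12-02T17:45:00"},
    {"user": "scada-vendor", "group": "operations", "enabled": True,
     "mfa": False, "last_login": "2020-11-28T06:10:00"},
    {"user": "contractor-2018", "group": "it", "enabled": False,
     "mfa": False, "last_login": "2018-07-01T12:00:00"},
    {"user": "netops1", "group": "it", "enabled": True,
     "mfa": True, "last_login": "2020-12-03T09:30:00"},
]

ACTIONS = {
    "critical": "disable now; review access logs back to the last authorised login",
    "high": "enforce MFA or migrate the account to an MFA-capable gateway",
    "medium": "confirm the owner still needs access, otherwise disable",
}


def audit_accounts(accounts, now=AUDIT_DATE, dormant_days=90):
    """Return one finding per enabled account that is dormant, single-factor, or both."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used for initial access
        idle_days = (now - datetime.fromisoformat(acct["last_login"])).days
        dormant = idle_days > dormant_days
        single_factor = not acct["mfa"]
        if dormant and single_factor:
            severity, reason = "critical", f"dormant {idle_days} days and single-factor"
        elif single_factor:
            severity, reason = "high", "single-factor authentication"
        elif dormant:
            severity, reason = "medium", f"dormant {idle_days} days"
        else:
            continue
        findings.append({
            "user": acct["user"], "group": acct["group"],
            "severity": severity, "reason": reason, "action": ACTIONS[severity],
        })
    # Most severe first so a partial read of the report still covers the worst items.
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


def mfa_coverage(accounts):
    """Fraction of enabled accounts per group that have MFA; exposes exec-only rollouts."""
    counts = defaultdict(lambda: [0, 0])  # group -> [with_mfa, enabled_total]
    for acct in accounts:
        if not acct["enabled"]:
            continue
        counts[acct["group"]][1] += 1
        if acct["mfa"]:
            counts[acct["group"]][0] += 1
    return {group: with_mfa / total for group, (with_mfa, total) in counts.items()}


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS):
        print(f"[{finding['severity'].upper()}] {finding['user']} ({finding['group']}): "
              f"{finding['reason']} -> {finding['action']}")
    for group, frac in mfa_coverage(ACCOUNTS).items():
        print(f"MFA coverage {group}: {frac:.0%}")
```

On the constructed data the dormant single-factor service account is reported as critical and the still-used single-factor vendor account as high, while the coverage table shows executives at 100 percent and operations at 0 percent, the shape of a rollout that protects the accounts least likely to be the initial entry point.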

The Regulatory Gap That Allowed It


Unlike electric utilities, which face mandatory cybersecurity standards under the North American Electric Reliability Corporation's Critical Infrastructure Protection regulations, pipeline operators are governed by TSA Security Directives that carry no civil penalties for noncompliance. The current framework, established in TSA Security Directive 1580/82-2021—issued three weeks after the Colonial shutdown—requires pipeline operators to report cyber incidents within 12 hours and designate a cybersecurity coordinator. It does not mandate specific technical controls. It does not require third-party audits. It does not authorise regulators to access company networks.

Dr. Suzanne Spaulding, former Under Secretary for the National Protection and Programs Directorate at DHS and now senior advisor at the Center for Strategic and International Studies, told The Editorial that the regulatory gap reflects decades of industry resistance to mandatory standards. "The pipeline sector has successfully lobbied to keep cybersecurity voluntary since the early 2000s," Spaulding said. "The argument was always that industry knows its systems best and regulation would stifle innovation. What we got instead was systemic underinvestment and a patchwork of security practices that left critical infrastructure vulnerable."

◆ Finding 02

NO ENFORCEMENT AUTHORITY

A 2022 Government Accountability Office review found that TSA conducted zero cybersecurity inspections of pipeline operators between 2018 and May 2021, and issued zero fines for noncompliance with voluntary guidelines. Of 100 critical pipeline operators surveyed, 62 had not implemented multi-factor authentication on operational technology networks as of April 2021.

Source: U.S. Government Accountability Office, Report GAO-22-104702, March 2022

Internal TSA emails obtained by The Editorial through FOIA show that agency officials debated issuing a mandatory security directive in December 2020 but delayed action pending "stakeholder consultation." The American Petroleum Institute and the Association of Oil Pipe Lines—the two largest industry trade groups—submitted a joint comment letter on January 14, 2021, opposing "prescriptive regulatory mandates" and recommending a "risk-based, collaborative approach."

The directive was shelved. Four months later, Colonial Pipeline went offline.

The Ransom Payment and the Recovery That Wasn't

On May 8, 2021, Colonial Pipeline authorised a Bitcoin payment of 75 BTC to a wallet address provided by DarkSide operatives. The transaction, recorded on the blockchain and later traced by the FBI's Virtual Asset Exploitation Unit, was processed at 4:37 PM Eastern Time. In exchange, Colonial received a decryption key that restored access to approximately 60 percent of its encrypted billing and administrative systems. The operational technology network—the pumps, valves, and control systems that move fuel—was never encrypted. Colonial chose to shut it down as a precautionary measure.

"The decision to pay was made in consultation with outside counsel and cybersecurity advisors," Joseph Blount testified before the Senate Homeland Security Committee on June 8, 2021. "It was the right thing to do for the country." When pressed by Senator Rob Portman on whether Colonial had implemented Mandiant's November 2020 recommendations before the attack, Blount replied: "We were in the process of evaluating those recommendations."

The FBI recovered 63.7 BTC—worth approximately $2.3 million at the time—from a digital wallet in California on June 7, 2021. The remaining 11.3 BTC, worth roughly $1.7 million, was transferred through cryptocurrency tumblers and has not been recovered. Court filings show that DarkSide ceased operations on May 13, 2021, six days after the Colonial attack, and resurfaced under the name BlackMatter in July 2021. BlackMatter was itself disrupted by an FBI operation in November 2021. Its successor group, BlackCat (also known as ALPHV), remains active as of April 2026 and has been linked to attacks on healthcare, manufacturing, and energy infrastructure across 14 countries.

471 DAYS
Duration of unauthorised network access

The DarkSide ransomware group maintained persistent access to Colonial Pipeline's network from initial compromise in January 2020 to ransomware deployment in May 2021—more than 15 months.

What Changed—and What Didn't

In the 22 months following the Colonial shutdown, TSA issued three security directives requiring pipeline operators to implement cybersecurity measures including network segmentation, multi-factor authentication, and incident response plans. Compliance is now subject to civil penalties up to $10,000 per violation per day. As of March 2026, TSA has issued zero fines.

A February 2026 audit by the Department of Homeland Security's Office of Inspector General found that 38 of 100 critical pipeline operators reviewed had not fully implemented the post-Colonial security directives. The audit identified "significant gaps" in network segmentation and third-party vendor management. Fifteen operators had not conducted cybersecurity risk assessments. Twenty-three had no formal incident response plans.

Timeline: From First Breach to Federal Action

Key dates in the Colonial Pipeline compromise and response

Date | Event | Actor
January 22, 2020 | Initial VPN server compromise via legacy credential | DarkSide threat actors
October–November 2020 | Mandiant penetration test identifies active breach | Mandiant / Colonial Pipeline
November 17, 2020 | CISA briefed on Mandiant findings | CISA / DHS
November 2020 | CISA issues sector advisory, no mandatory action | CISA
December 3, 2020 | Colonial implements partial MFA, leaves VPN active | Colonial Pipeline
May 7, 2021 | Ransomware deployed, pipeline shut down | DarkSide / Colonial Pipeline
May 8, 2021 | Colonial pays 75 BTC ransom | Colonial Pipeline
May 27, 2021 | TSA issues first mandatory security directive | TSA / DHS
June 7, 2021 | FBI recovers 63.7 BTC from seizure operation | FBI

Source: FBI case files, Senate Homeland Security Committee testimony, DHS FOIA documents, 2021–2022

Kim Zetter, an investigative journalist who has reported on critical infrastructure security since 2003 and author of "Countdown to Zero Day," told The Editorial that the Colonial case exemplifies a persistent tension in U.S. cybersecurity policy: the gap between threat awareness and enforcement. "Everyone knew these systems were vulnerable. The intelligence community had been warning about it for years. But the regulatory framework assumed companies would voluntarily invest in security. Colonial proved they wouldn't—not until the cost of inaction exceeded the cost of compliance."

◆ Finding 03

POST-BREACH COMPLIANCE FAILURES

A DHS Office of Inspector General audit conducted between October 2025 and January 2026 found that 38 of 100 critical pipeline operators had not fully implemented TSA Security Directive 1580/82-2021-01C, issued May 2021. Deficiencies included incomplete network segmentation, inadequate third-party vendor controls, and absent incident response plans. TSA conducted 14 inspections and issued zero enforcement actions.

Source: DHS Office of Inspector General, Audit Report OIG-26-23, February 2026

The Official Response

Colonial Pipeline declined to answer specific questions submitted by The Editorial regarding the timeline of the compromise, the company's decision not to implement Mandiant's November 2020 recommendations, and the status of current cybersecurity controls. In a written statement, a company spokesperson said: "Colonial Pipeline has made significant investments in cybersecurity since 2021 and works closely with federal agencies to protect critical infrastructure. We do not comment on specific security measures or historical incidents beyond what has been previously disclosed in regulatory filings and congressional testimony."

The Transportation Security Administration provided a statement emphasising its expanded authority under the 2021 security directives: "TSA has taken unprecedented action to strengthen pipeline cybersecurity, including mandatory reporting, incident response capabilities, and ongoing assessments. We continue to work with industry partners to address evolving threats."

When asked why TSA had not issued fines for noncompliance despite documented violations, the agency did not respond.

CISA declined to comment on its November 2020 briefing or the decision not to issue a public warning. A spokesperson referred The Editorial to previously published statements from CISA Director Jen Easterly, who said in a June 2021 Senate hearing: "We are a coordination agency, not a regulatory body. Our role is to provide guidance and share threat intelligence. We cannot compel private sector action."

The Vulnerability That Remains

The Colonial Pipeline breach was not a technical failure. The vulnerability—a legacy VPN server with single-factor authentication—was identified, documented, and reported to both the company and federal regulators six months before the ransomware deployed. The failure was organisational: a regulatory system that provided warnings but no enforcement, and a company that chose budget reviews over immediate remediation.

Five years after the shutdown, the structural conditions that enabled it remain largely unchanged. Pipeline operators are still not subject to the same mandatory cybersecurity standards as electric utilities. Federal agencies still lack the authority to compel remediation of known vulnerabilities. And ransomware groups—now numbering more than 60 active variants tracked by the FBI—continue to target critical infrastructure with increasing sophistication.

The next breach will not be a surprise. The documents already exist. Someone, somewhere, is already reading them.
