Colonial Pipeline ransomware attack linked to Microsoft Exchange vulnerabilities [Updated]

Microsoft logo at Ignite (Image credit: Windows Central)

What you need to know

  • Colonial Pipeline suffered a massive ransomware cyberattack that forced it to halt business.
  • The attack resulted in oil prices skyrocketing as a result of paused pipeline operations.
  • Microsoft Exchange seems to be linked to the root of the cyberattack.

Update May 13, 2021 at 9:15 a.m. ET: Microsoft has provided the following statement: "We have not seen any evidence to support the speculation that this ransomware attack is related to Exchange vulnerabilities. Such a tactic is not consistent with the known behaviors of these attackers."

After months of drama over the Microsoft Exchange Server hacks carried out by multiple groups, including the state-sponsored Chinese hacker group Hafnium, it seems the Microsoft product is back at the center of controversy. This time, it's being linked to the Colonial Pipeline ransomware attack and the subsequent halting of Eastern U.S. oil supplies.

As spotted by The New York Times' cybersecurity reporter Nicole Perlroth, a forensic evaluation of Colonial Pipeline noted numerous blind spots that could have led to the security breach, with vulnerable Microsoft Exchange services named as the "most likely culprit."


That is to say: It's not guaranteed that Microsoft Exchange issues are to blame for Colonial Pipeline's current problems. Rather, an overall lack of technological sophistication is the root cause of the pipeline operator's issues. Exchange may have played a role, though, if its vulnerabilities were indeed what left Colonial Pipeline open for ransomware attacks.

There are many takeaways from the news, with one being that no major organization should rely on outdated versions of products that were compromised and used in massive government-shaking hacks. What happens from here is anyone's guess, but it stands to reason that every sort of organization and company, be it pipeline operators or otherwise, is going to be reassessing cybersecurity measures to avoid becoming the next national center of attention.

Robert Carnevale

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to

  • From reading the Twitter link in the article there were more possible "culprits" than outdated MS software. "... 'Coalition evaluated Colonial Pipeline and found..... The most likely culprit is vulnerable Microsoft Exchange services, but the organization also exposed SNMP, NTP, and DNS services, which indicates an overall lack of cybersecurity sophistication, unfortunately. Other possibilities include the numerous network protocols exposed on the internet publicly, as well as targeted virtualization software or SSL VPN access with names that imply ICS network access - also with an invalid certificate - could be culpable vulnerability points......."
  • And they were all probably used, or at least identified/evaluated. One vulnerability is a foothold and they'll recon for multiple attack vectors.
  • Underscores why lazy IT is so dangerous. There's a reason companies like Microsoft, Apple, etc., issue security updates. They don't do it just because it's a "fun" thing for them to do.
  • If somebody leaves their purse in an unlocked Honda Accord, is that Honda's fault? The issue is lack of leadership, budget, training, and internal processes. Clearly cybersecurity wasn't a priority.
  • Don't give anyone any ideas. I can see someone actually trying to sue a car manufacturer for something like that. :p
  • Typical irresponsible New York Times reporting. That cub reporter needs to be taught a lesson in getting the facts before going to press. My Lawd!