{
	"id": "9080d644-774d-40e8-9877-e251ff27e97a",
	"created_at": "2026-04-06T00:20:13.59363Z",
	"updated_at": "2026-04-10T03:28:20.93834Z",
	"deleted_at": null,
	"sha1_hash": "12dbf169b7146bd015dbb22659df4a48e5357167",
	"title": "Colonial Pipeline attributes ransomware claims to ‘unrelated’ third-party data breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76445,
	"plain_text": "Colonial Pipeline attributes ransomware claims to ‘unrelated’\r\nthird-party data breach\r\nBy Jonathan Greig\r\nPublished: 2023-10-16 · Archived: 2026-04-05 17:09:38 UTC\r\nColonial Pipeline said there has been no disruption to pipeline operations or their systems after a ransomware\r\ngang made several threats on Friday afternoon.\r\nThe company – which runs the largest pipeline system for refined oil products in the U.S. – addressed claims\r\nmade by the Ransomed.vc gang that data had been stolen from their systems.\r\n“Colonial Pipeline is aware of unsubstantiated claims posted to an online forum that its system has been\r\ncompromised by an unknown party. After working with our security and technology teams, as well as our partners\r\nat CISA, we can confirm that there has been no disruption to pipeline operations and our system is secure at this\r\ntime,” a spokesperson for the company said.\r\n“Files that were posted online initially appear to be part of a third-party data breach unrelated to Colonial\r\nPipeline.”\r\nWhen asked further questions about what third party was attacked, whether that incident involved ransomware and\r\nif the situation had been contained, a spokesperson directed Recorded Future News to CISA, which did not\r\nrespond.\r\nThe gang runs a Telegram channel where they boast of attacks, and claimed on Friday afternoon that they\r\nattempted to extort Colonial Pipeline unsuccessfully. They shared a zip file with stolen documents that security\r\nresearchers said had documents related to Colonial Pipeline.\r\nThe post also includes a photo of Rob Lee, CEO of incident response firm Dragos. Lee was closely involved in\r\nthe response to a 2021 ransomware attack on Colonial Pipeline. The company did not respond to requests for\r\ncomment, but on Twitter Lee said the claims of data theft were fictitious.\r\nPSA: Criminal groups lie. Yes even, and especially, ransomware group ones. Exhausting but pointless.\r\n— Robert M. 
Lee (@RobertMLee) October 13, 2023\r\n“When we wouldn’t pay their extortion attempt they’ve been pretty ticked off since. Have drug my name and the\r\nfirm every chance they get,” he said.\r\nThe 2021 ransomware attack on Colonial Pipeline is largely considered one of the most consequential ransomware\r\nattacks in history, shutting down their operations for five days and paralyzing gas stations throughout the East\r\nCoast.\r\nThe company operates about 5,500 miles of pipeline that delivers gasoline, diesel, jet fuel, home heating oil, and\r\nother refined oil products throughout the Southern and Eastern U.S. Colonial Pipeline ended up paying a $5\r\nmillion ransom.\r\nThe attack made ransomware a household topic and kickstarted a push at all levels of government to address the\r\nattacks and the groups behind them. Several new cybersecurity regulations governing pipelines were instituted\r\nfollowing the attack.\r\nIn June, the U.S. government confirmed that it used controversial digital surveillance powers to identify the\r\nindividual behind the crippling ransomware attack and to claw back a majority of the millions of dollars in bitcoin\r\nthe company paid to restore its systems.\r\nRussia arrested one of the people behind the attack in 2022 but it is unclear whether the person was ever convicted\r\nof a crime.\r\nRansomed.vc recently made waves after threatening victims with the prospect of European data breach fines if\r\nransoms for stolen data are not paid. It defaced a Hawaiʻi state government website last month, and two weeks ago\r\nJapanese manufacturing giant Sony told Recorded Future News that it was investigating data theft claims by the\r\ngroup.\r\nBut the group’s legitimacy has been questioned, considering none of the victims added to the group’s leak site\r\nsince it emerged on August 15 have reported incidents. 
It is still unclear if the group actually uses ransomware.\r\nThe group claimed to have attacked U.S. credit agency TransUnion – which denied its systems were ever breached\r\nbut noted that the data being offered for sale may have “come from a third party.”\r\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/colonial-pipeline-attributes-ransomware-claims-to-unrelated-third-party-breach",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://therecord.media/colonial-pipeline-attributes-ransomware-claims-to-unrelated-third-party-breach"
	],
	"report_names": [
		"colonial-pipeline-attributes-ransomware-claims-to-unrelated-third-party-breach"
	],
	"threat_actors": [
		{
			"id": "adf68b66-8287-44de-9cdc-3277508a8126",
			"created_at": "2023-11-05T02:00:08.082461Z",
			"updated_at": "2026-04-10T02:00:03.400457Z",
			"deleted_at": null,
			"main_name": "RansomVC",
			"aliases": [
				"Ransomed.vc"
			],
			"source_name": "MISPGALAXY:RansomVC",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434813,
	"ts_updated_at": 1775791700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12dbf169b7146bd015dbb22659df4a48e5357167.pdf",
		"text": "https://archive.orkl.eu/12dbf169b7146bd015dbb22659df4a48e5357167.txt",
		"img": "https://archive.orkl.eu/12dbf169b7146bd015dbb22659df4a48e5357167.jpg"
	}
}