CSINT Research Workstation
Disclaimer

This lab uses public incident reporting and sanitized synthetic artifacts for defensive OSINT training. Real incidents are referenced for educational context only. The interactive data is fictionalized and must not be used to identify, contact, expose, or accuse real people.

Case 04 / Ransomware / Critical Infrastructure / 2021

Colonial Pipeline / DarkSide Ransomware

Analyze the public communications, threat actor claims, and official reports of the Colonial Pipeline ransomware incident.

Source Assessment

High. Leverages verified incident timelines compiled by the US Department of Energy and joint intelligence security agency advisories.

Last Audited: 2026-05-23

Incident Brief & Analytical Mission

In May 2021, a devastating ransomware attack hit the Colonial Pipeline, the largest refined oil pipeline system in the United States. The attack, attributed to the DarkSide ransomware group, targeted the company's billing networks. Fearing operational cross-contamination, Colonial Pipeline preemptively shut down the physical pipeline operations, triggering widespread panic, fuel shortages, and spikes in gasoline prices across the East Coast.

Investigative Mission

Reconstruct the timeline of business disruption, evaluate sanitized threat actor declarations, compare social media claims against official Department of Energy reports, and assess the downstream impact.

Evidence Console #01 / 03

Disruption Timeline & Operational Milestones

Reconstructed chronology showing business decision flows vs physical pipeline impact.

May 7, 2021 / IT Exposure

Ransomware executed on Colonial Pipeline corporate IT network; billing systems encrypted.

May 7, 2021 / OT Isolation

Preemptive manual shutdown of entire pipeline operations (5,500 miles) to prevent OT network spread.

May 9, 2021 / Federal Action

Department of Energy issues regional emergency declarations regarding fuel transportation.

May 12, 2021 / Recovery

Colonial Pipeline announces restart of operations; full restoration takes several days.

Investigative Checklist Tasks

  • 01: Identify the primary driver behind the physical pipeline shutdown (preemptive IT network isolation vs direct OT infection).

  • 02: Contrast the sanitized threat actor claim (purely commercial, apolitical) with the geopolitical emergency declarations issued by the government.

  • 03: Pinpoint the timeline milestones representing maximum public disruption.

  • 04: Summarize the lesson on how public panic amplifies cyber incident impact.

Analyst Notebook

Evidence Notebook

Use this panel to log individual threads of evidence. Your entries are saved locally in this browser only.

No evidence records logged yet.

Report Desk

Report Drafting Board

REPORT PREVIEW
# CSINT Incident Lab Report

## Research Question
What was the operational relationship between the IT ransomware encryption and the physical shutdown of Colonial Pipeline?

## Summary
No analyst summary provided yet.

## Fact
- No forensic facts recorded in the notebook.

## Signal
- No analytical signals logged.

## Inference
- No alternative explanations recorded.

## Recommendation
- No next-pivot recommendations recorded.

## Confidence
Low

## Limitations
No limitation notes entered.

## Source reliability
Not assessed. Annotate each source with its reliability tier before publishing.

## Information validity
Not assessed. Confirm whether each item is directly observed, reported, or inferred.

## Missing context
Not recorded. List what data is missing or could not be verified from public sources.

## Next safe steps
- No next safe steps specified.

## Sources used
- No source references listed.

---
Generated at: 2026-06-09T20:13:46.482Z