Colonial Pipeline Hit with a Cyberattack Involving Ransomware [Updated]
The Top U.S. Fuel Pipeline Operator Shut Its Entire Network, The Source of Nearly Half of the U.S. East Coast’s Fuel Supply.
Update – Colonial Pipeline paid the hackers nearly $5 million in cryptocurrency in return for a decryption key to restore its systems. Because the decryption tool was too slow, the pipeline operator used its backups to restore the systems instead. This contradicts earlier reports that the company had no intention of paying any ransom to help restore the largest fuel pipeline in the U.S.
Colonial Pipeline, the largest fuel pipeline operator in the U.S., carries refined gasoline and jet fuel all the way from Texas to New York. Over the weekend, the company was forced to shut down after being hit by ransomware, a clear demonstration of how vulnerable energy infrastructure is to this type of cyberattack.
Image Source: Jay Reeves/Associated Press
After learning it was “the victim of a cybersecurity attack,” the pipeline operator took some systems offline, temporarily halting pipeline operations and several IT systems. It also contacted an outside cybersecurity firm to conduct an investigation.
The company released an official statement on Friday saying that in an effort to contain the breach, it had shut down its 5,500 miles of pipeline, which carries 45% of the East Coast’s fuel supplies.
On May 7, Colonial Pipeline Company learned it was the victim of a cybersecurity attack and has since determined that the incident involved ransomware. Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring.
Because pipelines play a central role in so many parts of the U.S. economy, they are a particular concern.
The attack on Colonial Pipeline comes as the U.S. energy industry prepares for summer travel and stronger fuel demand as COVID-19 economic restrictions are eased. At the same time, it is an unpleasant reminder of how a cyberattack brought down the communications systems of several U.S. natural gas pipeline operators in 2018, including Energy Transfer Partners LP and TransCanada Corp.
According to a research note from ClearView Energy Partners, when Colonial is running, fuel travels through it at 3 to 5 miles per hour. A long-term shutdown could leave the Northwest more dependent on supplies delivered by tankers, and those cargoes could take 10 to 14 days to make the voyage to New York harbor.
In a statement over the weekend, the White House announced that President Biden had been briefed on the ransomware attack and its consequences and that federal officials were working to “assess the implications of this incident, avoid disruption to supply and help the company restore pipeline operations as quickly as possible.”
Colonial Pipeline System Map
Image Source: Reuters
Like other threats used in targeted cyberattacks, DarkSide not only encrypts the victim's data but also exfiltrates data from the affected servers.
In general, ransomware attacks involve threat actors seeding networks with malicious software that encrypts the data and leaves the machines locked until the victims pay the extortion fee, which can range from a few hundred dollars to millions of dollars in cryptocurrency.
If the victims fail to pay the requested ransom, the hackers threaten to publish all of the stolen data, keep it stored for at least six months, and inform the media, clients, and partners of the attack.
At this time, our primary focus continues to be the safe and efficient restoration of service to our pipeline system, while minimizing disruption to our customers and all those who rely on Colonial Pipeline. We appreciate the patience and outpouring of support we have received from others throughout the industry.
The attack on Colonial Pipeline follows a string of high-profile breaches. SolarWinds, a Texas-based IT firm, was the victim of a cyberattack that went undetected for months. The attackers injected malware into routine software updates that were then rolled out to as many as 18,000 government entities and Fortune 500 companies, all clients of SolarWinds.