The revelation earlier today came from two people close to the investigation, who spoke on condition of anonymity, as the temporary halt on operation of the crucial pipeline – which carries gasoline and other fuel from Texas to the north-east coast of the US – stretched into a third day following Friday’s attack.
US President Joe Biden’s administration says an “all-hands-on-deck” effort is already underway to restore pipeline operations and avoid any disruption to the energy supply.
Experts said that gasoline prices are unlikely to be affected if the pipeline is back to normal in the next few days, but that the incident – the worst cyber attack to date on critical US infrastructure – should serve as a wake-up call to companies about the vulnerabilities they face.
The pipeline, operated by Georgia-based Colonial Pipeline, delivers roughly 45 per cent of all fuel – petrol, diesel, jet fuel and home heating oil – consumed on the East Coast, according to the company. The fuel comes primarily from refineries on the Gulf Coast and is carried from Texas up to New Jersey.
The line was hit by what Colonial called a ransomware attack, in which hackers typically lock up computer systems by encrypting data, paralysing networks, and then demand a large ransom to unscramble it.
On Sunday, Colonial Pipeline said it was actively in the process of restoring some of its IT systems. It said it remains in contact with law enforcement and other federal agencies, including the Department of Energy, which is leading the federal government response. The company has not yet confirmed what has been demanded or who made the demands.
However, two people close to the investigation, speaking on condition of anonymity, identified the culprit as DarkSide. This criminal organisation is among ransomware gangs that have “professionalised” an illegal hacking industry that has cost Western nations tens of billions of dollars in losses over just the past three years.
DarkSide claims that it does not attack hospitals and nursing homes, educational or government targets and that it donates a portion of its take to charity. It has been active since August 2020 and, typical of the most potent ransomware gangs, is known to avoid targeting organisations in former Soviet bloc nations.
Colonial has not said whether it has paid or is still negotiating any ransom. For its part, DarkSide has neither announced the attack on its dark web site, nor has it responded to queries from Associated Press reporters.
It has previously been observed that such a lack of acknowledgment typically indicates that a victim of a cyber attack is either negotiating with or has already paid the hackers.
On Sunday, Colonial Pipeline said it is developing a “system restart” plan. It said its main pipeline remains offline, but that some smaller lines are now operational. The company said the ransomware attack on Friday affected some of its information technology systems and that the company moved “proactively” to take certain systems offline, halting pipeline operations.
It has also hired a cyber-security firm to investigate the nature and scope of the attack and has contacted law enforcement and federal agencies. In a statement, Colonial Pipeline said it was now “taking steps to understand and resolve this issue”, focused primarily on “the safe and efficient restoration of our service and our efforts to return to normal operation”. It said it was “working diligently to address this matter and to minimise disruption to our customers and those who rely on Colonial Pipeline”.
The attack on a pipeline operator underscored the vulnerability of critical infrastructure to cyber attacks, both by criminal hackers and US adversaries. This extortion tactic, increasingly popular among criminals, presents a new challenge for the US, which is still grappling with its response to major hacks from months ago, including a massive breach of government agencies and corporations for which the US sanctioned Russia last month.
Oil analyst Andy Lipow said the impact of the attack on fuel supplies and prices depends on how long the pipeline is down. Speaking to Associated Press, Lipow said an outage of one or two days would have minimal effect, but an outage of five or six days could cause shortages and price hikes, particularly in an area stretching from central Alabama to the Washington, DC, area.
A key concern about a lengthy delay would be the supply of jet fuel needed to keep major airports operating, such as those in Atlanta and Charlotte, North Carolina.
Industrial systems that directly manage a pipeline’s operation have been increasingly connected to computer networks in the past decade, to facilitate easier monitoring. To guard against cyber attack, the companies running such critical infrastructure in the energy and electricity industries have typically invested more heavily in cyber security than other sectors, precisely because of the threat posed by bad actors such as DarkSide.
Experts have posited that if Colonial’s shutdown was mostly precautionary – i.e. if it detected the ransomware attack early and was well-prepared – the impact may not be so great.
Peter Grimmond, head of technology, Veritas Technologies, commented: “The truth of digital transformation is that we’re all much more vulnerable than we used to be. The more that hospitals, traffic management systems, policing or, in this case, fuel supplies, rely on data, the greater the impact that hackers can have by interfering with it. This has driven the explosion in ransomware that we’ve seen over recent months: the more impact that a hacker can have, the more likely their victims are to pay to get their systems back online.
“Veritas has shown how bad the situation has become over the last year, finding that 64 per cent of global businesses have failed to evolve their security policies fast enough to keep pace with their digital transformation projects. As a result, 61 per cent of utilities companies who have experienced an attack have paid at least part of the ransom – that compares with just 44 per cent for the publishing industry, but goes up to 79 per cent for the healthcare sector.
“The only way to break the cycle of ransomware is for businesses managing critical infrastructure to focus on protecting their data, rather than mitigating the cost of paying ransoms. If organisations can bring their protection and availability solutions up to speed with their transformation projects, they’ll be better able to simply spin alternative IT environments, with clean versions of their data, that enable them to quickly return to providing their critical services without the need to engage with the hackers.”
Steve Bradford, senior vice president at cyber-security firm SailPoint, said: “Governments and businesses alike face the threat of bigger, more sophisticated attacks from ransomware – ones where cyber criminals have worked methodically to develop software to steal vast quantities of data and where they can take advantage of vulnerabilities that come with multiple access points from remote working.
“Ransomware has become so effective that many organisations have simply paid ransom, sometimes to the tune of thousands of dollars. Multiple security controls must be standard best practice for cyber security, to reduce the risk of ransomware along with other malicious malware threats.”
New US President Joe Biden now finds himself caught in a bind over conversations around guaranteeing the US energy supply, having cancelled a controversial permit for TC Energy’s Keystone XL oil pipeline project from Canada on day one of his administration in January.
Meanwhile, a 2019 report noted that a crisis may be looming over expanding US oil and gas infrastructure projects, as boom-fueled optimism runs into increasingly immutable climate realities and fiscal limits. The Biden administration has already laid out its ambitious environmental targets for the US.