The Colonial pipeline ransomware cyberattack: How a major oil pipeline got held for ransom

A major oil pipeline is coming back online after a several-day outage resulting from a cyberattack that caused gas prices to surge and gas stations in multiple states to experience shortages. After nearly a week of being shut down, the Colonial Pipeline Company announced on May 12 that it was restarting pipeline operations and that the supply chain would “return to normal” within the next several days.

“Colonial Pipeline initiated the restart of pipeline operations today at approximately 5 p.m. ET,” the company said in a statement. “Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during the start-up period. Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal.”

A ransomware attack from what appears to be a criminal hacker group based in Eastern Europe took the pipeline down, causing the Biden administration to declare a regional state of emergency to keep some of the oil supply moving until pipeline service was restored. The cyberattack looks to be the largest ever on an American energy system, and yet another example of cybersecurity vulnerabilities that President Joe Biden has promised to address.

The Colonial Pipeline Company reported on May 7 that it was the victim of a “cybersecurity attack” that “involves ransomware,” forcing the company to take some systems offline and disabling the pipeline. The Georgia-based company says it operates the largest petroleum pipeline in the United States, carrying 2.5 million barrels a day of gasoline, diesel, heating oil, and jet fuel on its 5,500-mile route from Texas to New Jersey.

The pipeline provides nearly half of the East Coast’s fuel supply, and a prolonged shutdown would have caused price increases and shortages to ripple across the industry. That appears to have been averted with the restart, but price increases and shortages happened anyway, largely due to panic rather than supply. Five days after the hack was announced, the national average price for a gallon of regular gas had pushed past $3 for the first time since 2014 (though gas prices were already on an upswing before the pipeline shutdown), with bigger jumps in some states the pipeline serves, including Georgia, the Carolinas, and Virginia. Georgia Gov. Brian Kemp has temporarily suspended the state’s gas tax to compensate for the increased prices. Other states have put price gouging laws into effect.

Gas stations running out of fuel has been another issue, though it’s believed those shortages are due to panic buying rather than a lack of supply. Despite various officials assuring that the shutdown will not significantly affect the gas supply and urging the public not to hoard it, gas stations — mostly in Southern states — have been swarmed by desperate customers until their tanks ran dry.

“It’s more likely that fuel shortages will be a result of panic buying from consumers watching the headlines unfold, as opposed to shortages directly caused by the attack,” Marty Edwards, former director of industrial control systems for CISA, and vice president of operational technology security for Tenable, told Recode. “This is something we saw with Covid and grocery stores selling out of household items. Regardless, it shows the impact cybersecurity has on our everyday lives.”

“It’s much easier to understand the impact of a cyberattack if it directly impacts your day-to-day life,” he added.

The FBI has confirmed that the ransomware used is linked to the hacker group called DarkSide, believed to be based in Eastern Europe. DarkSide does not appear to be linked to any nation-states, saying in a statement that “our goal is to make money, [not to create] problems for society” and that it is apolitical.

According to cybersecurity company Check Point, however, DarkSide supplies its ransomware services to its partners. “This means we know very little on the real threat actor behind the attack on Colonial, who can be any one of the partners of DarkSide,” Lotem Finkelstein, Check Point’s head of threat intelligence, told Recode. “What we do know is that to take down extensive operations like the Colonial pipeline reveals a sophisticated and well-designed cyber attack.”

Reports varied on whether Colonial paid the ransom or not until May 19, when Colonial acknowledged that it did indeed pay $4.4 million worth of bitcoin (which may not be worth $4.4 million anymore). CEO Joseph Blount told the Wall Street Journal that it was a difficult decision, but one that he felt was “the right thing to do for our country.”

Blount added that it will cost Colonial far more — tens of millions of dollars — to completely restore its systems over the next several months.

Ransomware attacks generally use malware to lock companies out of their own systems until a ransom is paid. They’ve surged in the past few years and cost billions of dollars in ransoms paid alone — not counting those that aren’t reported, or any costs associated with having systems offline until the ransom is paid. Ransomware attacks have targeted everything from private businesses to the government to hospitals and health care systems. The latter are especially attractive targets, given how urgent it is to get their systems back up as soon as possible.

Energy systems and suppliers have also been a target of ransomware and cyberattacks. The cybersecurity of America’s energy infrastructure has been a particular concern in recent years, with the Trump administration declaring a national emergency in May 2020 meant to secure America’s bulk power system with an executive order that would forbid the acquisition of equipment from countries that pose an “unacceptable risk to national security or the security and safety of American citizens.”

Details on how the hackers were able to gain access to Colonial’s systems haven’t been made public yet, but Bloomberg reports that the attack began on May 6, with nearly 100 gigabytes of data stolen before Colonial’s computers were locked up. A ransom was demanded, both to stop the data from being leaked on the internet and to unlock the affected systems.

The company and its fuel suppliers hoped that fuel trucks and possibly tankers would make up for some of the shortage. Emergency waivers were given by the Department of Transportation to extend driver hours for trucks and some companies were looking into chartering tankers to deliver the fuel by ship. The latter option would likely mean waiving the Jones Act, a 1920 law that requires domestic shipping to be done on ships that are built, owned, and operated by American citizens or permanent residents. This has been done for other temporary fuel crises; for example, in the wake of Hurricanes Katrina, Rita, and Sandy. With the pipeline resuming operations, however, this step almost certainly won’t have to be taken.

Concern over the attack underscores two of the Biden administration’s stated priorities: improving American infrastructure, and cybersecurity. The large-scale Russian SolarWinds hack, disclosed in December 2020, was shown to have affected several federal government systems. Biden said then that as president, “my administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office. … I will not stand idly by in the face of cyber assaults on our nation.”

Biden has also unveiled a $2 trillion infrastructure plan that includes $100 billion to modernize the electrical grid, which cybersecurity experts hoped would include improved cybersecurity measures. Biden also suspended the Trump bulk power system executive order to roll out his own plan.

And Biden has signed an executive order meant to strengthen the federal government’s cybersecurity standards for software and technology services it uses, which a senior administration official described as a fundamental shift in the federal government’s approach to cybersecurity incidents — away from spot responses and toward trying to prevent them from happening in the first place. The order has been in the works since shortly after Biden took office, the official said.

But these measures are more focused on preventing another SolarWinds-like attack. Federal officials told the New York Times they don’t think the order does enough to prevent a sophisticated attack, nor would it apply to a privately held company like Colonial. The oil pipeline attack might strengthen demands for cybersecurity standards for companies that play an important role in Americans’ lives. As it stands, it’s often left up to them which security measures they use to protect critical systems.

“Ransomware is about extortion and extortion is about pressure,” James Shank, chief architect of community services at cybersecurity company Team Cymru, told Recode. “Impacting fuel distribution gets people’s attention right away. … This emphasizes the need for a coordinated effort that bridges public and private sector capabilities to protect our national interests.”

Assuming the pipeline’s services are fully restored soon, it shouldn’t cause a major or prolonged disruption to the fuel supply chain or hit consumers’ wallets too hard. But the next one — and many cybersecurity experts fear there will be a next one, or several next ones — could be a lot worse if measures aren’t taken at the highest levels to prevent it.

“The shutdown of the Colonial Pipeline by cyber-criminals highlights a massive problem — many of the companies running our critical infrastructure have left their systems vulnerable to hackers through dangerously negligent cybersecurity,” Sen. Ron Wyden (D-OR) said in a statement. “Congress must take action to hold critical infrastructure companies accountable and force them to secure their computer systems.”