Major US fuel pipeline shut down by cybercriminals in ransomware attack

By Robert Scammell

A ransomware attack has forced a major fuel pipeline in the USA to shut down its operations, causing severe disruption to fuel supply on the American East Coast and highlighting the growing threat posed by cyberattacks to critical national infrastructure (CNI).

Colonial Pipeline said it took IT systems offline to “contain the threat” after learning of the attack on Friday. On Sunday evening Colonial Pipeline said some of its “smaller lateral lines between terminals and delivery points are now operational”. However, its main lines remain closed.

Colonial operates one of the largest US pipelines, carrying 45% of the East Coast’s refined gasoline and other fuels from Texas to New York. It transports roughly 2.5 million barrels of fuel per day along 5,500 miles of line.

The company said its corporate computer network had been infected with file-encrypting malware that demands a ransom fee to unlock.

A cybercriminal group with Russian ties known as DarkSide is believed to have infiltrated Colonial’s network on Thursday. Sources told Reuters that DarkSide took 100 gigabytes of data in the attack, threatening to leak it if the ransom fee is not paid.

Colonial has brought in third-party cybersecurity experts to investigate and is working with law enforcement and other federal agencies, including the Department of Energy. The company is in the process of developing a “system restart plan” as experts warned of a rise in fuel prices that could worsen if the attack is not resolved quickly.

In a statement published on Sunday, Colonial said:

“We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with all federal regulations.”

The US government used emergency measures to relax rules on fuel being transported by road in order to help prevent interruptions in supplies.

Calvin Gan, senior manager at cybersecurity company F-Secure’s Tactical Defense Unit, said the strategic importance of the Colonial Pipeline made it an attractive target for ransomware groups. Colonial Pipeline has declined to say whether it would pay the ransom, or give a timeline for returning to full operations.

“The larger the impact to people or nations, the more pressure there is for these organizations to pay up or act upon the breach,” said Gan. “This serves as motivation for attackers to continuously target them because they know they’ll have the ability to push them ‘into the corner’ of paying up.”

The Colonial Pipeline ransomware attack underscores the increasing risk from digital threats to CNI. In February a malicious hacker took remote control of a water treatment facility in Florida and briefly increased sodium hydroxide levels to dangerous amounts.

John Vestberg, co-founder and CEO of Clavister, said: “Critical National Infrastructure, such as oil and gas, is a prime target for these ransomware gangs – systems are underpinned by a myriad of complex information and operational technology devices and so the consequences if these are infiltrated can be devastating.”

Cybersecurity experts have repeatedly warned that remote working, which became far more common during the Covid-19 pandemic, makes prevention of cyberattacks much harder. People working from home tend to use machines connected to corporate or organisation networks for other purposes, opening up potential avenues of attack. Home workers are also more likely to make use of remote-assistance tools such as TeamViewer, which can in some cases be misused by malicious actors.

Steve Forbes, government cybersecurity expert at Nominet, said the attack is “likely to have a ripple effect across the globe”.

He added: “As we watch the domino effect of this cyberattack, it is very apparent that impact is not limited to systems and software – victims will come in all shapes and sizes, from industries to individuals.”