Colonial Pipeline, targeted by ransomware attack, says service could be ‘substantially’ restored by week’s end

Source: By Will Englund, Ellen Nakashima and Taylor Telford, Washington Post • Posted: Monday, May 10, 2021

Fallout from the massive cyberattack may have regional repercussions in the Southeast if repairs drag on.


The Colonial fuel pipeline running from Houston to New Jersey could be “substantially” restored to service by the end of the week after a ransomware attack caused it to be shut down, the company that runs it said Monday.

“While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach,” a statement posted on the company’s website said.

The closure of the country’s largest fuel pipeline on Friday afternoon threatened gasoline and jet fuel supplies for much of the Eastern Seaboard. A full week offline could put pressure temporarily on prices as storage supplies dwindle, but would be unlikely to cause a major disruption.

The Colonial Pipeline cyberattack — believed to be the biggest on U.S. oil infrastructure — prompted the White House to pull together a task force and the Department of Transportation to temporarily relax rules to allow greater flexibility on fuel transport. Fuel price futures climbed more than 1 percent in anticipation of a possible shortage, but as of Monday, the average price for a gallon of gas was still $2.96, according to AAA.

The FBI is investigating the attack as a criminal matter, and on Monday issued an official statement confirming DarkSide was responsible. The Washington Post reported Saturday that federal officials believed DarkSide, a criminal ransomware group based in Eastern Europe, was behind the attack.

“So far there is no evidence from our intelligence people that Russia is involved,” President Biden said Monday. “Although there is some evidence that the actors’ ransomware is in Russia. They have some responsibility to deal with this.”

Some 5,500 miles of Colonial pipeline moves fuel from Gulf Coast refineries to customers in the southern and eastern United States. It says it transports 45 percent of the fuel consumed on the East Coast, reaching 50 million Americans and several major airports, including Hartsfield-Jackson in Atlanta.

On Monday, Colonial Pipeline said that maintaining the pipeline’s operational security and getting systems safely back online were its highest priorities.

“We continue to evaluate product inventory in storage tanks at our facilities and others along our system and are working with our shippers to move this product to terminals for local delivery,” the company said.

On Sunday it had reported that it had restored operations on some of its smaller lateral lines.

It is unlikely the shutdown will translate to major shortages or price increases, but it could have some regional effects in the Southeast if repairs drag on, said Patrick De Haan, head of petroleum analysis at Gas Buddy. Panic-buying will “prolong outages and price spikes,” he warned.

“It is true that if the pipeline remains out of service into the early part of next week, roughly Tuesday or so, that some gas stations may run low on gasoline,” De Haan said in commentary Sunday. “Tank farms that take the gasoline from the pipeline are likely starting to see supply run low, so it is vital that motorists do not overwhelm the system by filling their tanks.”

Repairs taking a week or so would hamper oil production in the East, according to analysis by Roger Read, a securities analyst at Wells Fargo. After more than 10 days of disruption, “expect significant fuel shortages in the interior Southeast of the U.S.,” Read said in a Sunday research note.

In 2016, gas prices in Georgia soared 30 cents when a major leak forced the Colonial Pipeline offline for more than 10 days, Reuters reported.

There are just two major refineries on the East Coast, in Delaware City, Del., and Linden, N.J. Crude oil is delivered to them by sea and by rail, but together they produce about 345,000 barrels of various products a day, or about 14 percent of the Colonial Pipeline capacity.

Reuters reported Monday that traders have provisionally booked at least six additional tankers to carry petroleum products from Europe to U.S. ports on the East Coast. The trip typically takes 10 to 11 days with another four days needed for loading and discharging, said Peter Sands, an analyst with the Denmark-based international shipping association Bimco.

One step the Biden administration could take would be to waive the Jones Act, which would allow foreign-flagged tankers to operate between U.S. ports, carrying petroleum products from the Gulf Coast refineries to the Mid-Atlantic and Northeast. Sands said that there are plenty of available ships, and rates are still quite low because of the global slowdown caused by the pandemic.

The Colonial Pipeline attackers used ransomware, malware that locks up computer systems, usually by encrypting their data, and then demanded payment to restore access. Such attacks have become a global scourge, hitting banks, hospitals, universities and municipalities in recent years. Almost 2,400 organizations in the United States were victimized last year alone, one security firm reported. But the attackers are increasingly targeting industrial sectors because these firms are more willing to pay up to regain control of their systems, experts say.

DarkSide, the Eastern European-based criminal gang suspected of carrying out the attack, said in a notice that its motivation was purely financial. Cybersecurity researchers believe that DarkSide operates mostly out of Russia, which U.S. officials and cybersecurity experts have accused of harboring cyber criminals.

“Our goal is to make money and not creating problems for society,” the message said. “From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

Indeed, it went so far as to say it was introducing a system of “moderation” to “check each company that our partners want to encrypt to avoid social consequences in the future.”

Deputy National Security Adviser for Cyber Anne Neuberger said that the FBI has been investigating DarkSide since October. She said DarkSide operates using a “ransomware-as-a-service” model, in which a criminal group develops the ransomware and then allows an affiliate to deploy it for a fee or a cut of the proceeds. In this case, DarkSide developed the ransomware, private sector researchers said.

The group appears to have emerged fairly recently. Cybereason, a private security firm, first took note of DarkSide only last year — in August. “They became very active very quickly in a very organized manner,” said Lior Div, Cybereason CEO. “This leads us to believe that these are experienced people who know exactly what they’re doing.”

Citing circumstantial evidence, analysts say DarkSide operates mostly from Russia. The group refrains from hitting targets in Russia. The group’s spokesman, Darksupp, speaks Russian. And it does not hire English speakers, according to Dmitry Smilyanets, a cyber threat intelligence expert at the cybersecurity firm Recorded Future.

“If they see a Russian keyboard, they steer clear,” Div said. “This is usually a strong indication that you’re working from Russia or former Soviet countries and you don’t want to anger the government there.”

Neuberger said that so far the U.S. government has not seen a connection to any foreign government. But, she added, “our intelligence community is looking for any ties to any nation state actors.”

Moscow has long been known to harbor criminal cyber hackers, who for their part avoid targeting victims inside Russia.

Researchers have noted that DarkSide has engaged in “double extortion,” or threatening to release a victim’s data unless a ransom is paid. This technique, Cybereason has noted, effectively renders moot the strategy of backing up data as a precaution.

Sometimes, Smilyanets said, the threat to release data is more effective than the encryption itself in coercing a victim to pay a ransom.

In April, he said, the group posted on its blog that it was willing to provide breach information related to companies publicly traded on NASDAQ and other stock exchanges to interested parties who wanted to short the stock and profit off the insider information.

Neuberger acknowledged that the FBI has traditionally advised companies not to pay the ransom to avoid encouraging further activity. “We recognize, though,” she said, “that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data.”

That is why, she said, “we need to look thoughtfully at this area, including with our international partners, to determine what we do, in addition to actively disrupting infrastructure and holding perpetrators accountable to ensure that we’re not encouraging the rise of ransomware.”

The administration learned of the shutdown on Friday night, Sherwood-Randall said. Since then, the White House has convened an interagency team that includes the lead incident response agency, the Department of Energy, as well as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, the Treasury Department, the Pentagon and other agencies. She said Energy has been in contact with state and local agencies to assess impacts and has convened a group that includes the oil, natural gas and electric sectors to share details about the ransomware attack.

Last year, the Cybersecurity and Infrastructure Security Agency warned pipeline operators about the threat of ransomware. CISA responded to a ransomware attack on a natural gas compression facility in which the attacker gained access to the corporate network and then pivoted to the operational network, where it encrypted data on various devices. As a result, the firm shut down operations for about two days, CISA said.

Colonial Pipeline poses specific issues in defending against cyberattacks, said Peter McNally, of the analytical firm Third Bridge.

“This pipeline has mixed both off the shelf and custom [technology] systems, which could complicate potential solutions to the current issue,” he wrote in a note. “There is a tremendous amount of technology involved in this operation, all the way from the inspection of the pipeline to the accounting and financial systems.”

A further complication, he wrote, is that Colonial hires thousands of outside contractors in addition to its own employees.