More on the Colonial Pipeline Shutdown
Added 2021-05-11 17:41:43 +0000 UTC. By Shannon Morse, ThreatWire
Over the weekend, Colonial Pipeline started alerting the public that they’d halted all pipeline operations and taken their networks offline, but didn’t tell reporters whether or not it was a cybersecurity issue until a few hours later. At about noon on Saturday, we learned from their own press release that it was a cyberattack. Colonial Pipeline learned it was targeted in an attack on May 7. They stated this incident involves ransomware, and that they proactively took systems offline for threat containment, which in turn affected their operations and IT systems. A third-party cybersecurity firm is working with Colonial Pipeline to conduct an investigation, and law enforcement has been notified.
On Sunday evening, the company again issued a press release, stating they were developing a system restart plan, but all their mainlines remained offline. On Monday at noon, they made another update stating pipelines will be brought back online in a stepwise fashion.
Colonial Pipeline Co supplies the east coast with 45% of its liquid gasoline and diesel fuel, and it’s the largest fuel pipeline in the US, transporting 2.5 million barrels per day through 5500 miles of pipeline. They supply gasoline and diesel as well as jet fuel and heating oil, and they serve military facilities. It wasn’t immediately known whether the shutdown was a response to the ransomware alone, or whether a safety concern had come up in their industrial control systems as well. According to the Wall Street Journal, two people who were briefed on the attack stated it was limited to information systems, not the ICS.
A huge concern from analysts and the public in the know is whether this would affect gas prices, and it would, if the pipes stayed offline for several days. But since they’re starting to come back online as of recording time, this probably won’t be the case. Also, the US Department of Transportation issued temporary hours-of-service exemptions in response, to avoid any disruptions to supply. This gives drivers carrying fuel to specific states affected by the Colonial Pipeline shutdown more flexibility in terms of service hours.
On Monday, the FBI tweeted that Darkside ransomware was behind the attack and the Darkside hacking group also released a statement saying, “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives (I’m quoting directly here). Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
But the consequences of attacking infrastructure as critical as a pipeline could well put this group in the US government’s crosshairs for investigation. We don’t know if Darkside will turn over the decryption keys to Colonial Pipeline for their ransomware or if they’re still demanding payment, nor do we know if Colonial has paid a ransom.
Colonial Pipeline is hoping to have operations substantially restored by the end of this week.
Support ThreatWire! https://www.patreon.com/threatwire
Links:
https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption
https://threatpost.com/pipeline-crippled-ransomware/165963/
https://twitter.com/FBI/status/1391783864016703493
https://twitter.com/darktracer_int/status/1391735232991092738