Hackers have used a ransomware attack to shut a major American oil pipeline down for several days, forcing the Biden administration to declare a regional state of emergency to keep some of the oil supply moving until the pipeline can function again. The cyberattack looks to be the largest ever on an American energy system, and yet another example of cybersecurity vulnerabilities that President Biden has promised to address.
The Colonial Pipeline Company reported on May 7 that it was the victim of a “cybersecurity attack” that “involves ransomware,” forcing the company to take some systems offline and disabling the pipeline. The Georgia-based company says it operates the largest petroleum pipeline in the United States, carrying 2.5 million barrels a day of gasoline, diesel, heating oil, and jet fuel on its 5,500-mile route from Texas to New Jersey.
The pipeline provides nearly half of the East Coast’s fuel supply, and a prolonged shutdown could cause price increases and shortages to ripple across the industry. Colonial said on Monday that it hoped to “substantially restore” its operations by the end of the week and minimize disruption caused by the shutdown. According to the Washington Post, a weeklong stoppage could cause a small, temporary increase in gas prices.
The FBI has confirmed that the ransomware used is linked to the hacker group called DarkSide, believed to be based in Eastern Europe. DarkSide does not appear to be linked to any nation-states, saying in a statement that “our goal is to make money, [not to create] problems for society” and that it is apolitical.
According to cybersecurity company Check Point, however, DarkSide supplies its ransomware services to its partners. “This means we know very little on the real threat actor behind the attack on Colonial, who can be any one of the partners of DarkSide,” Lotem Finkelstein, Check Point’s head of threat intelligence, told Recode. “What we do know is that to take down extensive operations like the Colonial pipeline reveals a sophisticated and well-designed cyber attack.”
It’s not known how much money the hackers are demanding, nor how much, if anything, Colonial has paid — assuming it’s willing to pay anything.
Ransomware attacks generally use malware to lock companies out of their own systems until a ransom is paid. They’ve surged in the past few years and cost billions of dollars in ransoms paid alone — not counting those that aren’t reported and any associated costs with having systems offline until the ransom is paid. Ransomware attacks have targeted everything from private businesses to the government to hospitals and health care systems. The latter are especially attractive targets, given how urgent it is to get their systems back up as soon as possible.
Energy systems and suppliers have also been a target of ransomware and cyberattacks. The cybersecurity of America’s energy infrastructure has been a particular concern in recent years, with the Trump administration declaring a national emergency in May 2020 meant to secure America’s bulk power system with an executive order that would forbid the acquisition of equipment from countries that pose an “unacceptable risk to national security or the security and safety of American citizens.”
Details on how the hackers were able to gain access to Colonial’s systems haven’t been made public yet, but Bloomberg reports that the attack began on May 6, with nearly 100 gigabytes of data stolen before Colonial’s computers were locked up. A ransom was demanded, both to stop the data from being leaked on the internet and to unlock the affected systems.
With the pipeline down, the company and its fuel suppliers are hoping that fuel trucks and possibly tankers will make up for some of the shortage. Emergency waivers were given by the Department of Transportation to extend driver hours for trucks and some companies are looking into chartering tankers to deliver the fuel by ship. The latter option would likely mean waiving the Jones Act, a 1920 law that requires domestic shipping to be done on ships that are built, owned, and operated by American citizens or permanent residents. This has been done for other temporary fuel crises, for example in the wake of Hurricanes Katrina, Rita, and Sandy. But these measures won’t be enough to fully replace the oil that the pipeline delivers.
Concern over the attack underscores two of the Biden administration’s stated priorities: improving American infrastructure and cybersecurity. The large-scale Russian SolarWinds hack, disclosed in December 2020, was shown to have affected several federal government systems. Biden said then that as president, “my administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office. … I will not stand idly by in the face of cyber assaults on our nation.”
Biden has also unveiled a $2 trillion infrastructure plan that includes $100 billion to modernize the electrical grid, which cybersecurity experts hoped would include improved cybersecurity measures. Biden also suspended the Trump bulk power system executive order to roll out his own plan. And he reportedly plans to unveil an executive order soon that will strengthen cybersecurity at federal agencies and for federal contractors.
But these measures are more focused on preventing another SolarWinds-like attack. Federal officials told the New York Times that they don’t think the order does enough to prevent a sophisticated attack, nor would it apply to a privately held company like Colonial. The oil pipeline attack might strengthen demands for cybersecurity standards for companies that play an important role in Americans’ lives. As it stands, it’s often left up to them about the security measures they use to protect critical systems.
“Ransomware is about extortion and extortion is about pressure,” James Shank, chief architect of community services at cybersecurity and threat intelligence company Team Cymru, told Recode. “Impacting fuel distribution gets peoples’ attention right away. … This emphasizes the need for a coordinated effort that bridges public and private sector capabilities to protect our national interests.”
Assuming the pipeline is back up by the end of the week, it shouldn’t cause a major or prolonged disruption to the fuel supply chain or hit consumers’ wallets too hard. But the next one — and many cybersecurity experts fear there will be a next one, or several next ones — could be a lot worse if measures aren’t taken at the highest levels to prevent it.
“We cannot think of these attacks as impacting private companies only — this is an attack on our country’s infrastructure,” Shank added.