Colonial Pipeline, a leading US fuel pipeline operator that supplies around 45% of the fuel consumed on the US East Coast, suffered a ransomware attack late last week that forced it to shut down all pipeline operations and take urgent steps to restore service.
Colonial Pipeline is the largest refined products pipeline company in the United States, transporting more than 2.5 million barrels of fuel every day to fourteen states via 5,500 miles of pipe and directly serving seven airports. Founded in 1962, the company serves over 50 million Americans and delivers various grades of gasoline, diesel fuel, home heating oil, jet fuel, and fuels for the U.S. military.
On Saturday, Colonial Pipeline announced via a press release that it had suffered a ransomware attack and had taken certain systems offline to contain the threat, which in turn halted all pipeline operations and rendered some IT systems non-functional.
In a more detailed note on Sunday, the company said it had engaged third-party cybersecurity experts to investigate the incident and was working on a system restart plan to restore operations in a phased manner. “While our mainlines (Lines 1, 2, 3 and 4) remain offline, some smaller lateral lines between terminals and delivery points are now operational. We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.
“At this time, our primary focus continues to be the safe and efficient restoration of service to our pipeline system, while minimizing disruption to our customers and all those who rely on Colonial Pipeline. We appreciate the patience and outpouring of support we have received from others throughout the industry,” the company said.
Earlier today, the company issued further updates about the ransomware attack, stating that it is dedicating vast resources to restoring pipeline operations quickly and safely and is bringing some of its pipelines back online in a phased manner. “Restoring our network to normal operations is a process that requires the diligent remediation of our systems, and this takes time.
“While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach. This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week,” it added.
While the company has yet to name the ransomware variant used against it, the FBI has confirmed that DarkSide ransomware was the culprit. “The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation,” the agency says.
According to cybersecurity firm Varonis, the DarkSide ransomware group is known for its professional operations and large ransoms, and its attacks reveal a deep knowledge of victims’ infrastructure, security technologies, and weaknesses.
“They provide web chat support to victims, build intricate data leak storage systems with redundancy, and perform financial analysis of victims prior to attacking. They have publicly stated that they prefer not to attack hospitals, schools, non-profits, and governments, but rather big organizations that can afford to pay large ransoms.
“Our reverse engineering revealed that Darkside’s malware will check device language settings to ensure they don’t attack Russia-based organizations. They have also answered questions on Q&A forums in Russian and are actively recruiting Russian-speaking partners,” the firm says.
Commenting on the DarkSide ransomware attack targeting Colonial Pipeline, Lewis Jones, Threat Intelligence Analyst at Talion, says that the attack appears to be one of the most disruptive ransomware attacks ever reported, highlighting the vulnerabilities in the energy sector and why it is often targeted by attackers. A long-term ransomware negotiation within the energy sector could cause mass disruption and increase the likelihood of payment.
“The fact that the US government has quickly issued emergency legislation to relax rules on road fuel transportation highlights how concerning this attack is. A longer term implication of the attack could create a delay in delivery and disruption of the supply chain. This would cause an increase in price at a time when the economy is already fragile due to the current pandemic.”
According to Andy Norton, European Cyber Risk Officer at Armis, what is troubling is the lack of progress critical infrastructure providers seem to be making in becoming resilient to these attacks. Both the NIST Cybersecurity Framework and ISA 99, published by the International Society of Automation and now IEC 62443, have been available for several years as the compliance measures for cyber resilience in ICS and critical infrastructure providers.
“However, it would appear that many of the requirements outlined in the frameworks are not being adhered to because the infection methods of the crime gangs, expected to be DarkSide, are well known and provisioned for in both frameworks. So, it would appear to be missing in practice,” he adds.