A critical pipeline that runs from refineries on the U.S. Gulf Coast to terminals as far north as New York was shut down over the weekend after being hit by a massive ransomware attack.
The company announced Monday evening that its Line 4 between Greensboro, N.C., to Woodbine, Md., was operating under manual control, although its main lines were still shut down.
In remarks Monday at the White House, President Biden said the federal government is investigating the attack. “My administration takes this very seriously,” he said.
Here’s what we know so far:
Colonial Pipeline Co., which operates a 5,500-mile pipeline that delivers 45% of the gasoline and jet fuel supplied to the U.S. East Coast, said Friday that it had been the victim of a ransomware attack.
In response to the attack, the company quickly “took certain systems offline to contain the threat,” it said in a statement. Colonial said those actions “temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring.”
The BBC reported that Colonial’s network was compromised on Thursday and almost 100 gigabytes of data were taken hostage. The hackers reportedly locked the data on some computers and servers and are threatening to leak it to the internet if the undisclosed ransom is not paid.
At a White House media briefing Monday, homeland security adviser Elizabeth Sherwood-Randall said that Colonial had shut down the pipeline as a “precautionary measure” to “ensure that ransomware could not transfer from business systems to those that control and operate the pipeline.”
Who is responsible for the attack?
Suspicion quickly landed on a relatively new but shadowy group of hackers and veteran cybercriminals who have developed ransomware software known as DarkSide. On Monday, the FBI in a brief statement said that it “confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks.”
At Monday’s White House briefing, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, described the attack as “ransomware as a service variant” in which “criminal affiliates conduct attacks and then share proceeds with the ransomware’s developers.”
She called this type of attack “new and troubling” and said that the FBI had been investigating DarkSide since October.
The website Bleeping Computer, which covers computer technology, published an article in August introducing DarkSide and saying that the group had begun attacks that month.
The website published a “press release” purporting to be from DarkSide that said the group “will only attack companies that can pay the requested amount, we do not want to kill your business.”
“Based on our principles,” it continued, “we will not attack” hospitals, schools and universities, nonprofit organizations and the government sector.
DarkSide, in the purported press release, threatened to publish data it locks and send notification of the leak to “the media and your partners and customers” and to “NEVER provide you decryptors” unless the ransom is paid.
At the time, DarkSide’s ransom demands ranged from $200,000 to $2 million.
Reuters reported that like many other such groups, DarkSide “seems to spare Russian, Kazakh and Ukrainian-speaking companies, suggesting a link to the former Soviet republics.”
Biden suggested that the hackers who targeted Colonial Pipeline are in Russia, though “so far there is no evidence from our intelligence people that Russia is involved.”
Biden said, “There is evidence that the actor’s ransomware is in Russia. They have some responsibility to deal with this.” The president said he would raise the matter with Russian President Vladimir Putin at a proposed meeting now under discussion.
Last month, the Biden administration imposed new sanctions on Russia, specifically targeting technology companies that support efforts by the Kremlin’s intelligence services to target the U.S. with cyberattacks. The sanctions came after hackers, believed to be directed by Russia’s SVR foreign intelligence service, used a routine software update to slip malicious code into software produced by SolarWinds and then used it as a vehicle for a massive cyberattack.
Russia has denied any involvement in the SolarWinds attack.
What will be the impact?
Gas prices are sensitive to sudden disruptions, and the results of the cyberattack could be felt at the gas pump.
Patrick De Haan, the head of petroleum analysis at GasBuddy, tweeted, “The challenges brought on by the Colonial Pipeline [shutdown] would likely not appear for several days or longer.”
The average price of gasoline in the U.S. on Monday is $2.967 per gallon, up just a fraction of a cent from Sunday, according to AAA.
Spot shortages of diesel and jet fuel could also occur, according to Natural Gas Intelligence, a provider of data and news on North American energy markets.
At the White House, Sherwood-Randall said that “right now there is not a supply shortage.”
“We are preparing for multiple possible contingencies because that’s our job, especially on the homeland security team,” she said.
How long will it be shut down?
We don’t know yet. Colonial Pipeline said its return to service will take time.
“While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach,” it said.
Homeland security adviser Sherwood-Randall said: “Thus far, Colonial has told us that the pipeline has not suffered damage and can be brought back online relatively quickly,” but she said the company stressed the need for safety “given that it has never before taken the whole pipeline down.”
What is being done to mitigate the disruption?
There are smaller pipelines that serve some areas of the country but none as big as the one run by Colonial — so a long-term shutdown could be significant.
The Biden administration sought over the weekend to “mitigate potential disruptions to supply,” White House press secretary Jen Psaki said in a tweet. The Department of Transportation issued a temporary easing of some restrictions on drivers hauling fuel “to allow flexibility for truckers in 17 states,” she said.
Meanwhile, Reuters, quoting data from the analytics firm Refinitiv Eikon, reported that traders have provisionally booked at least six tankers to ship gasoline from Europe to the United States.
Should we have expected this?
Ransomware attacks have become increasingly common in recent years, with several municipalities, such as the city of Atlanta, having their data or computer systems held hostage by hackers.
In testimony last week before the House Subcommittee on Cybersecurity, Infrastructure Protection & Innovation, Christopher Krebs, the former top cyber official in the Department of Homeland Security, told lawmakers that the ransomware emergency in the U.S. was a “digital dumpster fire.”
“Even if software and services were more secure, the allure of a quick buck and no real repercussions means the forward-looking prospects for ransomware actors are quite good,” he said.
Late last year, Krebs tried to correct disinformation about election fraud and was subsequently fired by then-President Donald Trump.
In 2018, the Government Accountability Office issued an audit concluding that the Department of Homeland Security wasn’t doing enough to protect natural gas and oil pipelines. It said such pipelines “are vulnerable to accidents, operating errors, and malicious physical and cyber-based attack or intrusion.”
A previous version of this story incorrectly said that a purported press release from DarkSide claimed the group is prepared to attack hospitals, schools and universities, nonprofit organizations and the government sector. The press release in fact said DarkSide would not attack such targets, because of “our principles.”