The blitz that caused Colonial Pipeline to shut down the biggest US gasoline pipeline on Friday began with hackers launching a cyber-attack against the company a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment, Bloomberg reported on Sunday morning citing people familiar with the matter.
The intruders, part of a cybercrime gang called DarkSide, took nearly 100 gigabytes of data out of the Alpharetta, Georgia-based company’s network in just two hours on Thursday, two people involved in Colonial’s investigation said.
The move was part of a double-extortion scheme that is one of the group’s hallmarks. Colonial was told that the stolen data would be leaked to the internet, and that the information encrypted by the hackers on computers inside the network would remain locked, unless it paid a ransom, said the people, who asked not to be identified because the information isn’t public, Bloomberg added.
The company said that it “proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”
“This is as close as you can get to the jugular of infrastructure in the United States,” said Amy Myers Jaffe, research professor and managing director of the Climate Policy Lab. “It’s not a major pipeline. It’s the pipeline.” The White House said that Biden was briefed on the incident Saturday morning.
Colonial’s decision late Friday to shut down a pipeline that is the main source of gasoline, diesel and jet fuel for the East Coast, without saying when it would reopen, represents a dangerous new escalation in the fight against ransomware, which President Joe Biden’s administration has identified as a priority.
It’s not clear how much money the attackers demanded or whether Colonial has paid. Ransomware demands can range from several hundred dollars to millions of dollars in cryptocurrency. Many companies pay, often facilitated by their insurers.
The White House was working closely with Colonial Pipeline on Sunday to help it recover from the ransomware. The attack is one of the most disruptive digital ransom schemes reported and has prompted calls from American lawmakers to strengthen protections for critical US energy infrastructure from hacking attacks, a Reuters news report said.
Commerce Secretary Gina Raimondo said the pipeline fix was a top priority for the Biden administration, and that Washington was working to avoid more severe fuel supply disruptions by helping Colonial restart its more than 5,500-mile (8,850 km) pipeline network from Texas to New Jersey as quickly as possible, Reuters added.
“It’s an all hands on deck effort right now,” Raimondo said on CBS’ “Face the Nation” program. “We are working closely with the company, state and local officials, to make sure that they get back up to normal operations as quickly as possible and there aren’t disruptions in supply.”
Colonial said on Sunday that its main fuel lines remain offline but that some smaller lines between terminals and delivery points are now operational. The company has not given an estimate for a full restart date.
US gasoline futures jumped more than 3% to $2.217 a gallon, the highest since May 2018, as trading opened for the week and market participants reacted to the closure.
Colonial transports roughly 2.5 million barrels per day of gasoline and other fuels from refiners on the Gulf Coast to consumers in the mid-Atlantic and southeastern United States. Its extensive pipeline network serves major US airports, including Atlanta’s Hartsfield Jackson Airport, the world’s busiest by passenger traffic.
The company website says: “Colonial Pipeline Company connects refineries with customers and markets throughout the Southern and Eastern United States through a pipeline system that spans more than 5,500 miles between Houston, Texas and Linden, New Jersey.”
Cyber-attacks have disrupted the operations of other energy assets in the US in recent years. Last year, the Department of Homeland Security revealed that an attack brought down an unnamed natural gas compressor facility for two days. In April 2018, several natural gas pipeline operators had service interruptions because of the hack of a third-party provider whose technology enables electronic communications between the entities, the Bloomberg report added, providing context.
The theft of Colonial’s data, coupled with the detonation of ransomware on the company’s computers, highlights the leverage that hackers often have over their victims in such cases. The company said FireEye Inc.’s Mandiant digital forensics division is assisting with the investigation.
A series of major cyber-attacks in recent weeks also underscored the brazenness of the attackers and the challenges of tackling the problem of ransomware.