The largest fuel pipeline in the United States has been forced to shut down due to a ransomware attack, with the United States declaring a state of emergency over the attack.
Colonial Pipeline confirmed the cyberattack occurred over the weekend. The company took its systems offline to contain the threat, which resulted in a temporary halt to all pipeline operations. The 5,500-mile fuel pipeline passes through 12 states and carries approximately 2.5 million barrels of fuel a day, which is around half of the supply of gasoline, diesel, and jet fuel to the East Coast.
Colonial Pipeline issued a statement confirming that its mainlines currently remain offline, although some small lateral lines between terminals and delivery points are now back online. Other services will only be brought back online when the company determines it is safe to do so.
The government’s emergency declaration is intended to limit disruption to fuel supplies and eases the restrictions in place covering fuel delivery via the road network. The emergency declaration covers Alabama, Arkansas, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, Virginia, and the District of Columbia. The emergency declaration will remain in effect until 11:59 P.M. ET on June 8, 2021, or until the state of emergency is declared over, whichever comes first.
The attack is believed to have involved Darkside ransomware. Darkside ransomware first appeared in mid-2020, with the threat group behind the attacks specializing in corporate targets. As with many other ransomware operations, data are exfiltrated before the ransomware is deployed to encrypt files and cripple systems, and the group then threatens to publish or sell the stolen data if the ransom is not paid.
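The two-stage pattern described above (bulk outbound transfer first, file encryption second) is something defenders can look for in endpoint and network telemetry. The following is an added illustration, not code from the original article and not a description of Colonial Pipeline's telemetry or of Darkside's actual tooling: it correlates, per host, a large outbound transfer to one external destination with a subsequent burst of file renames to a single new extension. The event format, hostnames, destination addresses, and thresholds are all constructed assumptions for the example.

```python
"""Correlate an exfiltration-like outbound transfer with a later rename burst
on the same host. Added example; log schema and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumed values, not derived from any real incident).
EXFIL_BYTES = 1_000_000_000          # cumulative bytes to one external destination
RENAME_BURST = 50                    # renames to one new extension...
BURST_WINDOW = timedelta(minutes=10) # ...within this window
MAX_GAP = timedelta(hours=6)         # encryption must follow exfil within this


def _renames(host, start, n, ext, step_s=5):
    """Build n constructed file_rename events spaced step_s seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=i * step_s)).isoformat(),
             "host": host, "type": "file_rename", "ext": ext} for i in range(n)]


# Constructed sample telemetry (hypothetical hosts and RFC 5737 test addresses).
SAMPLE_EVENTS = (
    [  # fs01: ~2 GB to one destination, then 60 renames to ".lock" -> should fire
        {"ts": "2021-05-07T01:00:00", "host": "fs01", "type": "net_out",
         "dst": "203.0.113.10", "bytes": 900_000_000},
        {"ts": "2021-05-07T01:10:00", "host": "fs01", "type": "net_out",
         "dst": "203.0.113.10", "bytes": 1_100_000_000},
    ] + _renames("fs01", "2021-05-07T02:00:00", 60, ".lock")
    + [  # ws07: large transfer (e.g. a backup job) but no renames -> no alert
        {"ts": "2021-05-07T01:00:00", "host": "ws07", "type": "net_out",
         "dst": "198.51.100.5", "bytes": 3_000_000_000},
    ]
    + _renames("ws09", "2021-05-07T03:00:00", 20, ".tmp")  # small batch, no exfil
)


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_burst(renames):
    """Return (first_ts, ext, total) for the first extension whose renames
    include RENAME_BURST events inside BURST_WINDOW, else None."""
    by_ext = defaultdict(list)
    for ts, ext in renames:
        by_ext[ext].append(ts)
    for ext, times in by_ext.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > BURST_WINDOW:  # slide window start forward
                lo += 1
            if hi - lo + 1 >= RENAME_BURST:
                return times[lo], ext, len(times)
    return None


def detect_double_extortion(events):
    """Flag hosts showing exfil-like egress followed by an encryption-like
    rename burst. Returns a list of finding dicts (empty if nothing fires)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        # Stage 1: cumulative outbound bytes per destination; note when any
        # destination first crosses the threshold.
        out, crossed = defaultdict(int), {}
        for e in evs:
            if e["type"] == "net_out":
                out[e["dst"]] += e["bytes"]
                if out[e["dst"]] >= EXFIL_BYTES and e["dst"] not in crossed:
                    crossed[e["dst"]] = _parse(e["ts"])
        if not crossed:
            continue
        dst, exfil_time = min(crossed.items(), key=lambda kv: kv[1])
        # Stage 2: rename burst strictly after the exfil threshold was crossed.
        renames = [(_parse(e["ts"]), e["ext"]) for e in evs
                   if e["type"] == "file_rename" and _parse(e["ts"]) > exfil_time]
        burst = find_burst(renames)
        if burst and burst[0] - exfil_time <= MAX_GAP:
            findings.append({"host": host, "exfil_dst": dst,
                             "exfil_bytes": out[dst], "ext": burst[1],
                             "renames": burst[2],
                             "gap_minutes": (burst[0] - exfil_time).seconds // 60})
    return findings


if __name__ == "__main__":
    for f in detect_double_extortion(SAMPLE_EVENTS):
        print(f)
```

Only the host that shows both stages in order is reported; a large transfer alone (a backup job) or a small batch of renames alone is left out, which keeps the rule specific. In practice the egress stage is the better early-warning signal, because by the time the rename burst appears the encryption has already begun.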
The operator of Darkside ransomware is believed to be a financially motivated Russian cybercriminal group. However, an attack of this nature on critical infrastructure would be in the strategic interests of certain countries, especially oil-producing nations, as disruption to the fuel supply is likely to push oil prices up. At this stage, however, there is no indication that the attack is linked to any nation state.
Update May 11, 2021
The FBI has issued a statement confirming the Darkside ransomware gang was behind the Colonial Pipeline ransomware attack.
The Darkside ransomware gang has also issued a statement on its website confirming its ransomware attacks are financially motivated and are not conducted to cause chaos. On the Darkside website, the group did not reference the Colonial Pipeline attack directly, but said “About the latest news… our goal is to make money, and not creating problems for society.”
The group also said “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives… From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”