Top US fuel pipeline operator Colonial Pipeline shut its entire network, the source of nearly half of the US East Coast’s fuel supply, after a cyber attack on Friday that involved ransomware.
The incident is one of the most disruptive digital ransom operations ever reported and has drawn attention to how vulnerable US energy infrastructure is to hackers. A prolonged shutdown of the line would cause prices to spike at gasoline pumps ahead of peak summer driving season, a potential blow to US consumers and the economy.
“This is as close as you can get to the jugular of infrastructure in the United States,” said Amy Myers Jaffe, research professor and managing director of the
Climate Policy Lab. “It’s not a major pipeline. It’s the pipeline.”
Colonial transports 2.5 million barrels per day of gasoline, and other fuels through 5,500 miles (8,850 km) of pipelines linking refiners on the Gulf Coast to the eastern and southern United States. It also serves some of the country’s largest airports, including Atlanta’s Hartsfield Jackson Airport, the world’s busiest by passenger traffic.
The company said it shut down its operations after learning of a cyberattack on Friday using ransomware.
“Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation,” it said.
While the US government investigation is in early stages, one former official and two industry sources said the hackers are likely a professional cybercriminal group.
The former official said investigators are looking at a group dubbed “Dark Side,” known for deploying ransomware and extorting victims while avoiding targets in post-Soviet states. Ransomware is a type of malware designed to lock down systems by encrypting data and demanding payment to regain access.
Colonial said it had engaged a cybersecurity firm to help the investigation and contacted law enforcement and federal agencies.
The cybersecurity industry sources said cybersecurity firm FireEye was brought in to respond to the attack. FireEye declined to comment.
US government bodies, including the FBI, said they were aware of the situation but did not yet have details of who was behind the attack.
President Joe Biden was briefed on the incident on Saturday morning, a White House spokesperson said, adding that the government is working to try to help
the company restore operations and prevent supply disruptions.
The Department of Energy said it was monitoring potential impacts to the nation’s energy supply, while both the US Cybersecurity and Infrastructure Security Agency and the Transportation Security Administration told Reuters they were working on the situation.
“We are engaged with the company and our interagency partners regarding the situation. This underscores the threat that ransomware poses to organizations regardless of size or sector,” said Eric Goldstein, executive assistant director of the cybersecurity division at CISA.
Colonial did not give further details or say how long its pipelines would be shut.
The privately held, Georgia-based company is owned by CDPQ Colonial Partners L.P., IFM (US) Colonial Pipeline 2 LLC,KKR-Keats Pipeline Investors L.P.,
Koch Capital Investments Company LLC and Shell Midstream Operating LLC.
“Cybersecurity vulnerabilities have become a systemic issue,” said Algirde Pipikaite, cyber strategy lead at the World Economic Forum’s Centre for Cybersecurity.
“Unless cybersecurity measures are embedded in a technology’s development phase, we are likely to see more frequent attacks on industrial systems like oil and gas pipelines or water treatment plants,” Pipikaite added.
