Colonial Restarts Operations Following Ransomware Attack
Critical Infrastructure Security
,
Cybercrime
,
Cybercrime as-a-service
Company Says It Will Take Several Days for Supply Chain to Return to Normal
Colonial Pipeline Co. announced Wednesday that the company had restarted its operations following a ransomware attack last Friday that had forced the firm to shut down its IT systems to keep the malware from spreading throughout its infrastructure.
See Also: Live Webinar | Software Security: Prescriptive vs. Descriptive
The company says it restarted its operations around 5 p.m. Eastern Daylight Time on Wednesday. Before the announcement, Colonial had set a goal of week’s end to bring some of its pipeline operations back online.
Following the announcement from Colonial, President Joe Biden signed an executive order Wednesday night that is designed to help strengthen the government’s response to attacks such as this, as well as those involving SolarWinds and Microsoft Exchange servers.
Days Needed to Return to Normal
Colonial did note that it would take several more days to restore its supply chain operations to normal. The Georgia-based company connects refineries in the Gulf Coast to customers throughout the southern and eastern U.S. through a pipeline system of more than 5,500 miles. This pipeline carries gasoline, diesel, jet fuel and home heating oil as well as fuel for the military. Colonial Pipeline transports about 45% of all the fuel consumed on the East Coast.
“Following this restart, it will take several days for the product delivery supply chain to return to normal. Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during the start-up period. Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal,” according to Colonial’s statement.
Latest Update – Colonial Pipeline Return to Service: https://t.co/WkosDxQ0CV pic.twitter.com/mWTuJBVHVM
— Colonial Pipeline (@Colpipe) May 12, 2021
While Colonial is working toward restoring service to its customers, the company has not commented on the ransomware attack that forced it to shut down its IT infrastructure as a precaution on May 7. The company did note that as part of the startup process: “Colonial will conduct a comprehensive series of pipeline safety assessments in compliance with all Federal pipeline safety requirements.”
And while Colonial Pipeline has restarted operations, the Washington Post reports that several states in the Southeast U.S. are reporting gasoline and fuel shortage due to the pipeline outage. Governors in Florida, North Carolina, Georgia and Virginia have all declared states of emergency.
Ransomware Attack
Meanwhile, the ransomware attack that caused the disruptions with Colonial remains under investigation by the FBI with assistance from the U.S. Cybersecurity and Infrastructure Security Agency. Both the bureau and the White House have attributed the attack to a strain of ransomware called DarkSide, which was developed by a ransomware-as-a-service group of the same name (see: FBI: DarkSide Ransomware Used in Colonial Pipeline Attack).
While a relatively new ransomware group that first appeared in Russian-speaking forums in August 2020, DarkSide and its affiliates have already made a significant impact and are part of a group of cybercriminals known for “big-game hunting” attacks against companies and firms and asking for million in ransomware as part of double-extortion tactics that included not only encrypting data but stealing information and then demanding payment from victims (see: Rise of DarkSide: Ransomware Victims Have Been Surging).
In a report released this week, FireEye’s Mandiant research team found that the DarkSide’s affiliate model has proven successful in the time the group started attacking organizations, and Sophos notes that the group’s malicious code can target and encrypt Windows as well as Linux systems.
On Wednesday, CNBC reported that the DarkSide group and its affiliates have targeted another three organizations within the past several days.
And while DarkSide and its affiliates are known for their extortion tactics and ransom demands, Colonial Pipeline has not confirmed if it’s in contact with the attackers or if any demands have been received. The FBI advises ransomware victims not to pay as it may encourage other attacks (see: DarkSide’s Pipeline Ransomware Hit: Strictly Business?).
Government Effort
The attack against Colonial Pipeline not only spurred a law enforcement response, but the Biden administration also deployed the Energy, Transportation, Homeland Security, Treasury and Defense departments to respond to the attack as well as keep gas storage to a minimum and prevent price spikes.
On Tuesday and Wednesday, lawmakers from both parties started to propose new laws to address ransomware and other attacks, and hearings are expected to be held to consider how the oil and gas industry conducts its security operations and how it can respond to cybersecurity incidents (see: Colonial Pipeline Attack Leads to Calls for Cyber Regs).
Sam Curry, chief security officer at Cybereason, which has conducted its own research into DarkSide, notes that once the pipeline becomes operational again and IT systems return to normal, Colonial and CISA can then gain a better understanding of what happened.
“The most important thing is to get them operational again and then in the cool light of day to understand what happened,” Curry says. “We have to avoid bayoneting the wounded and give Colonial a chance to recover, to work with authorities, and to share data and lessons learned when they can. Transparency will help here, and collectively there will no doubt that lessons will be learned.”
