The cybersecurity firm FireEye Inc. said its Mandiant incident response division is assisting with the investigation. President Joe Biden, who’s spending the weekend at Camp David, was briefed on the incident Saturday morning, the White House said.
Colonial is a key artery for the eastern half of the U.S. It’s the main source of gasoline, diesel and jet fuel for the East Coast with capacity of about 2.5 million barrels a day on its system from Houston as far as North Carolina, and another 900,000 barrels a day to New York.
The attack appeared to use a ransomware group called DarkSide, according to Allan Liska, senior threat analyst at cybersecurity firm Recorded Future.
Hacking threats to critical infrastructure have been growing, prompting the White House to respond last month with a plan to try to increase the security of utilities and their suppliers. Pipelines are a specific concern because they play a central role in so many parts of the U.S. economy.
The latest attack comes as the nation’s energy industry gears up for summer travel and stronger fuel demand as pandemic economic restrictions are eased. It’s also an unpleasant reminder of how a cyber-attack brought down the communications systems of several U.S. natural gas pipelines operators in 2018.
The federal government is assessing the implications of the incident, including how to avoid disruptions to supply and help the company restore operations as quickly as possible, a White House spokesperson said.
The U.S. Department of Energy said it’s “monitoring any potential impacts” to supplies, while the Federal Energy Regulatory Commission said it’s in “communication with other federal agencies, and we are working closely with them to monitor developments” following the cyber-attack.
The federal government is also working with state and local authorities on potential additional steps.
When Colonial is running, fuel travels between three and five miles per hour through it. But a long-term shutdown could leave the Northwest more dependent on supplies delivered by tanker. And it could take those cargoes 10 to 14 days to make the voyage to the New York harbor, according to a research note from ClearView Energy Partners.
Other options, such as tapping an emergency federal stockpile of refined products in the Northeast, are “little more than a Band-Aid,” ClearView said. That gasoline supply reserve holds just 1 million barrels of gasoline in New York, Boston and Maine, the analysts noted.
Ransomware cases involve hackers seeding networks with malicious software that encrypts the data and leaves the machines locked until the victims pay the extortion fee, which can range from a few hundred dollars to millions of dollars in cryptocurrency.
Utilities’ information technology networks, which run email and other routine functions, and operational technology networks, which control the actual functioning of the delivery of electricity or natural gas, are typically kept mostly separate, which is what makes Colonial’s decision to temporarily shut down both so unusual.
|More on cyber-attacks:|
|SolarWinds Believes Russian Group Took Data During Cyber-Attack|
|U.S., U.K. Reveal Code Flaws Abused by SolarWinds Hackers|
|White House Urged to Address Surge in Ransomware Attacks|
An April 2 blog by the cybersecurity firm Cybereason said the people behind DarkSide follow the “double extortion” trend in ransomware, meaning they not only encrypt user data but exfiltrate it and make it public if a ransom payment isn’t made.
Many companies pay the fees and recover their data. But even when that occurs, they may shut down large parts of their networks as a precaution while they restore essential services and hunt for any signs that the hackers had accessed sensitive systems for other reasons including espionage or further destructive attacks.
The Cybersecurity & Infrastructure Security Agency is “engaged with the company and our interagency partners regarding the situation,” said Eric Goldstein, executive assistant director of CISA’s cybersecurity division. “This underscores the threat that ransomware poses to organizations regardless of size or sector,” he said.
Officials at the Federal Bureau of Investigation and the Department of Justice didn’t respond to requests for comment.
Senator Edward Markey, a Massachusetts Democrat, said the U.S. had been left vulnerable by “an understaffed, under-prepared Transportation Security Administration.”
“We cannot ignore the longstanding inadequacies that allowed for, and enabled, cyber intrusions into our critical infrastructure,” Markey said in a statement.
GOP Senator Ben Sasse of Nebraska said the latest intrusion showed that an infrastructure spending package soon to be considered by Congress, should put “the hardening of critical infrastructure” front and center.
Colonial gave an indication during Friday trading that it was having network issues, while two people familiar said they were having a hard time submitting refined product batches, updates or changes to batch deliveries and nominations using their Colonial Pipeline website access. The Colonial website went offline whenever the people tried.
At the time, Colonial staff informed customers by phone about the technical issues but didn’t say what was causing them.
The disruption could roil fuel markets Monday if it’s not fixed. The refining margin for a combined barrel of gasoline and diesel, the so-called 321 crack spread, rose 2% Friday after the Colonial interruption. Nymex gasoline futures rose 1.32 cents to settle at $2.1269 per gallon.
The main two Colonial lines out of the Houston refining hub — Lines 1 and 2 from Pasadena, Texas, to Greensboro, North Carolina — have not been full for months with U.S. fuel demand falling to its lowest in decades during the pandemic. That means fuel markets served by the line might be spared supply shortages.
The Colonial system is managed from suburban Atlanta and is jointly owned by Koch and several other energy and investor interests. East Coast fuel markets also are supplied by the Plantation pipeline jointly owned by Kinder Morgan and Exxon; East Coast refineries; and fuel shipments from Eastern Canada and Europe.