The White House was working closely with top U.S. fuel pipeline operator Colonial Pipeline on Sunday to help it recover from a ransomware attack that forced the company to shut a critical fuel network supplying populous eastern states.
The attack is one of the most disruptive digital ransom schemes reported and has prompted calls from American lawmakers to strengthen protections for critical U.S. energy infrastructure from hacking attacks.
Commerce Secretary Gina Raimondo said the pipeline fix was a top priority for the Biden administration and Washington was working to avoid more severe fuel supply disruptions by helping Colonial restart as quickly as possible its more than 5,500-mile (8,850 km) pipeline network from Texas to New Jersey.
"It's an all hands on deck effort right now," Raimondo said on CBS' "Face the Nation" program. "We are working closely with the company, state and local officials, to make sure that they get back up to normal operations as quickly as possible and there aren't disruptions in supply."
NEW YORK: Colonial said on Sunday its main fuel lines remain offline but some smaller lines between terminals and delivery points are now operational. Neither Raimondo nor the company gave an estimate for a restart date and Colonial declined further comment on Sunday.
Colonial transports roughly 2.5 million barrels per day of gasoline and other fuels from refiners on the Gulf Coast to consumers in the mid-Atlantic and southeastern United States.
Its extensive pipeline network serves major U.S. airports, including Atlanta's Hartsfield Jackson Airport, the world's busiest by passenger traffic.
A Charlotte Douglas International Airport spokesperson said the airport had supply on-hand and was "monitoring the situation closely," adding that the complex is supplied by another major pipeline as well as Colonial.
Retail fuel experts including the American Automobile Association said an outage lasting several days could have significant impacts on regional fuel supplies, particularly in the southeastern United States.
Offices of governors in several of the U.S. states most vulnerable to fuel shortages following the Colonial outage - including Tennessee, Georgia and Maryland - were not immediately available for comment.
While the U.S. government investigation is in the early stages, a former U.S. official and three industry sources said the hackers are suspected to be a professional cybercriminal group called DarkSide.
DarkSide is one of many ransomware gangs that extort victims while avoiding targets in post-Soviet states. The groups gain access to private networks, deploy malware that encrypts files, and often also steal data.
They demand payment to decrypt the files and increasingly ask for additional money not to publish the stolen content.
In the Colonial attack, the hackers took more than 100 gigabytes of data, according to a person familiar with the incident.
As the FBI and other government agencies worked with private companies to respond, the cloud computing system the hackers used to collect the stolen data was taken offline Saturday, the person said.
Colonial's data did not appear to have been transferred from that system anywhere else, potentially limiting the hackers' leverage to extort or further embarrass the company.
Cybersecurity firm FireEye is among those dealing with the attack, industry sources said. FireEye declined to comment. Colonial said it was working with a "leading, third-party cybersecurity firm," but did not name the firm.
Messages left with the DarkSide hackers were not immediately returned. The group's dark website, where hackers regularly post data about victims, made no reference to Colonial Pipeline.
Colonial declined to comment on whether DarkSide hackers were involved in the attack, when the breach occurred or what ransom they demanded.
BIDEN BRIEFED ON HACK
President Joe Biden was briefed on the cyberattack on Saturday morning, the White House said, adding that the government was working to try to help the company restore operations and prevent supply disruptions.
U.S. Senator Bill Cassidy, a Republican from Louisiana who sits on the Energy Committee, said lawmakers are prepared to work more with privately held critical infrastructure companies to guard against cyberattacks.
"The implication for this, for our national security, cannot be overstated. And I promise you, this is something that Republicans and Democrats can work together on," he said on NBC's "Meet the Press."
Another fuel pipeline serving the same regions carries a third of what Colonial does. Any prolonged outage would require tankers to transport fuels from the U.S. Gulf Coast to East Coast ports.
Complicating the fallback plans, according to one industry source familiar with the federal response, was that the ranks of fuel-truck drivers for the main road transportation companies, which could pick up some of the pipeline volume, are down by 25% or more because of coronavirus infections.
The privately held, Georgia-based company is owned by CDPQ Colonial Partners L.P., IFM (US) Colonial Pipeline 2 LLC, KKR-Keats Pipeline Investors L.P., Koch Capital Investments Company LLC and Shell Midstream Operating LLC.
Gasoline futures and diesel futures on the New York Mercantile Exchange rose on Friday after the outage was reported. In previous Colonial outages, retail prices have risen substantially, if briefly.
Oil refining companies contacted by Reuters over the weekend said their operations had not yet been impacted. Some were monitoring developments and working to find alternative transport for customers.
Knowns and unknowns about the hack at Colonial Pipeline
Ransom-seeking hackers have broken into Colonial Pipeline, prompting the company to shut one of America's major arteries for fuel delivery.
Here is a look at what we know, and what we don't, about one of the most disruptive digital shakedown efforts to hit a U.S. company.
WHO IS INVOLVED?
Alpharetta, Georgia-based Colonial Pipeline and the U.S. government have both blamed ransomware for the massive outage, pointing the finger at cybercriminal gangs who routinely hold data and computer networks hostage in exchange for digital currency payments.
There is no official word on which group is believed to have carried out the intrusion - and attributing malicious activity online can be extremely difficult - but a former U.S. official and three industry sources told Reuters a group dubbed "DarkSide" was among the suspects. If so, that would lay the responsibility on a new but professional group of criminals believed to be operating out of the former Soviet republics.
Cybersecurity firm FireEye is involved with the incident response, according to three industry sources.
HOW BAD IS IT?
Ransomware can deal catastrophic damage to an organization's network by locking away critical data or even wrecking computers beyond repair. But the effect on the actual nuts and bolts of energy companies' operations varies.
A destructive cyberattack on Saudi Aramco in 2012 crippled the oil giant's computer network but left production more-or-less unscathed. By contrast, a more recent ransomware incident at Norsk Hydro temporarily pushed the aluminum maker to switch away from automated production at its smelters.
Experts say the severity of the Colonial case will depend on whether the ransomware made its way into the company's operational technology network, which interfaces with the pipeline itself. Earlier this year, U.S. government officials announced (https://us-cert.cisa.gov/ncas/alerts/aa20-049a) that an intrusion at an unnamed natural gas compression plant that spilled over into its operational technology network forced a two-day shutdown of its entire pipeline.
Colonial has not given any public indication as to the reach of the ransomware outbreak, but Robert M. Lee, chief executive of cybersecurity firm Dragos, said he believed Colonial's operations network was shut down proactively "to make sure that nothing spread into those systems."
He said that will hopefully translate to "a temporary outage versus something that would be more sustained."
WHAT HAPPENS NEXT?
U.S. government officials are working with Colonial to help it recover while scrambling to avoid more severe fuel supply disruptions should the outage continue.
Colonial's pipeline network serves major U.S. airports, including Atlanta's Hartsfield Jackson Airport, the world's busiest by passenger traffic, and experts say regional fuel supplies could be impacted if the pipeline stays shut.
"A one-to-two-day outage is really a minor inconvenience," said Andrew Lipow, president of Lipow Oil Associates. But by day four or five, he said, "we could see a much greater widespread impact through large areas throughout the mid-Atlantic and the southeast."
Whether the pipeline stays shut that long in turn depends on how deeply the hackers penetrated Colonial's network - and how soon cybersecurity experts can pull them out. - Reuters