Colonial Pipeline says it is the victim of a cyberattack that forced the major provider of liquid fuels to the East Coast to temporarily halted all pipeline operations.
A ransomware attack has halted pipeline activities for the Colonial Pipeline Co., which supplies the East Coast with roughly 45 percent of its liquid fuels.
In a statement released on Saturday, Colonial Pipeline said it has temporarily halted pipeline operations in response to a cyberattack impacting the company starting Friday.
“On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware,” the company wrote in the Saturday statement.
As a precaution, the company took key systems offline to avoid further infections, it said.
“In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems,” the company stated. “Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing.”
The company, which delivers gasoline and diesel fuel to the East Coast from Texas, said it has also contacted law enforcement and other federal agencies. “Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation,” according to the statement.
The states of Alabama, Arkansas, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia, plus the District of Columbia, have all been affected by the shutdown.
What We Know About the Colonia Pipeline Attack
Many questions are still unknown such as, was the pipeline shut down as a precaution or as a result of the cyberattack? Who was behind the attack and how sophisticated were the attackers when it came to targeting and infecting critical systems?
“It’s not yet clear whether they shut down the pipeline out of an abundance of caution to stop the spread of the ransomware payload, or they can’t operate the pipeline because either operational technology (OT) systems have been impacted, or they are dependent on IT systems,” wrote Dave White, president of Axio, in an email to Threatpost.
Ang Cui, CEO of Red Balloon Security, who does advanced threat research on embedded devices and industrial control systems (ICS) for the Department of Defense and the Department of Homeland Security, said it was likely a criminal, not nation-state, attack.
“Although Colonial shut down its operations, it doesn’t necessarily mean the ICS was compromised,” wrote Cui in an email. “It could be that they didn’t have enough separation between the IT and OT systems, so they pulled the plug before the attackers realized they had access to those sensitive systems — which would have significantly increased the cost of the ransom, in addition to jeopardizing physical controls.”
Ransomware: A Persistent Problem
The attack comes as ransomware attacks have reached near-epidemic proportions. Last year alone, the number of ransomware attacks grew more than 150 percent, according to a Group-IB report. The scourge has also prompted coordinated global efforts to combat ransomware.
Last month, a coalition of 60 global entities, which included the U.S. Department of Justice, proposed a sweeping plan and a ransomware task force to hunt down and disrupt ransomware gangs by going after their financial operations.
Bullseye on Critical Infrastructure
In February 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that critical infrastructure targets, such as pipelines, were increasingly being targeted by hackers. The warning was sparked by a ransomware attack that hit a natural gas compression facility in the U.S. that caused a two-day shutdown of an unnamed victim.
The initial compromise to the IT network led to the cyberattacker deploying a “commodity ransomware” to encrypt data on both the IT and the OT networks. The ability to pivot was thanks to a lack of network segmentation between the IT and the OT portions of the infrastructure, CISA said at the time.
“The U.S. economy is critically dependent on energy-pipeline infrastructure. It is important for all energy-critical asset owners and the federal government undertake risk analysis and economic-quantification studies to understand the scale of impact from events like this, and support investment in appropriate protections,” Axio’s White told Threatpost.
Red Balloon’s Cui said he believes a key part of the problem in critical-infrastructure attacks is that operators often do not isolate or secure these systems. “The vendors aren’t securing these ICS devices to begin with, and patching is difficult,” he wrote.
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!