May 11, 2021

Cyberattack: Pipeline officials hope most service back by weekend

Posted May 11, 2021 9:00 AM
 The pipeline system spans more than 5,500 miles between Houston, Texas and Linden, New Jersey-image courtesy Colonial Pipeline
 The pipeline system spans more than 5,500 miles between Houston, Texas and Linden, New Jersey-image courtesy Colonial Pipeline

WASHINGTON (AP) — Hit by a cyberattack, the operator of a major U.S. fuel pipeline said it hopes to have services mostly restored by the end of the week as the FBI and administration officials identified the culprits as a gang of criminal hackers.

U.S. officials sought to soothe concerns about price spikes or damage to the economy by stressing that the fuel supply had so far not experienced widespread disruptions, and the company said Monday that it was working toward “substantially restoring operational service” by the weekend.

The White House said in a statement late Monday that it was monitoring supply shortages in parts of the Southeast and that President Joe Biden had directed federal agencies to bring their resources to bear.

Colonial Pipeline, which delivers about 45% of the fuel consumed on the East Coast, halted operations last week after revealing a ransomware attack that it said had affected some of its systems.

Nonetheless, the attack underscored the vulnerabilities of the nation’s energy sector and other critical industries whose infrastructure is largely privately owned. Ransomware attacks are typically carried out by criminal hackers who scramble data, paralyzing victim networks, and demand large payments to decrypt it.

The Colonial attack was a potent reminder of the real-world implications of the burgeoning threat. Even as the Biden administration works to confront organized hacking campaigns sponsored by foreign governments, it must still contend with difficult-to-prevent attacks from cybercriminals.

“We need to invest to safeguard our critical infrastructure,” Biden said Monday. Energy Secretary Jennifer Granholm said the attack “tells you how utterly vulnerable we are” to cyberattacks on U.S. infrastructure.

The attack came as the administration, still grappling with its response to massive breaches by Russia of federal agencies and private corporations, works on an executive order aimed at bolstering cybersecurity defenses. The Justice Department, meanwhile, has formed a ransomware task force designed for situations just like Colonial Pipeline, and the Energy Department on April 20 announced a 100-day initiative focused on protecting energy infrastructure from cyber threats. Similar actions are planned for other critical industries, such as water and natural gas.

Despite that, the challenge facing the government and the private sector remains immense.

In this case, the FBI publicly assigned blame Monday by saying the criminal syndicate whose ransomware was used in the attack is named DarkSide. The group’s members are Russian speakers, and the syndicate’s malware is coded not to attack networks using Russian-language keyboards.

Anne Neuberger, the White House deputy national security adviser for cyber and emerging technology, said at a briefing that the group has been on the FBI’s radar for months. She said its business model is to demand ransom payments from victims and then split the proceeds with the ransomware developers, relying on what she said was a “new and very troubling variant.”

---------

WASHINGTON (AP) — Hit by a cyberattack, the operator of a major U.S. fuel pipeline said Monday it hopes to have services mostly restored by the end of the week as the FBI and administration officials identified the culprits as a gang of criminal hackers.

Colonial Pipeline, which delivers about 45% of the fuel consumed on the East Coast, halted operations last week after revealing a ransomware attack that it said had affected some of its systems. On Monday, U.S. officials sought to soothe concerns about price spikes or damage to the economy by stressing that the fuel supply had so far not been disrupted, and the company said it was working toward “substantially restoring operational service” by the weekend.

Nonetheless, the attack underscored the vulnerabilities of the nation’s energy sector and other critical industries whose infrastructure is largely privately owned. Ransomware attacks are typically carried out by criminal hackers who scramble data, paralyzing victim networks, and demand large payments to decrypt it.

The Colonial attack was a potent reminder of the real-world implications of the burgeoning threat. Even as the Biden administration works to confront organized hacking campaigns sponsored by foreign governments, it must still contend with difficult-to-prevent attacks from cybercriminals.

“We need to invest to safeguard our critical infrastructure,” President Joe Biden said Monday.

The attack came as the administration, still grappling with its response to massive breaches by Russia of federal agencies and private corporations, works on an executive order aimed at bolstering cybersecurity defenses. The Justice Department, meanwhile, has formed a ransomware task force designed for situations just like Colonial Pipeline, and the Energy Department on April 20 announced a 100-day initiative focused on protecting energy infrastructure from cyber threats. Similar actions are planned for other critical industries.

Despite that, the challenge facing the government and the private sector remains immense.

In this case, the FBI moved with unusual speed to pinpoint blame, saying the criminal syndicate whose ransomware was used in the attack is named DarkSide. The group’s members are Russian speakers, and the syndicate’s malware is coded not to attack networks using Russian-language keyboards.

Anne Neuberger, the White House deputy national security adviser for cyber and emerging technology, said at a briefing that the group emerged just months ago. She said the group’s business model is to demand ransom payments from victims and then split the proceeds, relying on what she said was a “new and very troubling variant.”

She declined to say if Colonial Pipeline had paid any ransom, and the company has not given any indication of that one way or the other. Though the FBI has historically discouraged victims from making payments for fear of promoting additional attacks, she acknowledged “the very difficult” situation that victims face and said the administration needs to look “thoughtfully at this area” of how best to deter ransomware.

The U.S. sanctioned the Kremlin last month for a hack of federal government agencies that officials have linked to a military intelligence unit and described as an intelligence-gathering operation. In this case, though, the hackers are not known to be working at the behest of any foreign government.

The group posted a statement on its dark web site describing itself as apolitical. “Our goal is to make money, and not creating problems for society,” DarkSide said.

Asked Monday whether Russia was involved, Biden said, ”“I’m going to be meeting with President (Vladimir) Putin, and so far there is no evidence based on, from our intelligence people, that Russia is involved, although there is evidence that the actors, ransomware, is in Russia.

“They have some responsibility to deal with this,” he added.

U.S. officials have sought to head off anxieties about the prospect of a lingering economic impact and disruption to the fuel supply, especially given Colonial Pipeline’s key role in transporting gasoline, jet fuel, diesel and other petroleum products through 10 states between Texas and New Jersey.

Colonial is in the process of restarting portions of its network. It said Monday that it was evaluating the product inventory in storage tanks at its facilities. Administration officials stressed that the company proactively took some of its systems offline, as opposed to hackers doing it, and that its operating systems were spared.

In response to the attack, the administration loosened regulations for the transport of petroleum products on highways as part of an “all-hands-on-deck” effort to avoid disruptions in the fuel supply.

“The time of the outage is now approaching critical levels and if it continues to remain down we do expect an increase in East Coast gasoline and diesel prices,” said Debnil Chowdhury, IHS Markit Executive Director. The last time there was an outage of this magnitude was in 2016, he said, when gas prices rose 15 to 20 cents per gallon. But the Northeast had significantly more local refining capacity at that time, potentially intensifying any impact.

If the pipeline outage persists, the industry may want to turn to barges to transport fuel, but that could require a waiver of the Jones Act, a U.S. maritime law that requires products shipped between U.S. ports to be moved by American-flagged ships.

The pipeline utilizes both common and custom technology systems, which could complicate efforts to bring the entire network back online, according to analysts at Third Bridge.

Gasoline futures ticked higher Monday. Futures for crude and fuel, prices that traders pay for contracts for delivery in the future, typically begin to rise anyway each year as the driving season approaches. The price you pay at the pump tends to follow.

The average U.S. price of regular-grade gasoline has jumped 6 cents over the past two weeks, to $3.02 per gallon, which is $1.05 higher than a year ago. The year-ago numbers are skewed somewhat because the nation was going into lockdown due to the pandemic.

The attack on the Colonial Pipeline could exacerbate the upward pressure on prices if it is unresolved for a period of time.

----------

NEW YORK (AP) — The cyberextortion attempt that has forced the shutdown of a vital U.S. pipeline was carried out by a criminal gang known as DarkSide that cultivates a Robin Hood image of stealing from corporations and giving a cut to charity, two people close to the investigation said Sunday.

Click here to read the emergency declaration from the Department of Transportation.

The shutdown, meanwhile, stretched into its third day, with the Biden administration loosening regulations for the transport of petroleum products on highways as part of an “all-hands-on-deck” effort to avoid disruptions in the fuel supply.

Experts said that gasoline prices are unlikely to be affected if the pipeline is back to normal in the next few days but that the incident — the worst cyberattack to date on critical U.S. infrastructure — should serve as a wake-up call to companies about the vulnerabilities they face.

The pipeline, operated by Georgia-based Colonial Pipeline, carries gasoline and other fuel from Texas to the Northeast. It delivers roughly 45% of fuel consumed on the East Coast, according to the company.

It was hit by what Colonial called a ransomware attack, in which hackers typically lock up computer systems by encrypting data, paralyzing networks, and then demand a large ransom to unscramble it.

On Sunday, Colonial Pipeline said it was actively in the process of restoring some of its IT systems. It says it remains in contact with law enforcement and other federal agencies, including the Department of Energy, which is leading the federal government response. The company has not said what was demanded or who made the demand.

However, two people close to the investigation, speaking on condition of anonymity, identified the culprit as DarkSide. It is among ransomware gangs that have “professionalized” a criminal industry that has cost Western nations tens of billions of dollars in losses in the past three years.

DarkSide claims that it does not attack hospitals and nursing homes, educational or government targets and that it donates a portion of its take to charity. It has been active since August and, typical of the most potent ransomware gangs, is known to avoid targeting organizations in former Soviet bloc nations.

Colonial did not say whether it has paid or was negotiating a ransom, and DarkSide neither announced the attack on its dark web site nor responded to an Associated Press reporter’s queries. The lack of acknowledgment usually indicates a victim is either negotiating or has paid.

On Sunday, Colonial Pipeline said it is developing a “system restart” plan. It said its main pipeline remains offline but some smaller lines are now operational.

“We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations,” the company said in a statement.

Commerce Secretary Gina Raimondo said Sunday that ransomware attacks are “what businesses now have to worry about,” and that she will work “very vigorously” with the Department of Homeland Security to address the problem, calling it a top priority for the administration.

“Unfortunately, these sorts of attacks are becoming more frequent,” she said on CBS’ “Face the Nation.” “We have to work in partnership with business to secure networks to defend ourselves against these attacks.”

She said President Joe Biden was briefed on the attack.

“It’s an all-hands-on-deck effort right now,” Raimondo said. “And we are working closely with the company, state and local officials to make sure that they get back up to normal operations as quickly as possible and there aren’t disruptions in supply.”

The Department of Transportation issued a regional emergency declaration Sunday, relaxing hours-of-service regulations for drivers carrying gasoline, diesel, jet fuel and other refined petroleum products in 17 states and the District of Columbia. It lets them work extra or more flexible hours to make up for any fuel shortage related to the pipeline outage.

One of the people close to the Colonial investigation said that the attackers also stole data from the company, presumably for extortion purposes. Sometimes stolen data is more valuable to ransomware criminals than the leverage they gain by crippling a network, because some victims are loath to see sensitive information of theirs dumped online.

Security experts said the attack should be a warning for operators of critical infrastructure — including electrical and water utilities and energy and transportation companies — that not investing in updating their security puts them at risk of catastrophe.

Ed Amoroso, CEO of TAG Cyber, said Colonial was lucky its attacker was at least ostensibly motivated only by profit, not geopolitics. State-backed hackers bent on more serious destruction use the same intrusion methods as ransomware gangs.

“For companies vulnerable to ransomware, it’s a bad sign because they are probably more vulnerable to more serious attacks,” he said. Russian cyberwarriors, for example, crippled the electrical grid in Ukraine during the winters of 2015 and 2016.

Cyberextortion attempts in the U.S. have become a death-by-a-thousand-cuts phenomenon in the past year, with attacks forcing delays in cancer treatment at hospitals, interrupting schooling and paralyzing police and city governments.

Tulsa, Oklahoma, this week became the 32nd state or local government in the U.S. to come under ransomware attack, said Brett Callow, a threat analyst with the cybersecurity firm Emsisoft.

Average ransoms paid in the U.S. jumped nearly threefold to more than $310,000 last year. The average downtime for victims of ransomware attacks is 21 days, according to the firm Coveware, which helps victims respond.

David Kennedy, founder and senior principal security consultant at TrustedSec, said that once a ransomware attack is discovered, companies have little recourse but to completely rebuild their infrastructure, or pay the ransom.

“Ransomware is absolutely out of control and one of the biggest threats we face as a nation,” Kennedy said. “The problem we face is most companies are grossly underprepared to face these threats.”

Colonial transports gasoline, diesel, jet fuel and home heating oil from refineries on the Gulf Coast through pipelines running from Texas to New Jersey. Its pipeline system spans more than 5,500 miles, transporting more than 100 million gallons (380 million liters) a day.

Debnil Chowdhury at the research firm IHSMarkit said that if the outage stretches to one to three weeks, gas prices could begin to rise.

“I wouldn’t be surprised, if this ends up being an outage of that magnitude, if we see 15- to 20-cent rise in gas prices over next week or two,” he said.

The Justice Department has a new task force dedicated to countering ransomware attacks.

While the U.S. has not suffered any serious cyberattacks on its critical infrastructure, officials say Russian hackers in particular are known to have infiltrated some crucial sectors positioning themselves to do damage if armed conflict were to break out. While there is no evidence the Kremlin benefits financially from ransomware, U.S. officials believe President Vladimir Putin savors the mayhem it wreaks in adversaries’ economies.

Iranian hackers have also been aggressive in trying to gain access to utilities, factories and oil and gas facilities. In one case in 2013, they broke into the control system of a U.S. dam.

-------