The US government has issued an emergency legislation following a ransom ware cyber-attack on the largest fuel pipeline in the country.
In response to this, the US government has relaxed rules on fuel being transported by road, meaning drivers in 18 states can work extra or more flexible hours when transporting refined petroleum products.
A temporary waiver was issued by the Department of Transportation to enable oil products to be shipped in tankers up to New York, although it would not be anywhere near enough to match the pipeline’s capacity.
The Colonial Pipeline conveys 2.5 million barrels a day – 45% of the East Coast’s supply of diesel, petrol and jet fuel.
The operator went offline on Friday after the cyber-attack and they are working to work to restore service.
Sources said the ransom ware attack was likely to have been caused by a cyber-criminal gang called DarkSide, who infiltrated Colonial’s network and locked the data on some computers and servers, demanding a ransom on Friday.
The gang tried to take almost 100 gigabytes of data hostage, threatening to leak it onto the internet, but the FBI and other government agencies worked with private companies to respond. The cloud computing system the hackers used to collect the stolen data was taken offline on Saturday, Reuters reported.
Digital Shadows, a London-based cyber-security firm, said the Colonial attack was helped by the coronavirus pandemic, with more engineers remotely accessing control systems for the pipeline from home.
The attack had little or no impact on the US fuel prices at the pump on Monday, but there are fears that prices could change if the shutdown is prolonged.
Independent oil market analyst Gaurav Sharma told the BBC that a lot of fuel was now stranded at refineries in Texas. “Unless they sort it out by Tuesday, they’re in big trouble. The first areas to be hit would be Atlanta and Tennessee, then the domino effect goes up to New York,” said Mr Sharma.
He said oil futures traders were now “scrambling” to meet demand, at a time when US inventories are declining, and demand – especially for fuel for cars – is on the rise as consumers return to the roads and the economy recovers.
Colonial reported its four main pipelines remain offline while some smaller lines between terminals and delivery points were now operational. “Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring,” the firm said.
It added it would resume the full operation of its system back online “only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations”.
According to Digital Shadows, DarkSide operates like a business. Victims of a DarkSide attack receive an information pack informing them that their computers and servers are encrypted, in addition to a notice on their computer screens.
The gang lists all the types of data it has stolen, and sends victims the URL of a “personal leak page” where the data is already loaded, waiting to be automatically published, should the company or organisation not pay before the deadline is up.
DarkSide also tells victims it will provide proof of the data it has obtained, and is prepared to delete all of it from the victim’s network.
The latest incident highlights the risk ransom ware can pose to critical national industrial infrastructure, not just businesses.
The gang develops the software used to encrypt and steal data from companies.
It also provides ransom ware to “affiliates” who pay DarkSide a percentage of their earnings from any successful attacks.
In March, the gang reportedly released new software that could encrypt data faster than before, to which they issued a press release and invited journalists to interview it.
It even has a website on the dark web where it lists all the companies it has hacked and what was stolen, and an “ethics” page where it lists organisations exempted from their attack.
Discussion about this post