Unless operations are restored by Tuesday at the major US fuel pipeline that a Russian gang of cybercriminals hit with a ransomware attack on Friday, problems are going to start mounting rapidly: first in the Atlanta area and Tennessee, then snowballing all the way up to New York State, according to a worst-case scenario that oil market analyst Gaurav Sharma shared with the BBC.
In other words, the fallout from the attack on Colonial Pipeline, which runs the largest US fuel pipeline system, could get ugly really fast. By late Sunday evening, word was only just beginning to circulate about the culprits believed to be responsible for this attack against what one official described as no less than the “jugular” of the US pipeline system. “It’s the most significant, successful attack on energy infrastructure we know of in the United States,” energy researcher Amy Myers Jaffe told Politico. And rather than well-resourced hackers working with the imprimatur and backing of a nation-state (like China or Iran), experts have zeroed in on an outfit called DarkSide, described as a relatively new but experienced band of Russian hackers who run a quasi-professional operation and have exploded onto the hacking scene.
It was only a little over a week ago now when we last noted that Russian hackers are getting increasingly brazen in their attacks on targets in the US — like the one against the Washington DC Metropolitan Police Department, which was targeted by a ransomware group calling itself Babuk. Unless the cops paid up, the hackers threatened to publicize sensitive information stolen from the department’s computer network.
The Colonial Pipeline attack, of course, is far worse in its potential impact. For one thing, Colonial’s network carries 45% of the fuel consumed by the US East Coast. Major installations like Hartsfield-Jackson Atlanta International Airport, which until this year was ranked as the world’s busiest airport, receive fuel from Colonial Pipeline, as do military bases across the pipeline’s footprint.
This should be wake up call to two key risks we’ve long known about: the vulnerability of our energy infrastructure to cyberattack & the dependence of much of the eastern seaboard’s fuel supply on this one pipeline, particularly after the closure of several Northeast refineries. https://t.co/NtdCyeqrDs
— Jason Bordoff (@JasonBordoff) May 8, 2021
Other key facts about Colonial Pipeline, and this security incident:
- Colonial’s 5,500-mile system stretches from Houston, Texas, all the way up to New Jersey, and it transports more than 2.5 million barrels of fuel each day.
- Don’t start looking for an impact on prices at the pump until the pipeline outage has lasted longer than three days, one expert told Reuters. (An important caveat: If Americans start rushing out to buy gas, thinking prices are going to spike soon and they want to beat that upswing, that could help cause the very problem they want to avoid).
- The Southeast US seems to be most vulnerable, as things stand now. Major population centers on the East Coast can source fuel from elsewhere, including Europe if needed (though that brings its own problems). For a bit of additional historical context, when a leak in the Colonial Pipeline system in Georgia required the line to be shut down for more than a week in 2016, that led gas prices to climb by more than 30 cents a gallon.
President Biden on Sunday declared a state of emergency over this ransomware incident. The attackers reportedly stole almost 100GB of data from the pipeline operator’s network before encrypting systems and demanding payment.
On Sunday, Colonial Pipeline released a statement that read, in part: “While our mainlines (Lines 1,2,3, and 4) remain offline, some smaller lateral lines between terminals and delivery points are now operational. We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.”
Cybersecurity-focused journalist Kim Zetter has a fantastic Substack newsletter, Zero Day, that took a closer look at this incident in a new edition over the weekend. Among the highlights that jumped out at me in her reporting: a source who works for “a large midstream oil company that feeds fuel into Colonial’s pipeline” told her that his own company is scrambling to figure out what to do in the meantime with fuel it has sitting in tanks that needs to be delivered to Colonial. “We gotta find storage for refiners (and we) might run out (of storage) if it takes too long,” the source told Zetter. “Then refineries (will have to) cut back. Problem escalates.”
And even though Colonial has said only its corporate IT network was infected by the Russian gang’s ransomware, and that Colonial shut down its operational network out of caution, the unnamed source mentioned above also told Zero Day that he suspects, but doesn’t know for sure, that something Colonial needs in order to restart the pipeline might have been encrypted in the ransomware attack. His guess is Colonial’s system for billing customers.
Yet another example of physical infrastructure getting impacted even when only the IT networks are compromised.
We’ve seen this movie before with NotPetya and other IT attacks. If you can’t bill or figure out who your customers are, you may have no choice but to shut it down https://t.co/NkTJ5ttDwS
— Dmitri Alperovitch (@DAlperovitch) May 10, 2021