On Sunday, the federal government issued a rare emergency declaration after a cyberattack on a major pipeline in the United States cut off fuel transportation to the eastern United States.
Colonial Pipeline, which operates the nation’s largest fuel pipeline, halted all operations on Friday after hackers broke into some of its networks. All four of its main lines remain offline.
The Department of Transportation’s emergency declaration aims to open up alternative routes for transporting oil and gas. It lifts hours-of-service restrictions for drivers carrying fuel in 17 southern and eastern US states and the District of Columbia, allowing them to drive between fuel terminals and local gas stations for more hours and with less rest than federal rules usually allow. The US is already facing a shortage of tanker drivers.
The emergency order is valid until June 8 and may be extended. Colonial has yet to announce a date when it is expected to resume operations in full.
In a statement released Monday afternoon, the company indicated that it is working on a phased reopening of operations.
“While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach,” the company said in a press release.
Industry experts have already warned that a prolonged pipeline shutdown could drive gas prices higher and cause disruptions in the eastern United States.
On Monday, the FBI confirmed that the culprit is a strain of DarkSide ransomware, which is believed to be operated by the eponymous Russian cybercriminal gang. Like many ransomware gangs, DarkSide makes money by hacking into the victim’s network, encrypting their files so they cannot be accessed, and threatening to publish them online unless they are paid a huge fee.
In a statement posted on its website, DarkSide echoed the belief prevalent among ransomware gangs – that they are an apolitical group interested only in making money – but appeared to admit that by disrupting the fuel industry they may have crossed a line with the United States that no extortion gang has crossed before.
“We are apolitical, we do not participate in geopolitics, there is no need to associate us with a certain government and look for our other motives,” the gang wrote, in a statement riddled with errors.
“Our goal is to make money, not create problems for society. Starting today, we are introducing moderation and checking every company that our partners want to encrypt in order to avoid social consequences in the future.”
This attack is the latest in a recent spike in unrelated ransomware attacks across the country. Another group recently broke into the Washington, DC Metropolitan Police Department and began leaking highly detailed personal files on officers. A third stole files from a major Taiwan-based Apple supplier and published previously confidential Apple product specifications.
Many Russian cyber groups operate as independent organizations, although they are sometimes hired to work for Russian intelligence – and they usually avoid attacking targets in Russia.
Brett Callow, an analyst at the cybersecurity firm Emsisoft who tracks ransomware, said the DarkSide malware shows signs of being designed to hit targets outside Russia and Eastern Europe. He noted that the program is built so that it will not run on computers whose default language is Russian or one of several other Eastern European languages.
“DarkSide doesn’t eat in Russia,” Callow said. It checks the language the system is using and, if it is Russian, exits without encrypting anything.
It will take a while for Colonial to recover from the incident, Callow said. Restoring systems from backups can take any large company several days. Even if Colonial obtains the file decryption program from the gang itself – either through a ransom payment or because DarkSide voluntarily provides it – decryption will be a slow process because of the way the tool is coded, he said.
Remediation and recovery are not necessarily quick or easy, he said, and while core functionality can be restored fairly quickly, organizations can take weeks or even months to fully return to normal operations.