Colonial Pipeline cyberattack: Everything you need to know

(Image credit: Kodda/Shutterstock)

The ransomware attack on Colonial Pipeline, a major pipeline operator that carries gasoline and other fuels from the Gulf Coast to the Eastern Seaboard, may end up being one of the most consequential publicly disclosed cyberattacks on a private company in history.

But is this the first strike of a cyberwar, or just a criminal act? Are the Russians involved? And what kind of impact will this have on gas prices?

Here’s what we know so far.

What happened with Colonial Pipeline?

Encrypting ransomware has locked up the corporate computer systems of Colonial Pipeline, disrupting fuel deliveries to a large part of the eastern United States. Colonial Pipeline said systems controlling fuel delivery were not infected, but it shut them down too as a precaution.

“We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations,” Colonial Pipeline said.

The Southeast seems to be the most heavily impacted, but Colonial also delivers a lot of fuel to the Northeast, along with other pipeline operators that are not affected.

Who attacked Colonial Pipeline?

A cybercrime group known as DarkSide created and licensed the ransomware, but it’s possible that the actual attack was carried out by a DarkSide “affiliate” that strikes targets on its own.

How long will fuel deliveries be disrupted?

It’s not clear, but Colonial Pipeline said in a statement Monday that it has “the goal of substantially restoring operational service by the end of the week,” or May 14 or 15.

An oil-company source told independent information-security reporter Kim Zetter that while the Colonial Pipeline pipelines themselves are running fine, the “ticketing” system that keeps track of how much fuel was delivered to each customer may be offline. If so, Colonial Pipeline would have to track and bill for deliveries manually.

How will this affect gas prices?

Gas prices are already ticking upwards as a result of this incident, but that may partly be because it’s a convenient excuse to raise prices. 

On Monday, AAA said that the average price per gallon nationwide had gone up 6 cents in the previous week to $2.96, although that data was likely collected before the news of the attack on Colonial Pipeline could be fully felt.

On Tuesday, the AAA’s daily survey of gas prices had pushed the average to $2.985. The Southeast, the area most impacted by the Colonial Pipeline shutdown, had the lowest prices, in line with historical trends.

AAA recommended that drivers worried about running out of gas try to avoid high-traffic times of day, run all their errands in one trip, take heavy items out of their cars and roll down their windows instead of using air conditioning.

Will this ransomware attack result in fuel shortages?

It’s not clear how much it will. There are fuel stockpiles in the Northeast, but they might not hold enough fuel to meet demand.

There has been panic buying of gasoline in the Southeast, where some areas have Colonial Pipeline as the primary fuel supplier, and there have been reports of some gas stations running dry. 

Long-haul trucks are making up some of the shortfall by carrying gasoline in tanker trucks to cities in the Southeast. The Northeast is not seeing widespread runs on gas stations, and it may be able to get fuel shipped by oil tanker from Europe. Some fuel distributors in both areas get their fuel from other pipeline operators and won’t be affected.

When was the attack on Colonial Pipeline discovered?

Colonial Pipeline said it discovered the ransomware attack on Friday, May 7. It shut down its main pipeline running up the Gulf Coast and East Coast that evening.

When did the ransomware attack on Colonial Pipeline take place?

Unnamed sources told Bloomberg News that the attack started Thursday, May 6 and resulted in 100GB of Colonial Pipeline data being stolen in about two hours.

What is a ransomware affiliate?

The ransomware business operates a bit like the legitimate software industry. Certain groups can develop and distribute ransomware, and then they may sell licenses to other criminals, who pay a fee plus sometimes a cut of the take to the original ransomware developers. This is often called ransomware-as-a-service (RaaS).

The licensees or “affiliates” are often the ones attacking the targets, independently of the groups that develop the ransomware. It’s not certain what happened in this case.

What has DarkSide said about this?

The DarkSide ransomware managers have tried to distance themselves from the Colonial Pipeline attack, claiming in a statement May 10 that “our goal is to make money, and not creating problems for society.” 

They say that they will “check each company that our partners want to encrypt to avoid social consequences in the future.”

How much are the crooks demanding in ransom?

That’s not been disclosed, but it’s bound to be a lot of money, though Colonial Pipeline may have insurance coverage for ransomware payments.

Is the government helping?

The federal government has temporarily waived rules barring smog-creating gasoline from being sold in the mid-Atlantic states.

The Federal Motor Carrier Safety Administration has temporarily waived rules that restrict truck transport of gasoline and other fuels in 17 states and the District of Columbia. 

Who is helping Colonial Pipeline clean up its computer systems?

The incident-response team from the cybersecurity firm FireEye has been brought in.

What exactly is Colonial Pipeline?

Colonial Pipeline is a privately held pipeline operator founded in 1961 and based in Alpharetta, Georgia, near Atlanta. It says it supplies about 45% of the petroleum-based fuel — gasoline, jet fuel, home heating oil, diesel fuel — used on the East Coast. 

The company’s main pipeline runs from eastern Texas to northern New Jersey, with branch lines running into Tennessee. The pipeline has had several spills in the past two decades, and in 2016 a construction worker was killed when a backhoe dug into the pipeline at the site of a spill in Alabama, causing an explosion.

How did the ransomware get into Colonial Pipeline’s computer systems?

That’s not been disclosed. There are several ways the ransomware could have entered the systems, including a phishing email, a misconfigured website, or through a connected company’s own systems. 

Can Colonial Pipeline move fuel without the computer systems?

The company has said that the technology operating the pipeline is running normally, but that many of those systems have been taken offline as a precaution.

As mentioned above, it’s possible that the ticketing system is not functioning properly. If that’s true, it would mean that the company might not be able to accurately measure how much fuel is delivered and hence might not be able to properly bill its customers.

Are the Russians involved in this cyberattack?

The DarkSide group appears to be based in Russia, but that doesn’t mean the Russian government has anything to do with it. Most ransomware groups are white-collar criminals, not spies. The White House has called this a “criminal act.” 

President Biden said during a press conference May 10 that “there is no evidence from our intelligence people that Russia is involved, though there is evidence the actors, the ransomware, is in Russia.”

“They have some responsibility to deal with this,” he added.

You could argue that the Russian government does bear some responsibility for this. That’s because for at least two decades, the Russian domestic authorities have let cybercriminals operate openly on Russian soil as long as they don’t attack other Russians. 

“Just don’t ever work against your country and businesses in this country,” is how one Russian security expert speaking to the Associated Press described Moscow’s attitude. “If you steal something from Americans, that’s fine.”

Many strains of malware, including the DarkSide ransomware, won’t activate if they detect that the computer they’ve infected is set to use Russian or another former-Soviet-bloc language as the language default. 

Which federal agencies have been brought into this case?

The FBI is involved, but it’s not clear if it’s leading the investigation, although it presumably would be. The bureau on Monday (May 10) released a brief statement: “The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation.”

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has said it is also involved.

Who are the DarkSide ransomware group?

There’s the DarkSide ransomware, and then the DarkSide group that develops, distributes and licenses the ransomware. Licensees subscribe to the ransomware but can use it on their own. 

The DarkSide ransomware, which attacks computers and servers running Windows or Linux, copies data from an infected system and sends it up to a command-and-control server, and only after that encrypts the data on the infected machine. It will also try to delete the target’s backups of the data.

If the target does not pay the ransom to free the data, the licensee of the DarkSide ransomware may threaten to release the stolen copies of the data online — a tactic experts call “double extortion.” Bloomberg News said Colonial Pipeline received such a warning.

DarkSide’s managers have even said they’d be willing to sell a company’s stolen data to a rival company or investors before making it public.

One expert from CrowdStrike told Wired that DarkSide’s managers were former credit-card thieves who graduated to ransomware after they saw how lucrative it could be.

How can I protect myself from DarkSide ransomware?

If you’re a home computer user, DarkSide and other top ransomware groups aren’t as interested in you as they would have been a couple of years ago. 

The big money now is in attacking large and medium-sized companies and other organizations — school systems, town governments, medical facilities, universities, police departments — that need to get their data back and can (often) afford to pay for it.

The DarkSide managers have stated in press releases (yes, they have press releases) that they will not attack hospitals, schools, universities or government organizations.

“We only attack companies that can pay the requested amount, we do not want to kill your business,” the group said in one of its first press releases after they declared their existence last August. 

It’s not clear how they can control which organizations their affiliates attack, though.

The DarkSide managers have even tried to donate some of their ill-gotten gains to charity, but their donations were rejected.

Can you decrypt files encrypted by the DarkSide ransomware?

Information-security firm Bitdefender released a DarkSide decryption tool in January, but it may not work on files encrypted in DarkSide attacks since then.
