The US government declared a state of emergency on Sunday after the largest fuel pipeline in the United States was hit by a ransomware attack.
The Colonial Pipeline transports 2.5 million barrels per day, or 45% of the East Coast’s supply of diesel, gasoline and jet fuel.
The attack by an online criminal gang forced a complete shutdown of the pipeline on Friday, and work is still underway to restore service.
The state of emergency allows fuel to be transported by road instead.
Experts say fuel prices are likely to rise 2-3% on Monday, but the effect will be much worse if the outage continues for longer.
Multiple sources confirmed that the ransomware attack was carried out by a cyber gang called “Darkside”, which infiltrated Colonial’s network on Thursday and took nearly 100 gigabytes of data.
After taking the data, the hackers encrypted some computers and servers and demanded a ransom on Friday, threatening to leak the data online if it is not paid.
Colonial said it is working with law enforcement, cybersecurity experts and the Department of Energy to restore service.
On Sunday evening it said that although its four main lines are still offline, some of the smaller side lines between terminals and delivery points are now operating.
“Shortly after learning of the attack, Colonial Inc. shut down some systems preemptively to contain the threat. These measures have temporarily halted all pipeline operations and affected some of our IT systems, which we are actively working to restore,” the company said.
“We are in the process of restoring service to other side lines, and we will not fully restart our system until we believe it is safe to do so, in full compliance with all federal regulations,” the company added.
Gaurav Sharma, an independent oil market analyst, told the BBC that there was a lot of stranded fuel in Texas refineries.
He noted that an emergency waiver of the Jones Act would allow oil products to be shipped by tanker to New York, but that this would not come close to matching the pipeline’s capacity.
“Unless the order is arranged by Tuesday, they are in big trouble,” Sharma said. “The first areas to be affected will be Atlanta and Tennessee, and then the domino effect will spread up to New York,” he added.
He said that oil futures traders are now “scrambling” to meet demand at a time when US inventories are falling and demand, especially for vehicle fuel, is rising as consumers return to the roads and the US economy tries to shake off the effects of the pandemic.
While Darkside is not the largest such gang in the field, the incident highlights the growing threat that ransomware poses to critical national industrial infrastructure, and not just to businesses.
It also points to the emergence of a shadowy criminal IT ecosystem valued at tens of millions of pounds, unlike anything the cybersecurity industry has seen before.
In addition to a notification on their computer screens, victims of the Darkside attack receive an information packet informing them that their computers and servers are encrypted.
The gang lists every type of data it has stolen and sends victims a link to a “personal leak page” where the data has already been uploaded, ready to be published automatically if the company or institution does not pay before the deadline expires.
Darkside also tells victims that it will provide evidence of the data it has obtained, and that it is prepared to delete all of it from the victim’s network once payment is made.
According to Digital Shadows, a London-based cybersecurity company that tracks global cybercriminal groups to help companies reduce their online exposure to them, Darkside operates like a business.
The gang develops the software used to encrypt and steal data, then recruits and trains “affiliates”, who receive a toolkit containing the program, a template ransom-demand email, and training on how to carry out the attacks.
The affiliates then pay Darkside a percentage of the profits from any successful ransomware attack.
It also works with “access brokers” – malicious hackers who collect login details for as many user accounts as they can find across various online services.
Instead of breaking into these accounts themselves and alerting users or service providers, these intermediaries hoard the usernames and passwords and sell them to the highest bidder – the cybercriminal gangs that want to use them to carry out much larger crimes.
Digital Shadows says the cyberattack on the Colonial Pipeline was made possible by the coronavirus pandemic, and specifically by the high number of engineers remotely accessing the pipeline’s control systems from home.
James Chappell, co-founder and chief innovation officer at Digital Shadows, believes that Darkside purchased account login details for remote desktop programs such as TeamViewer and Microsoft Remote Desktop.
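The initial-access pattern described above, a purchased credential used to log in to a remote desktop service from an unfamiliar location, is something a defender can look for in authentication logs. The following is an added example written for this page; it is not code from the article, from Colonial, or from Digital Shadows. It assumes a constructed key=value log format and a baseline of (user, source address) pairs the organisation has seen before; both the format and the sample lines are invented for the example, and the addresses are from RFC 5737 documentation ranges.

```python
"""
Added example (not from the article or from Digital Shadows): a small detector
that reviews remote-access authentication logs for the pattern described in the
text, namely a purchased or stolen credential being used to log in to a remote
desktop service from a source the organisation has never seen for that account.

Assumptions (constructed for this example, not from the article):
  * log lines follow the key=value format
      <ISO timestamp> user=<name> service=<rdp|teamviewer> src=<ip> result=<success|failure>
  * a baseline of previously observed (user, source IP) pairs is available.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) service=(?P<service>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_suspicious_logins(lines, baseline, failure_threshold=5,
                             window=timedelta(minutes=10)):
    """Return one alert per successful remote login that either
    (a) comes from a source address not in the baseline for that user, or
    (b) follows at least `failure_threshold` failed attempts for the same user
        within `window` (a sign of a credential being guessed or stuffed)."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of failed attempts
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        user, ts = rec["user"], rec["ts"]
        if rec["result"] == "failure":
            recent_failures[user].append(ts)
            continue
        # Successful login: drop failures outside the window, then evaluate.
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= window]
        reasons = []
        if rec["src"] not in baseline.get(user, set()):
            reasons.append("new_source")
        if len(recent_failures[user]) >= failure_threshold:
            reasons.append("failures_before_success")
        if reasons:
            alerts.append({"user": user, "service": rec["service"],
                           "src": rec["src"], "reasons": reasons})
    return alerts


# Constructed baseline and sample log (invented addresses from RFC 5737 ranges).
BASELINE = {
    "ops_engineer": {"198.51.100.20"},
    "scada_admin": {"192.0.2.7", "192.0.2.8"},
}

SAMPLE_LOG = [
    # Known engineer from a known home address: no alert expected.
    "2021-05-06T01:00:00Z user=ops_engineer service=rdp src=198.51.100.20 result=success",
    # Burst of failures then a success from an address never seen for this account.
    "2021-05-06T02:10:00Z user=scada_admin service=rdp src=203.0.113.45 result=failure",
    "2021-05-06T02:10:20Z user=scada_admin service=rdp src=203.0.113.45 result=failure",
    "2021-05-06T02:10:40Z user=scada_admin service=rdp src=203.0.113.45 result=failure",
    "2021-05-06T02:11:00Z user=scada_admin service=rdp src=203.0.113.45 result=failure",
    "2021-05-06T02:11:20Z user=scada_admin service=rdp src=203.0.113.45 result=failure",
    "2021-05-06T02:12:30Z user=scada_admin service=rdp src=203.0.113.45 result=success",
    # Clean success from a new address: the quiet case a bought credential produces.
    "2021-05-06T03:00:00Z user=ops_engineer service=teamviewer src=203.0.113.99 result=success",
    "this line is malformed and is skipped",
]


def run_sample():
    """Run the detector over the constructed sample; returns the alert list."""
    return detect_suspicious_logins(SAMPLE_LOG, BASELINE)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The second flagged login is the more important one for this incident: a valid credential bought from a broker produces no failed attempts at all, so a rule that only counts failures would miss it, whereas the per-user source baseline still catches it. In practice the baseline would be built from weeks of logs and the alert fed to a ticketing or SIEM pipeline rather than printed.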
The gang even has a website on the dark web where it brags about its work in detail, displays a list of all the companies it has hacked and what was stolen, and maintains an “ethics” page listing the kinds of organizations it says it will not attack.
When it released a new program in March that could encrypt data faster than before, the gang issued a press release and invited journalists for interviews.
“We see a lot of victims now, and this is a seriously big problem,” Chappell said.
He added, “Every day there are new victims. The volume of small businesses that fall victim to this is large, and it has become a big problem for the global economy.”
Chappell added that Digital Shadows’ research suggests the gang is likely to be based in a Russian-speaking country, as it appears to avoid attacking companies in the Commonwealth of Independent States, an organization made up of Russia, Ukraine, Belarus, Georgia, Armenia, Moldova, Azerbaijan, Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan and Uzbekistan.