Colonial Pipeline, which operates a pipeline responsible for transporting nearly half of the East Coast’s fuel, announced in a statement on Friday that it had been targeted by hackers.
The company stated that it had taken offline several systems tied to the 5,500-mile pipeline as part of a precautionary measure while attempts were made to contain the issue.
In further statements over the weekend, Colonial Pipeline revealed that ransomware, a type of malware that makes a system’s files inaccessible through encryption, had been used.
“On May 7, Colonial Pipeline Company learned it was the victim of a cybersecurity attack and has since determined that the incident involved ransomware,” the company said. “Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring.”
The pipeline has been down since Friday and has still not returned to its normal operating capacity, raising concerns that fuel prices could skyrocket throughout the eastern part of the country.
Colonial Pipeline followed up on Monday by stating that it believed it would “substantially” restore service by the end of the week.
The F.B.I. asserted on Monday what cybersecurity experts had already feared: The hackers responsible for the breach belonged to the Russian ransomware gang known as DarkSide.
Such cybercrime groups work by extorting their victims. After encrypting a target’s system, ransomware gangs demand large sums of money in the form of cryptocurrency in exchange for a key to unlock the files.
No evidence at this time connects the hack to a foreign government.
DarkSide’s targeting of systems connected to critical infrastructure has brought much more attention to the issue than most ransomware incidents do. Even DarkSide appears to understand the significance of the shutdown.
In a statement on their dark web site on Monday, the ransomware gang stressed that their only goal was “to make money,” not create “problems for society.”
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives,” the group said in broken English. “Our goal is to make money, and not creating problems for society.”
The group appeared to go on to blame a partner for targeting Colonial Pipeline and claimed it would moderate such actions in the future.
“From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” DarkSide added.
As noted by cybersecurity journalist Kim Zetter, the statement suggests that a hacking group merely using DarkSide’s ransomware could have targeted the pipeline. This means that while DarkSide is responsible for creating the malware, those who infected Colonial Pipeline’s systems may not necessarily be from Russia themselves.
“Reminder that Darkside isn’t a single group. It’s ransomware-as-a-service – so you have the creators of the ransomware and its infrastructure, and then affiliates/partners who conduct attacks using the ‘rented’ ransomware and then share portion of paid ransom w/ Darkside creators,” she tweeted.
It remains unclear how much money the group has requested and whether Colonial Pipeline can remedy the situation without paying DarkSide.
White House Press Secretary Jen Psaki said in a tweet over the weekend that the administration of President Joe Biden was looking into ways to “mitigate potential disruptions to supply.”
One such action taken by the Department of Transportation has eased restrictions on fuel transportation in order to keep gasoline moving.
Biden also noted on Monday that no evidence suggested the Kremlin was involved, but stressed that Moscow bore some responsibility given that DarkSide is believed to operate from Russia.
“So far there is no evidence from our intelligence people that Russia is involved, although there is evidence that the actor’s ransomware is in Russia,” Biden said. “They have some responsibility to deal with this.”
While the federal government has offered to provide Colonial Pipeline with cybersecurity support, the private company has thus far declined.
Up until the past few days, DarkSide had managed to stay relatively unknown among the general public.
The incident has re-raised serious questions about vulnerabilities facing critical infrastructure in the U.S.