US declares emergency after ransomware shuts oil pipeline that pumps 100 million gallons a day
Oil transport by road allowed after Colonial Pipeline goes down, operator says recovery is under way but offers no recovery date
Updated One of the USA’s largest oil pipelines has been shut by ransomware, leading the nation's Federal Motor Carrier Safety Administration to issue a regional emergency declaration permitting the transport of fuel by road.
The Colonial Pipeline says it carries 100 million gallons a day of refined fuels between Houston, Texas, and New York Harbor, or 45 percent of all fuel needed on the USA’s East Coast. The pipeline carries fuel for cars and trucks, jet fuel, and heating oil.
It’s been offline since May 7, according to a company statement, due to what the outfit described as “… a cybersecurity attack [that] involves ransomware.”
It added: “In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”
Third-party experts were engaged to probe and remediate the situation and by Saturday the company said it was “actively in the process of restoring” its technology operations.
The Federal Motor Carrier Safety Administration's emergency declaration was issued on Sunday evening, US time, and states it is necessary to relieve shortages.
Reuters reports that the DarkSide ransomware gang is thought to be behind the attack. DarkSide is thought to follow the double-extortion model: it encrypts victims’ data and also exfiltrates it, using the stolen copy as leverage in ransom negotiations. The gang has also shared evidence that it has made charitable donations, and said it feels an obligation to give away some of the ransoms it wins.
At the time of writing the pipeline remained closed, although a Sunday evening (US time) update to Colonial’s announcement said some “smaller lateral lines between terminals and delivery points” have been restored.
Exactly what the incident will mean for supply is not known. The Register has encountered conflicting reports, some saying reserves should mean little disruption, others suggesting shortages may be imminent.
Whatever comes next, the incident validates the many predictions that attacks on critical infrastructure have the potential for enormous disruption and harm.
Such warnings are not new, yet Colonial Pipeline appears not to have planned for a short recovery time objective: a ransomware infection in its IT systems led it to halt all pipeline operations, and days later it still offers no recovery date.
The US Justice Department two weeks ago established a Ransomware and Digital Extortion Task Force to fight the scourge. ®
Updated to add
In a statement on May 10 fingering the culprits of the attack, the FBI said "the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation."
Meanwhile, on its Tor-hidden website, the Darkside crew seems to regret the attention it has drawn from Uncle Sam. "From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future," it wrote.