Colonial Pipeline suffers server gremlins, says it's not due to another ransomware infection
Just dealing with the aftermath
The Colonial Pipeline is in a bit of trouble again. The oil conduit that shut down this month after its operators were hit with ransomware suffered glitches with its technology on Tuesday while trying to sort out its IT woes.
The temporary computer outage was, so the Colonial Pipeline company said on Twitter, "not related to the ransomware or any reinfection," but instead "due to some of the hardening efforts that are ongoing and part of our restoration process."
"Our internal server that runs our nomination system experienced intermittent disruptions this morning due to some of the hardening efforts that are ongoing and part of our restoration process," the biz said a couple of hours ago.
"We are working diligently to bring our nomination system back online and will continue to keep our shippers updated. The Colonial Pipeline system continues to deliver refined products as nominated by our shippers."
The affected ordering system is said to be back online now after falling over earlier today.
As we reported, the Colonial Pipeline was shut down as a precautionary measure on May 7 when ransomware knocked out the operator's IT systems. The suspension stopped about 100 million gallons per day of refined oil (petroleum products, diesel, aviation kerosene, etc) from being conveyed along the US East Coast, forcing supplies into road tankers instead.
Though the pipeline was operational again by May 12, fuel shortages persist in the region as the supply chain catches up.
“It’s not uncommon for companies to fail to remediate properly and for threat actors to be able to remain in the network or to step through the (back)doors they created when previously inside the network," Brett Callow, a threat analyst at anti-ransomware firm Emsisoft, told The Register.
"That said, given the teams that would’ve been involved in the response to this incident, that seems unlikely. Recovering from an attack isn’t easy and it can take multiple months for companies to get their systems fully operational, and hiccoughs during those multiple months are not unusual.”
Last week it was speculated in the media that the pipeline was switched off because its billing systems were rendered unusable by the ransomware infection. If those news reports are correct and were referring to the pipeline’s nominations system, that means the malware prevented the fuel provider's staff from knowing precisely who wanted oil, where they wanted it pumped to, and meeting that demand in a timely manner.
Nomination systems allow buyers to update their orders, check the latest fuel flow rates, and reserve more material as needed.
In other words, the ransomware was able to force a shutdown by affecting business administration systems; some people might assume the software nasty was able to take out industrial control systems, jump over air gaps and what have you, but that level of sophistication wasn't needed – scrambling the files of the computers keeping score of customer demand and usage was enough.
Colonial reportedly paid a $5m equivalent ransom in Bitcoin for the decryptor but then opted to restore from its own backups anyway, publicly saying the decryption tool was too slow in operation. ®