NEW YORK (AP) — The shutdown of a vital U.S. pipeline because of a ransomware attack stretched into a third day Sunday, with the Biden administration saying an “all-hands-on-deck” effort is underway to restore operations and avoid disruptions in gasoline supply.
Experts said that gas prices are unlikely to be affected if normal operations at Alpharetta-based Colonial Pipeline resume in the next few days but that the incident — the worst cyberattack to date on critical U.S. infrastructure — should serve as a wake-up call to companies about the vulnerabilities they face.
The pipeline carries gasoline and other fuel from Texas to the Northeast. It delivers roughly 45% of fuel consumed on the East Coast, according to the company.
In a response to emailed questions from The Atlanta Journal-Constitution, a spokesperson for the fuel distributor said no further details were available on the incident Saturday.
In a statement released Sunday afternoon, the company said its operations team “is developing a system restart plan. While our mainlines (Lines 1, 2, 3 and 4) remain offline, some smaller lateral lines between terminals and delivery points are now operational.”
The Washington Post reported Saturday the attack appears to have been carried out by an Eastern European-based criminal gang called DarkSide. On Sunday, a person close to the investigation told The Associated Press that the attack was carried out by DarkSide, which cultivates a Robin Hood image of stealing from corporations and giving a cut to charity.
Commerce Secretary Gina Raimondo said Sunday that this kind of incident “is what businesses now have to worry about,” and that she will work “very vigorously” with the Homeland Security secretary to address the problem of cyberattacks, calling them a top priority for the administration.
“Unfortunately, these sorts of attacks are becoming more frequent. They’re here today. We have to work in partnership with business to secure networks to defend ourselves against these attacks,” she said on CBS’ Face the Nation.
She said President Joe Biden was briefed on the attack.
“Its an all-hands-on-deck effort right now,” Raimondo said. “And we are working closely with the company, state and local officials to make sure that they get back up to normal operations as quickly as possible and there aren’t disruptions in supply.”
Ransomware attacks are typically carried out by hackers who lock up computer systems by encrypting data and then demand a large ransom to release it. Colonial Pipeline has not said what was demanded or who made the demand.
However, the person close to the investigation, speaking on condition of anonymity, identified the culprit as DarkSide. It is among ransomware gangs that have “professionalized” a criminal industry that has cost Western nations tens of billions of dollars in losses in the past three years.
DarkSide claims that it does not attack medical, educational or government targets — only large corporations — and that it donates a portion of its take to charity. It has been active since August and, typical of the most potent ransomware gangs, is known to avoid targeting organizations in former Soviet bloc nations.
Colonial did not say whether it has paid or was negotiating a ransom, and DarkSide neither announced the attack on its dark web site nor responded to an AP reporter’s queries. The lack of acknowledgment usually indicates a victim is either negotiating or has paid.
David Kennedy, founder and senior principal security consultant at TrustedSec, said that once a ransomware attack is discovered, companies have little recourse but to completely rebuild their infrastructure, or pay the ransom.
“Ransomware is absolutely out of control and one of the biggest threats we face as a nation," Kennedy said. “The problem we face is most companies are grossly underprepared to face these threats."
The cyberextortion attack presents a new challenge for a Biden administration still dealing with its response to major hacks from months ago, including a huge breach of government agencies and corporations for which the U.S. sanctioned Russia.
Colonial Pipeline said that the ransomware attack Friday affected some of its information technology systems and that the company halted pipeline operations.
The company transports gasoline, diesel, jet fuel and home heating oil from refineries on the Gulf Coast through pipelines running from Texas to New Jersey. Its pipeline system spans more than 5,500 miles, transporting more than 100 million gallon a day.
Patrick De Haan, head of petroleum analysis for GasBuddy.com, told The Atlanta Journal-Constitution that a shutdown lasting one or two days likely won’t impact fuel prices, especially since oil refineries along the Gulf Coast are still churning out gasoline.
Debnil Chowdhury at the research firm IHSMarkit said that if the outage stretches to one to three weeks, gas prices could begin to rise. The last time there was a major outage, because of a broken pipeline in 2016, gas prices went up after about 10 days.
“I wouldn’t be surprised, if this ends up being an outage of that magnitude, if we see 15- to 20-cent rise in gas prices over next week or two,” he said.
The private cybersecurity firm FireEye said it has been hired to manage the investigation.
The Justice Department has a new task force dedicated to countering ransomware attacks.
Such attacks, mostly by criminal syndicates operating out of Russia and other safe havens, reached epidemic proportions last year, costing hospitals, medical researchers, businesses, state and local governments and schools tens of billions of dollars.
Average ransoms paid in the U.S. jumped nearly threefold to more than $310,000 last year. The average downtime for victims of ransomware attacks is 21 days, according to the firm Coveware, which helps victims respond.
___
Atlanta Journal-Constitution staff writers Asia Simone Burns and Shaddi Abusaid contributed to this report. AP writer Frank Bajak reported from Boston. AP writers Alan Suderman in Richmond, Virginia, and Martin Crutsinger and Michael Balsamo in Washington contributed to this report.
