Colonial Pipeline Confirms Ransomware Causing DisruptionsCompany Has Taken Systems Offline as a Precaution; Investigation Ongoing
See the latest update on this story.
Colonial Pipeline, which oversees more than 5,500 miles of pipeline that supplies fuel throughout the U.S. East Coast, confirmed Saturday that a ransomware attack has disrupted its services, and the company has taken some of its IT systems offline as a precaution, the company noted in a statement posted to its website.
The company provided only scant details of the incident, which was first reported on Friday. In its statement, the company did not indicate what type of ransomware was used during the attack or if the company had been contacted by a criminal gang. Colonial Pipeline noted that it continues to investigate the cyber incident along with a third-party security firm, while certain IT systems remain offline.
"We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems," according to the company's updated statement. "Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies."
On Saturday, a company spokeswoman told Information Security Media Group that Colonial had no additional information to share at this point.
Because Colonial Pipeline operates refineries and pipelines that supply fuel and other petroleum products throughout the eastern and southern U.S., the company is considered part of the nation's critical infrastructure. So officials from the Cybersecurity and Infrastructure Security Agency, along with the FBI, are investigating the attack.
Eric Goldstein, CISA's executive assistant director of the Cybersecurity Division, tells ISMG: "We are engaged with the company and our interagency partners regarding the situation. This underscores the threat that ransomware poses to organizations regardless of size or sector. We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats."
The Washington Post, citing two unnamed U.S. officials, first reported that ransomware was the likely source of the attack. The officials did not indicate what specific ransomware variant or cybercriminal group might have been responsible for the incident.
Former CISA Director Christopher Krebs took to Twitter on Saturday to declare that as these types of ransomware attacks have gotten out of control, more comprehensive approaches are needed. Over the past several months, Krebs has been advocating for more funds for his former agency, as well as state and local governments, to address incidents involving these types of crypto-locking malware attacks (see: Krebs: States Need a Cyber Funding Boost).
Ransomware shuts down one of the most critical regional pipelines. This has gotten out of control. https://t.co/xvRNQ0GAIO— Chris Krebs (@C_C_Krebs) May 8, 2021
Chris Pierson, CEO and founder of the security firm BlackCloak, says that following an attack like this, the entire U.S. energy sector, not just Colonial Pipeline, needs to rethink its approach to cybersecurity.
"This attack, if initial details are accurate, emphasizes that our nation's energy sector has a long way to go to ensure a higher level of resilience against cyberattacks and disruption, which are a part of everyday business life," Pierson tells ISMG. "Let's figure out what was missed and get the right information into the hands of those that govern and lead our critical infrastructure so they can build cybersecurity into their enterprise risk governance more effectively."
In April, the Institute for Security and Technology's Ransomware Task Force published a framework that included 48 recommendations for better addressing ransomware attacks, including more regulations of cryptocurrency markets and better sharing of information (see: Fighting Ransomware: A Call for Cryptocurrency Regulation).
Mike Hamilton, the former CISO of Seattle, says the Colonial Pipeline ransomware attack might be more than a cybercriminal gang looking to extort a ransom from a company that's been successfully breached.
"If Colonial is not being extorted, this may be a pure disruption for the purpose of creating further chaos in the American economy," says Hamilton, now the CISO for CI Security. "This is a strategic interest of some countries, especially those that depend on energy for a good portion of their GDP; it is likely that energy prices will spike as a result of this action."
Hamilton also notes that this incident might also be a case of "cyberactivism," because pipelines are typically sources of protest. No matter what the cause, this incident shows how ransomware has escalated into an even greater cyberthreat.
"There is one implication that is significant," Hamilton says. "These pipelines have been designated critical infrastructure. Intentionally disrupting or damaging these systems can be considered an act of terrorism. As more is learned about the event, and as the motivation of the actor or actors becomes clear, we'll find out if this event has taken us from a cold to a much warmer cyber conflict."
Critical Infrastructure Attacks
Founded in 1962, Colonial Pipeline Co. is based in Georgia and connects refineries in the Gulf Coast to customers throughout the southern and eastern U.S. through a pipeline system of more than 5,500 miles. This pipeline carries gasoline, diesel, jet fuel and home heating oil as well as fuel for the military, according to the company's website.
Colonial Pipeline transports about 45% of all the fuel consumed on the East Coast and serves almost 50 million U.S. customers, the company notes.
The attack against the company is the second major incident this year in which a critical infrastructure facility has been targeted.
In February, attackers targeted the water treatment facility in Oldsmar, Florida. At the time, local officials and law enforcement agencies reported that an intruder had gained remote access to a system to increase the amount of lye in the city's water system, but the attack was immediately thwarted (see: Florida City's Water Hack: Poor IT Security Laid Bare).
The initial investigation showed that the plant's employees reportedly used TeamViewer for remote access and that computers at the Florida plant reportedly were network-connected to the supervisory control and data acquisition - aka SCADA - system and were running outdated 32-bit versions of Windows 7 (see: Water Treatment Hack Prompts Warning From CISA).
The breach in Florida, combined with the ongoing investigations into the SolarWinds supply chain attack and attacks targeting vulnerable on-premises Microsoft Exchange email servers have prompted calls by lawmakers on both sides of the aisle for additional funding for CISA and more expansive breach notification when attacks occur (see: Senators Push for Changes in Wake of SolarWinds Attack).
Pierson says that these types of attacks, whether they involve nation-state groups or criminal gangs wielding ransomware, should prompt companies and government agencies to rethink their approaches to protecting critical infrastructure.
"Ensuring the protection, resiliency and fast repair of cyber damage is key, and the fact that lower-level malware attacks can be successfully launched against it are problematic," Pierson says. "It potentially means that operators of these vast systems are not spending on the right types of cybersecurity controls; supporting their cyber teams with the right education, tools and personnel to do their jobs; and are not reacting to cyber risk in a way that is well governed from the top down."