Supplies of gasoline, diesel and jet fuel are slowly returning to normal along the eastern seaboard of the United States after days of disruption caused by a cyber-attack.
A hacking group called Darkside claimed responsibility for an attack which locked the company's payment records. Darkside said it had also targeted four other companies including a Toshiba subsidiary in Germany.
Reminder, the hackers did not do anything that stopped the pipeline, they locked the payment records and Colonial pipeline shut the pipe down so nobody would get free gas. https://t.co/yFnjane6KG— Feef (@Feefers) May 14, 2021
Bloomberg News and the New York Times said the owners of the Colonial pipeline paid a ransom of around US$5 million to Darkside.
The pipeline carries 100 million gallons of fuel each day to the East Coast from Texas and more than 16,000 gas stations suffered interruptions to their supplies because Colonial was not prepared to keep pumping when it was not sure it would get paid by customers.
Colonial said the pipeline would resume normal operations on Monday, 17 May but some gasoline shipments are now 10 days behind schedule.
Biden continues to think pallets of cash are the answer. You can never become the mark when ransom is the cost of doing business. We know the consequences: if you pay them, there will be more of them. https://t.co/aoJHQF7mPL— Mike Pompeo (@mikepompeo) May 14, 2021
Steve Boyd, managing director at fuel delivery firm Sun Coast Resources, told Reuters it could take 12 to 20 days for new deliveries from Gulf Coast refineries to reach the end of the pipeline in Linden, New Jersey.
Sun Coast has resorted to using 75 trucks to take supplies from terminals in Alabama and Georgia to customers further north.
Herein is the crux of the challenge: while the attention may be on DarkSide ransomware, the harsh reality is that equal concern should be placed at Ryuk, or REVIL, or Babuk, or Cuba, etc. https://t.co/GHVCtLNMog RT @McAfee— 780th Military Intelligence Brigade (Cyber) (@780thC) May 14, 2021
But the Darkside incident has highlighted the fragility of US infrastructure and its vulnerability to cyber-attacks.
In 2005 Israel deployed the Stuxnet computer virus against Iran in an attempt to derail its nuclear industry.
But the Colonial incident is not the first cyber-attack by individuals on infrastructure using ransomware.
In her book about the Stuxnet affair, Kim Zetter wrote about an incident in 2000 in Maroochy Shire in Australia’s Queensland state.
Colonial Pipeline paid $5 million ransom to Darkside hackers within hours after attack last week. Once paid, the hackers provided a decrypting tool to restore the company's disabled network. Tool was very slow to work though. https://t.co/7IKQ0czmbp— Kim Zetter (@KimZetter) May 13, 2021
She wrote: "In early 2000 Maroochy Shire’s beauty took an ugly turn when, over the course of four months, a hacker caused more than 750,000 gallons of raw sewage to spill from a number of wells and pour into public waterways."
An investigation later identified a vengeful former employee called Vitek Boden as the culprit and found he had been sending “malicious commands” to the sewage wells using two-way radio signals.
He was arrested one night, and a laptop found in his car held proprietary software.
Zetter wrote: “Boden’s case was the first cyberattack against a critical infrastructure system to come to light, but it likely wasn’t the first to occur.”
She said it should have been a “wake-up call” to many industries but it appears many are still vulnerable.
President Biden promised a US response to DarkSide yesterday and right now something very bad appears to be happening to DarkSide, which hacked the Colonial Pipeline.— Eamon Javers (@EamonJavers) May 14, 2021
On 10 May US President Joe Biden said of the Darkside attack: “It’s a criminal act, obviously. We have efforts under way with the FBI and DoJ (Department of Justice) to disrupt and prosecute ransomware criminals.”
Late last week it appeared the operators of the Darkside ransomware had themselves been ripped off.
Darksupp, one of the ransomware’s operators, was reported by Recorded Future threat intelligence analyst Dmitry Smilyanets as having posted: “A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. CDN servers.”
The Record reported that cryptocurrency funds had been withdrawn from the group’s payment server.
The Record wrote: “The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said.”