EXPLAINER: Why the Colonial Pipeline hack matters

NEW YORK (AP) — A cyberattack on a critical U.S. pipeline is sending ripple effects across the economy, highlighting cybersecurity vulnerabilities in the nation's aging energy infrastructure. The Colonial Pipeline, which delivers about 45% of the fuel used along the Eastern seaboard, shut down Friday after a ransomware attack by gang of criminal hackers that calls itself DarkSide. Depending on how long the shutdown lasts, the incident could impact millions of consumers.

WHAT HAPPENED TO THE COLONIAL PIPELINE?

Colonial Pipeline, the owner, halted all pipeline operations over the weekend, forcing what the company called a precautionary shutdown. U.S. officials said Monday that the “ransomware” malware used in the attack didn’t spread to the critical systems that control the pipeline’s operation. But the mere fact that it could have done so alarmed outside security experts.

WILL THERE BE GASOLINE SHORTAGES?

It depends on how long the shutdown lasts. Colonial said it's likely to restore service on the majority of its pipeline by Friday.

There’s no imminent shortfall, and thus no need to panic buy gasoline, said Richard Joswick, head of global oil analytics at S&P Global Platts. If the pipeline is restored by Friday, there won’t be much of an issue. “If it does drag on for two weeks, it’s a problem,” Joswick added. “You’d wind up with price spikes and probably some service stations getting low on supply. And panic buying just makes it worse.”

SO WHAT’S HAPPENING WITH GASOLINE PRICES?

The average gasoline price jumped six cents to $2.96 over the past week, and it’s expected to continue climbing because of the pipeline closure, according to AAA. Mississippi, Tennessee and the East coast from Georgia to Delaware are the most likely to experience limited fuel availability and higher prices, and if the national average rises by three more cents, these would be the highest prices since November 2014, according to AAA.

WHAT’S RANSOMWARE AGAIN?

Ransomware scrambles data that can only be decoded with a software key after the victim pays off the criminal perpetrators. An epidemic of ransomware attacks has gotten so bad that Biden administration officials recently deemed them a national security threat. Hospitals, schools, police departments and state and local governments are regularly hit. Ransomware attacks are difficult to stop in part because they’re usually launched by criminal syndicates that enjoy safe harbor abroad, mostly in former Soviet states.

WHO IS BEHIND THE ATTACK AND WHAT MOTIVATES THEM?

The hackers are Russian speakers from DarkSide, one of dozens of ransomware gangs that specialize in double extortion, in which the criminals steal an organization’s data before encrypting it. They then threaten to dump that data online if the victim doesn’t pay up, creating a second disincentive to trying to recover without paying.

Ransomware gangs say they are motivated only by profit. Colonial has not said how much ransom DarkSide demanded or whether it has paid. So far this year, ransomware gangs’ demands have reached as high as $50 million.

U.S. officials say there’s is no evidence the Kremlin directly benefits from ransomware though Russian security services tolerate and sometimes even employ these cybercriminals. It’s not clear whether DarkSide has such Russian affiliations. President Joe Biden said Monday in answer to reporters' questions that there is no evidence so far that the Russian government is involved but there is evidence that DarkSide is Russia-based.

WHAT MAKES THIS DIFFERENT FROM OTHER RECENT HACKS?

Two big recent hacking campaigns — Solar Winds and the compromise of Microsoft Exchange — are viewed by U.S. officials as state-backed espionage. In the former, elite Russian hackers infiltrated U.S. government and corporate networks for months until their discovery in December. In the latter hack, first detected in late January, the U.S. blamed Chinese cyberspies. Biden has already announced sanctions against Russia for the SolarWinds hack and U.S. election interference, although many experts don’t believe them adequate to deter Russian President Vladimir Putin. Biden said he planned to raise the issue of Russia’s providing safe haven for cybercriminals when he meets with Putin, reportedly next month.

DarkSide posted a statement on its dark web site on Monday seeking to blame the Colonial attack on affiliates who rented out its ransomware, which is how such business operate. DarkSide claims it is apolitical and does not attack hospitals, nursing homes, schools or government agencies.

WHY WASN’T COLONIAL ABLE TO PREVENT OR CONTAIN THE ATTACK?

Neither Colonial nor federal officials have explained how the attackers breached the company’s network and went undetected. Cybersecurity experts believe that Colonial may not have employed state-of-the-art defenses, in which software agents actively monitor networks for anomalies and are programmed to detect known threats such as DarkSide’s infiltration tools.

WHAT DOES COLONIAL NEED TO RESTORE ITS NETWORK AND HOW LONG WILL THAT TAKE?

That depends on how extensively Colonial was infected, whether it paid the ransom and, if it did, when it got the software decryption key. The decryption process could take several days at least, experts say. Colonial has not responded to questions on these issues, although it said only its IT network was affected.

DO PIPELINES FACE A GREATER RISK OF RANSOMWARE ATTACKS?

They're not necessarily at greater risk, but they do pose unique challenges. The Colonial Pipeline structure is a vast piece of critical infrastructure that provides fuel supply to states along the East Coast. Such a large network is bound to have different control systems along its path where it connects with distributors or customers.

“Every single time you connect something, you run the risk that you’re going to infect something,” said Kevin Book, managing director at Clearview Energy Partners. That variability can also make it harder for hackers to know where to find vulnerabilities, he said.

Over time, as pipelines expand, companies can end up with a mix of technology — some parts built within the company and others brought in from outside, said Peter McNally, global sector lead at Third Bridge. Many large energy companies have been under pressure from investors to limit reinvestment in such assets, which can be decades old, he added. That can be a problem when dealing with modern criminals.

WHAT CAN BE DONE TO HALT RANSOMWARE ATTACKS?

Previous attempts to put ransomware operators out of business by attacking their online infrastructure have amounted to internet whack-a-mole. The U.S. Cyber Command, Microsoft and cross-Atlantic police efforts with European partners have only been able to put a temporary dent in the problem.

Last month, a public-private task force including Microsoft, Amazon the FBI and the Secret Service gave the White House an 81-page urgent action plan that said considerable progress could be possible in a year if a concerted effort is mounted with U.S. allies, who are also under withering attack.

Some experts advocate banning ransom payments. The FBI discourages payment, but the task force said a ban would be a mistake as long as many potential targets remain “woefully unprepared,” apt to go bankrupt if they can’t pay. Neuberger said Monday that sometimes companies have no real choice but to pay a ransom.

The task force said ransomware actors need to be named and shamed and the governments that harbor them punished. It calls for mandatory disclosure of ransom payments and the creation of a federal “response fund” to provide financial assistance to victims in hopes that, in many cases, it will prevent them from paying ransoms.

Bg pattern light

UPGRADE TO PREMIUM

Subscribe to Samoa Observer Online

Enjoy access to over a thousand articles per month, on any device as well as feature-length investigative articles.

Ready to signup?