By Sarosh Bana, Correspondent
Colonial Pipeline, that operates the US’s largest fuel network, paid a ransom of 75 Bitcoin, or roughly $5 million, to DarkSide, the cybercrime organisation said to operate out of East Europe, that helped reopen its arterial pipeline on 12 May, five days after the cyberattack.
The closure of the Georgia-headquartered company’s 8,850-km pipeline – as long as the Great Wall of China, with all its branches and trenches – had spurred a hike in petroleum prices in the US and panic buying of fuel by consumers.
The American Automobile Association reported that gas prices in the US hit an average of $3.03 on 13 May, the highest level since 2014. Petroleum futures rose 1.4 per cent to $2.16 per gallon (3.79 litres), while heating oil futures rose 0.9 per cent to $2.03.
News of the ransom in the hard-to-trace cryptocurrency was first reported by Bloomberg on 13 May, but Colonial, which had initially announced it would spurn any ransom demand, declined to comment. It, however, maintained on 13 May that while it had made “substantial progress” restarting the pipeline system, it will take “several days for the product delivery supply chain to return to normal”.
President Joe Biden too stated that the pipeline was in the process of restoring service, adding that it would take time before everything was fully operational and for the stabilisation in supply to be felt at the gas pump. “We will not feel the effects at the pump immediately,” he said at the White House on 12 May. “This is not like flicking on a light switch.”
Industry watchers too believed that it could take days to weeks for fuel prices and availability to return to normal. They also felt that a $5 million ransom for a pipeline was trifling, and surprising since the ransom demand was made by a cybercrime syndicate that targets high net worth companies. They reasoned that a demand of $25 million to $35 million would have been more expected for such a company.
Trend Micro Research indicates that the ransomware used by the group is of the same name, DarkSide, which is a relatively new family first spotted last August. Apart from locking Colonial Pipeline’s computer systems, DarkSide also stole over 100 GB of corporate data. “This data theft is all the more relevant in light of the fact that the group has a history of doubly extorting its victims — not only asking for money to unlock the affected computers and demanding payment for the captured data, but also threatening to leak the stolen data if the victims do not pay,” notes Trend Micro.
DarkSide publicised on 12 May that it had three additional victims, namely, a Scottish construction company, a Brazilian renewable energy product reseller, and a technology services reseller in the US. The organisation claimed to have stolen a cumulative 1.9 GB of data from these companies, including sensitive information such as client data, financial data, employee passports, and contracts.
Another report calculated that cyberattack victims paid $350 million in cryptocurrency last year, a 311 per cent increase over the previous year. It assessed the average ransom paid by organisations in 2020 at $312,493. Upon receiving the payment, the hackers provide the operator a decrypting tool to restore their disabled computer network. The tool was painfully slow in the case of Colonial, forcing the company to deploy its own backups to help restore the system.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” indicated DarkSide in a statement provided to CNBC by Cybereason on 10 May. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Founded in 1962, Colonial Pipeline delivers about 380 million litres of petroleum, diesel, jet fuel, home heating oil, and military fuels per day to cities and businesses across the eastern and southern US. Its pipeline system transports 45 per cent of all fuel used by more than 50 million people from Houston, Texas, to Linden, in New Jersey. This serves more than 270 marketing terminals near major urban centres in the Southeast and along the Eastern Seaboard.
With $421 million in net income last year, the company also provides a portfolio of information and logistics management services to its customers. It resulted from the coming together of nine energy behemoths, including Texaco, Phillips Petroleum, Continental Oil and Mobil, to build what was then the country’s largest-ever privately-funded construction project. The pipeline cost $370 million, $3.3 billion in today’s prices.
Colonial Pipeline is owned by a consortium of companies, including that of billionaire brothers Charles and David Koch, Kohlberg, Kravis Roberts-Keats Pipeline Investors, L.P., Canadian fund manager Caisse de dépôt et placement du Québec, IFM Investors, Colonial Pipeline 2, and Shell Midstream Operating.
To deal with the hack, the Biden administration legislated an emergency order that allows for fuel transportation drivers to take longer shifts without sleep than what regulations normally allow. The emergency order will last until 8 June and can be extended, if required, its aim being to sustain fuel supplies to the South and Eastern US without disruption.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) officially affirmed that they were aware of the “ransomware attack affecting a critical infrastructure (CI) entity – a pipeline company – in the United States”, adding that “malicious cyber actors deployed DarkSide ransomware against the pipeline company’s information technology (IT) network”.
They urged CI asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of the Joint Cybersecurity Advisory, including implementing robust network segmentation between IT and OT networks, regularly testing manual controls, and ensuring that backups are implemented, regularly tested, and isolated from network connections. “These mitigations will help CI owners and operators improve their entity’s functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware,” their statement concluded.