Major US oil pipeline shut down after ransomware attack

Finger of suspicion pointed towards DarkSide extortion gang rather than state-sponsored attackers.

A ransomware attack has caused the shutdown of one of the largest oil pipelines in the United States.

The 5,500-mile Colonial Pipeline, which carries over 100 million gallons of fuel every day from Houston, Texas to the New York Harbor, has been offline since May 7, according to the company which manages it:

On May 7, Colonial Pipeline Company learned it was the victim of a cybersecurity attack and has since determined that the incident involved ransomware. Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring.

Leading, third-party cybersecurity experts were also immediately engaged after discovering the issue and launched an investigation into the nature and scope of this incident. We have remained in contact with law enforcement and other federal agencies, including the Department of Energy who is leading the Federal Government response.

In an update posted on its website yesterday, the Colonial Pipeline Company said that it was developing a system restart plan, and that while its main pipelines remained offline “some smaller lateral lines between terminals and delivery points are now operational.”

The organisation says it will only bring the full system back online when it deems it safe to do so.

According to the New York Times, Colonial Pipeline has declined to say whether it planned to pay its attackers any ransom. I find it hard to imagine why any company wouldn’t say it had ruled out paying a ransom unless it was still considering the option.

From the sound of things, this was not a cyber attack launched with the intention of shutting down the pipeline by attacking critical infrastructure, but rather the work of a regular ransomware gang that happened to successfully compromise the network of an organisation that delivered 45% of all fuel needed on the USA’s East Coast.

According to Reuters, the DarkSide ransomware gang is suspected of being responsible for the attack. As we discussed in an episode of the “Smashing Security” podcast a while back, the DarkSide ransomware gang has made headlines not just for its attacks against corporations, but also its claim that it would donate some of the money it made from ransom demands to charity.

Darkside ransom note

Whether we should feel comforted that it was a regular criminal ransomware attack that has managed to disrupt gasoline and jet fuel supplies to the East Coast of the United States – rather than the work of a concerted effort by a state-sponsored hacking group – is debatable.

Further reading: Report: Colonial Pipeline paid ransomware attackers $5 million, but still had to rely on its own backups.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Major US oil pipeline shut down after ransomware attack”

  1. Alex Freeman

    Why would an oil pipeline company need its system to be connected to the Internet in the first place? Why not just use an intranet?
