Major US oil pipeline shut down after ransomware attack

Finger of suspicion pointed towards DarkSide extortion gang rather than state-sponsored attackers.

Graham Cluley
@gcluley


A ransomware attack has caused the shutdown of one of the largest oil pipelines in the United States.

The 5,500-mile Colonial Pipeline, which carries over 100 million gallons of fuel every day from Houston, Texas to the New York Harbor, has been offline since May 7, according to the company which manages it:

On May 7, Colonial Pipeline Company learned it was the victim of a cybersecurity attack and has since determined that the incident involved ransomware. Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring.

Leading, third-party cybersecurity experts were also immediately engaged after discovering the issue and launched an investigation into the nature and scope of this incident. We have remained in contact with law enforcement and other federal agencies, including the Department of Energy who is leading the Federal Government response.

In an update posted on its website yesterday, the Colonial Pipeline Company said that it was developing a system restart plan, and that while its main pipelines remained offline “some smaller lateral lines between terminals and delivery points are now operational.”

The organisation says it will only bring the full system back online when it deems it safe to do so.


According to the New York Times, Colonial Pipeline has declined to say whether it planned to pay its attackers any ransom. I find it hard to imagine why any company wouldn’t say it had ruled out paying a ransom unless it was still considering the option.

From the sound of things, this was not a cyber attack launched with the intention of shutting down the pipeline by attacking critical infrastructure, but more the work of a regular ransomware gang that happened to successfully compromise the network of an organisation that delivered 45% of all fuel needed on the USA’s East Coast.

According to Reuters, the DarkSide ransomware gang is suspected of being responsible for the attack. As we discussed in an episode of the “Smashing Security” podcast a while back, the DarkSide ransomware gang has made headlines not just for its attacks against corporations, but also its claim that it would donate some of the money it made from ransom demands to charity.

Whether we should feel comforted that it was a regular criminal ransomware attack that has managed to disrupt gasoline and jet fuel supplies to the East Coast of the United States – rather than the work of a concerted effort by a state-sponsored hacking group – is debatable.

Further reading: Report: Colonial Pipeline paid ransomware attackers $5 million, but still had to rely on its own backups.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One comment on “Major US oil pipeline shut down after ransomware attack”

  1. Why would an oil pipeline company need its system to be connected to the Internet in the first place? Why not just use an intranet?
