US fuel supply company hit by ransomware, government steps in to restore services - updated

Attackers also stole over 100 gigabytes of data from Colonial Pipeline's networks

The Biden administration is working closely with fuel pipeline operator Colonial Pipeline to help it restart operations as quickly as possible, following a cyber attack last week that forced the company to shut down its IT systems, halting critical pipeline operations.

Update 10/5/21: The Department of Transportation has invoked emergency powers in response to the attack, to make it easier to transport fuel by road.

Update 11/5/21: DarkSide has apologised for the attack and promised to vet its targets more closely in the future. The group posted on its darkweb site: "We are apolitical. We do not participate in geopolitics. Our goal is to make money and not creating [sic] problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."

The original story continues below.

US Commerce Secretary Gina Raimondo said on Sunday that resolving the issue quickly was a top priority for the government, and that all measures were being taken to prevent more severe disruptions to fuel supply.

"It's an 'all hands on deck' effort right now," Raimondo said on CBS's Face the Nation programme.

"We are working closely with the company, state and local officials, to make sure that they get back up to normal operations as quickly as possible and there aren't disruptions in supply."

Biden was briefed on the issue on Saturday morning, according to Reuters.

US Senator Bill Cassidy, a Republican from Louisiana, said on NBC's Meet the Press programme that lawmakers were prepared to work closely with private firms to protect critical infrastructure from cyber attacks.

"The implication for this, for our national security, cannot be overstated. And I promise you, this is something that Republicans and Democrats can work together on," Cassidy said.

Colonial Pipeline disclosed the security incident on Saturday, confirming that it involved ransomware.

The company said its main fuel lines remain offline but that some smaller lines are now operational.

It did not give details on who might have been behind the attack, but revealed that it was being assisted by a "leading, third-party cybersecurity firm" to investigate the incident.

"At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation," the company said.

Colonial Pipeline is the largest refined products pipeline operator in the US, transporting about 45 per cent of all fuel consumed on the East Coast.

The firm's pipeline spans nearly 8,850 kilometres from Houston, Texas to the New York area, transporting more than 100 million gallons of petrol, diesel and other fuels daily.

The attackers stole over 100 gigabytes of data from Colonial Pipeline's networks during the attack and have reportedly threatened the company with leaking stolen data online if they are not paid.

While the investigation into the cyber attack is still in its early stages, a former US official and other sources told Reuters that the hackers were thought to be members of the DarkSide ransomware gang, believed to be based in Russia.

It is not yet clear whether the firm has paid any money to the attackers.

Security experts have repeatedly warned in recent years that cyber attacks against critical infrastructure in the US are on the rise.

In February, unidentified hackers compromised the computer systems at a water treatment plant in Oldsmar, Florida, and changed the set point for sodium hydroxide (lye) in the treatment process; an operator noticed and reversed the change before the water supply was affected.

Following an investigation, a federal official said that weak network security measures, including shared remote-access credentials, and an obsolete, unsupported version of Windows allowed the attackers to infiltrate the treatment plant's computer systems and launch the attack.

In 2013, a Congressional report claimed that American utility providers were under constant assaults from hackers, with one electricity firm reporting 10,000 attempted cyber attacks in a single month.

In December, suspected Russian hackers breached the computer networks of the US Treasury Department and other federal agencies in the SolarWinds cyber-espionage campaign, which also targeted dozens of private firms in the US.

The same group of hackers also allegedly breached email accounts belonging to the former acting head of the Department of Homeland Security (DHS) and senior members of the DHS's cybersecurity division (CSD).

The attack led to the US Treasury Department sanctioning six Russian technology firms that it said were aiding government hackers engaged in "dangerous and disruptive cyber attacks".

The Department added that the Russian firms had been developing infrastructure and tools and carrying out malicious cyber activities on behalf of the Kremlin.