Hacking Group Stops Oil Pipeline and Disrupts 45% of the East Coast's Fuel Supply

When you hear about a cyber attack, you generally assume that some sort of IT infrastructure suffered damage.  You might picture servers, web applications, or the business processes those systems support.  In a recent attack, however, ransomware shut down the largest fuel pipeline in the United States.  This attack shows that as cyber attacks evolve, the cyber world can be used to inflict damage on the physical world and its infrastructure.


The Victim

On May 7, 2021, the Colonial Pipeline suffered a ransomware attack that brought the pipeline's operations to a temporary stop.  According to its website, the Colonial Pipeline is the largest refined products pipeline in the United States, transporting more than 100 million gallons of fuel daily.  The pipeline stretches from Houston, Texas to New York Harbor and supplies roughly 45% of the fuel consumed on the East Coast.

The shutdown took 5,500 miles of pipeline out of service, and a regional emergency declaration covering 17 states and the District of Columbia was issued.  The declaration relaxes transport rules so that fuel can be delivered by other means to sites that require immediate supplies.

Critical infrastructure such as the Colonial Pipeline is a prime target for any attacker, and an even more attractive one for ransomware operators.  Given how badly the fuel is needed, how critical the pipeline is, and the sheer volume it transports each day, an attacker can reasonably expect a hefty payout from the Colonial Pipeline.


The Attack and Colonial Pipeline’s Response

In a statement on Friday, May 7, 2021, the Colonial Pipeline confirmed a cybersecurity attack involving ransomware.  United States officials later confirmed that DarkSide ransomware was the culprit.  This group primarily targets corporations and typically exfiltrates their data before encrypting their systems, so that victims can be extorted with the threat of a leak even if they restore from backups.  In this case the ransomware took down the largest pipeline in the United States, halting the transport of fuel across the eastern United States.

In response, Colonial Pipeline immediately took critical systems offline to prevent further spread of the ransomware.  This decision, rather than the ransomware itself reaching the pipeline's control systems, may be what ultimately halted the transport of fuel across the eastern United States.  Colonial Pipeline also brought in a third-party cybersecurity firm to investigate the scope, sophistication, and full extent of the security incident, and contacted law enforcement and other federal agencies.

On Sunday, May 9, 2021, Colonial Pipeline informed the public that it had initiated restart plans to begin the recovery process.


Why Target a Pipeline?

The juiciest targets for any attacker are those that must be available 24 hours a day, 7 days a week.  A target that needs constant availability while also delivering a highly critical function is an even larger target.  These characteristics work in an attacker's favor, because the extreme need for the critical system drives up the ransom a victim is willing to pay.

These are exactly the characteristics of critical infrastructure, such as pipelines, and of the systems that support it.  With its extreme availability requirements and critical functions, critical infrastructure is a prime target.

The Cybersecurity and Infrastructure Security Agency (CISA) released a warning in February 2020 (Alert AA20-049A, "Ransomware Impacting Pipeline Operations"), after a ransomware attack on a natural gas compression facility.  The alert warned critical infrastructure organizations that attackers were targeting them and that they needed to strengthen their security accordingly.