Colonial Pipeline, the largest refined products pipeline in the United States, has halted its operations after what it describes as a targeted ransomware attack.

Headquartered in Alpharetta, Georgia, Colonial Pipeline carries refined petroleum products, including gasoline, diesel and jet fuel, from refineries on the Gulf Coast to markets across the Eastern and Southern United States.

According to the company, its 5,500-mile pipeline system moves around three million barrels a day and supplies roughly 45% of the fuel consumed on the US East Coast.

A dedicated attack inflicting disruption

US business news network CNBC was first to report that Colonial Pipeline had been hit by ransomware, and that the company had taken systems offline to stop the malware spreading further across its network.

Colonial Pipeline followed the television report with an official statement of its own. It confirmed that it had been the target of a cyberattack and that it had shut down pipeline operations while teams responded:

“On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”

On the steps taken after the intrusion was discovered, the company said:

“Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have already launched an investigation into the nature and scope of this incident, which is ongoing.”

Ransomware operators behind the cyberattack

A US government official told The Washington Post that the ransomware group known as DarkSide is believed to be behind the attack on Colonial Pipeline. DarkSide began operating in August last year; its activities were first reported by BleepingComputer, the IT help site and cybersecurity community run by Lawrence Abrams.

As with many other ransomware operations that target enterprises, DarkSide is human-operated rather than self-propagating. Its operators first gain access to a company's corporate network and then move quietly from host to host, harvesting user credentials and copying out unencrypted documents as they go.

Once the operators hold Windows domain credentials, typically for an account with administrative rights across the estate, they use that access to push the ransomware to every reachable device at once, encrypting the devices and the data they hold. The choice of a privileged domain account is what lets a single deployment take down an entire network in minutes.

If, as reported, DarkSide is responsible for the attack on Colonial Pipeline, the group is likely to have stolen data before encrypting systems so that it can threaten to publish it, adding a second lever to the ransom demand. Other attacks attributed to the DarkSide ransomware group include those on Brookfield Residential, Discount Car and Truck Rentals, and CompuCom.