Colonial Pipeline Cyberattack: Restoration Expected This Week

The FBI confirmed Monday afternoon that the Darkside ransomware group is responsible for compromising Colonial Pipeline. Darkside was also reportedly behind the huge ransomware attack against CompuCom.

Colonial Pipeline expects to substantially restore operational service by the end of the week following a crippling Darkside ransomware attack that halted all pipeline operations.

The Alpharetta, Ga.-based pipeline giant shut down its 5,500-mile pipeline Friday to contain the ransomware, and resumed operations late Sunday of some smaller lateral lines between terminals and delivery points. But the main pipelines connecting Houston to the New York Harbor and providing refined fuel products to more than 50 million Americans remain offline, according to Colonial.

“Restoring our network to normal operations is a process that requires the diligent remediation of our systems, and this takes time,” Colonial said in a Monday afternoon statement. “This plan is based on a number of factors, with safety and compliance driving our operational decisions.”

[Related: U.S. Pipeline Giant Halts All Operations Following Cyberattack]

Segments of Colonial’s pipeline are being brought back online in a stepwise fashion in close consultation with the Department of Energy to ensure that relevant federal regulations are being observed. Colonial said it’s continuing to evaluate product inventory in storage tanks at its facilities, and is working with its shippers to move this product to terminals for local delivery.

The Department of Transportation issued a temporary hours of service exemption for those transporting gasoline, diesel, jet fuel and other refined petroleum products. The exemption applies to: Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina; Pennsylvania; South Carolina; Tennessee, Texas and Virginia.

Colonial said Friday it had brought in a leading, third-party cybersecurity firm to launch an investigation into the nature and scope of the cyberattack. The Wall Street Journal and others have reported that Colonial brought in Milpitas, Calif.-based threat intelligence vendor FireEye to investigate the attack. FireEye confirmed to CRN that it’s working with Colonial Pipeline, but declined to comment further.

“Our primary focus continues to be the safe and efficient restoration of service to our pipeline system, while minimizing disruption to our customers and all those who rely on Colonial Pipeline,” the company said in Monday’s statement. “We appreciate the patience of the traveling public and the support we have received from the Federal Government and our peers throughout the industry.”

The Federal Bureau of Investigation (FBI) Monday afternoon confirmed media reports that the Darkside ransomware group is responsible for the compromise of the Colonial Pipeline networks. Darkside was also reportedly behind the huge ransomware attack against Fort Mill, S.C.-based CompuCom, No. 41 on the 2020 CRN Solution Provider 500, that’s expected to cost the Office Depot subsidiary $20 million.

Darkside posted a statement to its leak website Monday insisting that the ransomware gang is apolitical and isn’t looking to participate in geopolitics, NBC News and others have reported. But Darkside’s software is coded to not work against computers where Russian or one of several other eastern European languages are set as the default, Emsisoft analyst Brett Callow told NBC News.

“Our goal is to make money, and not creating (sic) problems for society,” Darkside posted to its leak site, according to media reports. “From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

Darkside was launched on Aug. 10, 2020, with the operators pledging not to attack hospitals, schools, nonprofits or government targets, Wired reported in August 2020. The ransomware group also claimed at launch that it’d only attack businesses who can afford to pay a ransom, according to Wired.

“Before any attack, we carefully analyze your accountancy and determine how much you can pay based on your net income,” Darkside wrote in its Aug. 10, 2020, press release.

Then in October, the operators behind Darkside made the puzzling decision to donate $10,000 in Bitcoin from ransom proceeds to charities Children International and The Water Project, BBC News reported at the time. A Children International spokesperson told BBC at the time it wouldn’t be keeping the money since the donation was linked to a hacker.

“We think that it’s far that some of the money the companies have paid will go to charity,” Darkside wrote in an Oct. 13 blog post. “No matter how bad you think our work is, we are pleased to know that we helped changed someone’s life. Today, we sended (sic) the first donations.”