Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service

Colonial Pipeline Restarts Operations Following Attack

Company Says It Will Take Several Days to Restore Supply Chain
Colonial Pipeline Restarts Operations Following Attack
Photo: Pete D via Flickr/CC

Colonial Pipeline Co. announced Wednesday that it had restarted its operations following a ransomware attack last Friday that forced the company to shut down its IT systems to keep the malware from spreading throughout its infrastructure.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The company says it restarted its operations around 5 p.m. EDT on Wednesday. Before the announcement, Colonial Pipeline had set a goal to bring some of its pipeline operations back online by week's end.

Following the Wednesday announcement, President Joe Biden signed an executive order designed to help strengthen the government's response to cyberattacks.

"President Biden signed an executive order to chart a new course to improve the nation’s cybersecurity. This incident demonstrates that federal agencies and the private sector must work collaboratively to learn the lessons of this incident, strengthen cybersecurity practices, and deploy technologies that increase resilience against cyberattacks," White House press secretary Jen Psaki said.

Days Needed to Return to Normal

Colonial Pipeline noted it would take several more days to restore all of its supply chain operations. The Georgia-based company connects refineries in the Gulf Coast to customers throughout the southern and eastern U.S. through a pipeline system of more than 5,500 miles. This pipeline carries gasoline, diesel, jet fuel and home heating oil as well as fuel for the military. Colonial Pipeline transports about 45% of all the fuel consumed on the East Coast.

"Following this restart, it will take several days for the product delivery supply chain to return to normal," the company said in a statement. "Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during the start-up period. Colonial will move as much gasoline, diesel and jet fuel as is safely possible and will continue to do so until markets return to normal."

Colonial Pipeline has not commented on the ransomware attack that led it to shut down its IT infrastructure as a precaution on May 7. The company noted that as part of the startup process: "Colonial will conduct a comprehensive series of pipeline safety assessments in compliance with all federal pipeline safety requirements."

And while Colonial Pipeline has restarted operations, The Washington Post reports that several states in the southeast U.S. are reporting gasoline and fuel shortages due to the pipeline outage. As a result, the governors of Florida, North Carolina, Georgia and Virginia have all declared states of emergency.

Ransomware Attack Investigation

The ransomware attack that caused the disruptions of Colonial Pipeline is being investigated by the FBI, with assistance from the Cybersecurity and Infrastructure Security Agency. The FBI and the White House have attributed the attack to a strain of ransomware called DarkSide, which was developed by a ransomware-as-a-service group of the same name (see: FBI: DarkSide Ransomware Used in Colonial Pipeline Attack).

Although it's a relatively new ransomware group that first appeared in Russian-speaking forums in August 2020, DarkSide and its affiliates have already made a significant impact. They are part of a group of cybercriminals known for "big game hunting" attacks against large companies, and they demand big ransoms as part of double-extortion tactics that include not only encrypting data but stealing information and then demanding payment from victims in exchange for not leaking it (see: Rise of DarkSide: Ransomware Victims Have Been Surging).

In a report released this week, FireEye's Mandiant research team said that DarkSide's affiliate model has proven successful. Sophos notes the crime group's malicious code can target and encrypt Windows as well as Linux systems.

On Wednesday, CNBC reported that the DarkSide group and its affiliates claim to have targeted three other organizations within the past several days.

Colonial Pipeline has not confirmed if it's in contact with the attackers or if it has received any ransom demands. The FBI advises ransomware victims not to pay ransoms because that could encourage other attacks (see: DarkSide's Pipeline Ransomware Hit: Strictly Business?).

Government Effort

In addition to the response to the attack by law enforcement officials, the Biden administration deployed the Energy, Transportation, Homeland Security, Treasury and Defense departments to respond to the attack and work on keeping fuel shortages to a minimum and preventing price spikes.

On Tuesday and Wednesday, lawmakers from both parties started to propose new laws to address ransomware and other cyberattacks, and hearings are expected to be held to examine how the oil and gas industry conducts its security operations and how it can respond to cybersecurity incidents (see: Colonial Pipeline Attack Leads to Calls for Cyber Regs).

Sam Curry, chief security officer at Cybereason, which has conducted its own research into DarkSide, notes that once the pipeline becomes fully operational and Colonial Pipeline's IT systems return to normal, the company and CISA will be able to get a better understanding of what happened.

"The most important thing is to get them operational again and then in the cool light of day to understand what happened," Curry says. "We have to avoid bayoneting the wounded and give Colonial a chance to recover, to work with authorities and to share data and lessons learned when they can. Transparency will help here and, collectively, there will no doubt that lessons will be learned."

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.