By Stephanie Kelly and Christopher Bing
NEW YORK (Reuters) -Top U.S. fuel pipeline operator Colonial Pipeline shut its entire network, the source of nearly half of the U.S. East Coast’s fuel supply, after a cyber attack that involved ransomware.
The incident is one of the most disruptive digital ransom operations ever reported and has drawn attention to how critical U.S. energy infrastructure is vulnerable to hackers. A prolonged shutdown would cause prices to spike at gasoline pumps ahead of peak summer driving season.
Colonial transports 2.5 million barrels per day of gasoline, diesel, jet fuel and other refined products through 5,500 miles (8,850 km) of pipelines linking refiners on the Gulf Coast to the eastern and southern United States. It serves some of the country’s largest airports, including Atlanta’s Hartsfield Jackson Airport, the world’s busiest by passenger traffic.
“This is as close as you can get to the jugular of infrastructure in the United States,” said Amy Myers Jaffe, research professor and managing director of the Climate Policy Lab. “It’s not a major pipeline. It’s the pipeline.”
Colonial said it shut down systems to contain the threat after learning of the attack on Friday. That action also temporarily halted operations and affected some of its IT systems, the company said.
While the U.S. government investigation is in early stages, one former official and two industry sources said the hackers are likely a professional cybercriminal group. The former official said investigators are looking at a group dubbed “DarkSide,” known for deploying ransomware and extorting victims while avoiding targets in post-Soviet states.
Colonial and the Cybersecurity and Infrastructure Security Agency (CISA) said the incident involved the use of ransomware, a type of malware designed to lock down systems by encrypting data and demanding payment to regain access.
Colonial has engaged a cybersecurity firm to launch an investigation and contacted law enforcement and federal agencies, it said.
Cybersecurity company FireEye has been brought in to respond to the attack, the cybersecurity industry sources said. FireEye declined to comment.
U.S. government bodies said they were aware of the situation. President Joe Biden was briefed on the incident on Saturday morning, a White House spokesperson said, adding that the government is working to try to help the company restore operations and prevent supply disruptions.
The Department of Energy said it was monitoring potential impacts to the nation’s energy supply, while both CISA and the Transportation Security Administration told Reuters they were working on the situation.
“We are engaged with the company and our interagency partners regarding the situation. This underscores the threat that ransomware poses to organizations regardless of size or sector,” said Eric Goldstein, executive assistant director of the cybersecurity division at CISA.
Colonial did not give further details or say how long its pipelines would be shut. The privately held, Georgia-based company is owned by CDPQ Colonial Partners L.P., IFM (US) Colonial Pipeline 2 LLC, KKR-Keats Pipeline Investors L.P., Koch Capital Investments Company LLC and Shell Midstream Operating LLC.
“Cybersecurity vulnerabilities have become a systemic issue,” said Algirde Pipikaite, cyber strategy lead at the World Economic Forum’s Centre for Cybersecurity.
“Unless cybersecurity measures are embedded in a technology’s development phase, we are likely to see more frequent attacks on industrial systems like oil and gas pipelines or water treatment plants,” Pipikaite added.
If the system is shut for four or five days, the market could see sporadic outages at fuel terminals that depend on the pipeline for deliveries, said Andrew Lipow, president of consultancy Lipow Oil Associates.
After the shutdown was first reported on Friday, gasoline futures on the New York Mercantile Exchange gained 0.6% while diesel futures rose 1.1%, both outpacing gains in crude oil. Gulf Coast cash prices for gasoline and diesel edged lower on prospects that supplies could accumulate in the region.
“As every day goes by, it becomes a greater and greater impact on Gulf Coast oil refining,” said Lipow. “Refiners would have to react by reducing crude processing because they’ve lost part of the distribution system.”
Gulf Coast prices could weaken further, while prices in New York Harbor could rise, one market participant said – gains that could portend increases at the Northeast pumps.
The American Petroleum Institute, a top oil industry trade group, and the American Automobile Association both said they were monitoring the situation.
Kinder Morgan Inc said its Products (SE) Pipe Line Corporation (PPL) remains in full service. PPL is currently working with customers to accommodate additional barrels during Colonial’s downtime, it said. PPL can deliver about 720,000 bpd of fuel through its pipeline network, which originates in Louisiana and ends in the Washington, D.C., area.
Ben Sasse, a Republican senator from Nebraska and a member of the Senate Select Committee on Intelligence, said the cyberattack was a warning of things to come.
“This is a play that will be run again, and we’re not adequately prepared,” he said, adding lawmakers should pass an infrastructure plan that hardens sectors against these attacks.
Colonial previously shut down its gasoline and distillate lines during Hurricane Harvey, which hit the Gulf Coast in 2017. That contributed to tight supplies and gasoline price rises in the United States after the hurricane forced many Gulf refineries to shut down.
(Reporting by Stephanie Kelly, Devika Krishna Kumar, Christopher Bing and Raphael Satter; Additional reporting by Trevor Hunnicutt, Gary McWilliams, Laura Sanicola; Editing by Simon Webb, Alistair Bell and Daniel Wallis)