The US government declared emergency measures on Sunday, May 9, after malware crippled the large pipeline network operated by Colonial Pipeline. The network is an essential artery of American infrastructure: it carries more than 2.5 million barrels per day of refined petroleum products to gas stations and airports across the Eastern United States. The Department of Transportation announced in a statement an exceptional lifting of certain restrictions to let the company move its fuels by alternative routes while part of its pipeline system remains at a standstill.
What happened
On Thursday, May 6, a group of hackers broke into Colonial Pipeline's computer networks and stole more than one hundred gigabytes of data. The next day, the attackers paralyzed some of the company's computers with malicious software and demanded a ransom from Colonial Pipeline, of an amount that remains unknown, in exchange for letting the company regain use of its network.
Very quickly, the company announced that it had proactively shut down its distribution operations in order to respond effectively to the situation affecting its computer networks. Colonial Pipeline says that many systems were taken offline purely to keep the initial infection from spreading, and that the malware did not reach the systems that directly control the pipelines and fuel distribution. Whether or not the operational control systems were touched, the shutdown itself shows how an intrusion into a company's business IT can halt physical operations when the operator cannot be sure the compromise is contained.
According to several internal sources contacted by American media outlets such as the Washington Post and Bloomberg, Colonial Pipeline was hit by ransomware. Ransomware is malicious software that locks down the computers and networks of the organizations it infects: the files on the affected machines are encrypted, leaving them unreadable and unusable without the corresponding key. The operators then demand a ransom by leaving a note on the victims' computers; in exchange for the payment, which can run to millions of dollars, they promise to hand over a decryption key that is supposed to let the victims recover the use of their systems.
What are the consequences for the oil market?
Can this attack affect the oil market? On Monday morning, the US and European oil benchmarks, WTI and Brent, jumped 4.2% before gradually falling back. For now, traders seem to be waiting to learn more about the company's ability to restart operations. The incident comes as US demand is rising again, driven by the progress of vaccination and a strong economic recovery, and while the world oil market has not yet fully recovered from the blockage of the Suez Canal in April.
Without a rapid restart of operations, the United States faces two problems, one at each end of the pipeline. The regions around Atlanta and then New York risk a fuel shortage and very sharp price increases at gas stations. The Texas refineries, for their part, risk not knowing what to do with their output: storage tanks do not have infinite capacity, and a prolonged outage of this kind has never occurred before. Traders and shipowners are already looking for alternative ways to move the oil by ship, a path that is difficult to implement given US regulatory constraints.
Who are the suspects?
According to several American media outlets, DarkSide, a well-known criminal group behind numerous ransomware attacks, is suspected of being behind the operation that targeted Colonial Pipeline. DarkSide generally practices what is known as "double extortion": in addition to demanding a ransom from its victims, the criminals leak stolen data on a site dedicated to the companies they have targeted. The aim is to put pressure on victims by posting a countdown after which all of the stolen confidential data will be released to the public. As of Monday morning, however, the DarkSide site did not yet mention Colonial Pipeline, according to Le Monde's checks.
DarkSide operates as "ransomware as a service": the operators of the malware rent it out to other criminals, called "affiliates", who carry out the attacks themselves and pay a share of their proceeds to the creators of the ransomware.
DarkSide announced its creation in August 2020, presenting itself as a group of cybercrime veterans. "We have made millions of dollars in profit working in partnership with known ransomware. We created DarkSide because we had not yet found the perfect product: now we have it," the group explained in a press release at the time. DarkSide today claims dozens of victims, including many American companies, such as the publicly traded The Dixie Group.
A nebulous but experienced group
DarkSide bears a striking resemblance to many other criminal groups engaged in computer extortion. There are today more than a dozen major ransomware operators in the world, and like the vast majority of them, DarkSide does not appear to target companies located in Russia or in the countries of the former Soviet Union. The group also claims not to attack hospitals, schools or NGOs, a common claim among ransomware operators that is largely contradicted by the facts. In DarkSide's case, the security company Kaspersky has exposed an attempted extortion targeting schools that was linked to the group, and while DarkSide says it does not attack hospitals, its site lists a US health insurer among its victims.
While little is known about DarkSide, several experts interviewed by the specialist site Bleeping Computer in the summer of 2020 had identified elements in the ransomware's code resembling the code and methods of other well-known operators, such as GandCrab and REvil.
As the specialist site MagIT recalled, the security company Bitdefender had published, at the beginning of the year, a decryption tool for DarkSide's victims. The group responded immediately, asserting that the ransomware's code had been updated so that the tool would no longer work. Free decryptors of this kind generally rely on a flaw in how the malware handles its keys, which the operators can correct in a new build, so such tools tend to help only victims of the versions circulating before the fix.
Several attacks on energy infrastructure
The energy sector has been under close scrutiny for several years because of fears about the risk of cyberattacks. In February 2020, an American pipeline operator, whose name was not released, was forced to halt operations for two days after ransomware hit its computer network.
On the leak sites of the major ransomware operators, several attacks against energy-sector companies have been claimed recently. Going back a few years, the global wave caused by the WannaCry ransomware in 2017 notably hit companies in this sector in several countries, including India and Spain. In a recent Wall Street Journal article, several experts said that energy companies, especially in the United States, were not yet ready to face large-scale cyberattacks.