Ransomware cyberattack shuts down major US pipeline, company says

Colonial Pipeline was targeted with a cyberattack Friday night.

May 9, 2021, 6:42 PM

A cyberattack has forced the shutdown of a major gas pipeline in the U.S. that supplies 45% of all fuel consumed on the East Coast.

The cyberattack against Colonial Pipeline, which runs from Houston to Linden, New Jersey, began 7 p.m. on Friday night, according to a Federal Emergency Management Agency report reviewed by ABC News.

"We proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems," the company said in a statement.

Colonial Pipeline said in an update Saturday the attack involved ransomware.

Colonial's network supplies fuel from U.S. refiners on the Gulf Coast to the eastern and southern U.S. and transports 2.5 million barrels a day of gasoline, diesel, jet fuel and other products through 5,500 miles of pipelines, the company said.

PHOTO: Traffic on I-95 passes oil storage tanks owned by the Colonial Pipeline Company in Linden, N.J., Sept. 8, 2008.
Traffic on I-95 passes oil storage tanks owned by the Colonial Pipeline Company in Linden, N.J., Sept. 8, 2008.
Mark Lennihan/AP, FILE

It's not clear how long the pipelines would be shut down. The shutdown will affect other pipeline operations such as the Buckeye and Twin Oaks Pipeline, which runs through the New York City-Long Island area and Maine, FEMA said.

The company, based in Alpharetta, Georgia, said it hired an outside cybersecurity firm to investigate the nature and scope of the attack and has also contacted law enforcement and federal agencies.

"Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline," the company said.

President Joe Biden has been briefed on the situation, according to a White House spokesperson.

"The federal government is working actively to assess the implications of this incident, avoid disruption to supply, and help the company restore pipeline operations as quickly as possible," the spokesperson said.

The official said the administration is proactively reaching out across the sector to ensure that they have protections in place that can detect similar attacks.

The FBI said it is working with Colonial Pipeline on the ransomware attack.

"FBI was notified of a network disruption at Colonial Pipeline on May 7, 2021 and is working closely with the company and government partners," the FBI said. "We have nothing additional to share at this time."

The Cybersecurity and Infrastructure Security Agency released a statement saying they are "engaged" with the company.

"We are engaged with the company and our interagency partners regarding the situation," Eric Goldstein, CISA's executive assistant director of the Cybersecurity Division said. "This underscores the threat that ransomware poses to organizations regardless of size or sector. We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats."

Preliminary results of the investigation at this point suggest the attack was the handiwork of the so-called DarkSide criminal organization that operates in Eastern Europe, according to two officials briefed on the probe. Federal officials are continuing to firm up their findings and are actively trying to determine whether a foreign nation could either be behind the attack or working together with the criminals.

Cybersecurity firm Fireye confirmed to ABC News Sunday that it is helping Colonial Pipeline with its systems in the wake of the attack.

Colonial Pipeline said it is "developing a system restart plan" in a statement Sunday. While the company said its mainline remains offline, smaller, "lateral" lines between terminals and delivery points are operational.

"We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations," the company said.

In addition, the U.S. Department of Transportation’s Federal Motor Carrier Administration said it is temporarily lifting certain rules for truck drivers who transport gasoline, diesel, jet fuel and petroleum products in states affected by the pipeline shutdown.

Last year, Fireye discovered the massive SolarWinds hack which affected nine government agencies.

Department of Homeland Security Secretary Alejandro Mayorkas spoke about the dangers of ransomware earlier this week given the recent spate of ransomware attacks, including the hack of the Washington, D.C., Metropolitan Police Department and the Illinois Attorney General's Office.

ABC News' Molly Nagle, Joshua Hoyos, Sam Sweeney and Luke Barr contributed to this report

Related Topics