According to reports, Colonial Pipeline paid the ransom in cryptocurrency soon after cyber-attackers locked down its IT systems late last week

Colonial Pipeline storage tanks

(Credit: Colonial Pipeline)

Colonial Pipeline says “substantial progress” has been made in resuming fuel deliveries, six days after it was held to ransom by cyber-attackers and forced to shut down its operations.

“Product delivery has commenced in a majority of the markets we service,” the company said in an update, adding that it expected to be servicing each market along its 5,500-mile route by 12pm Eastern Time today (13 May).

Georgia-based Colonial Pipeline was forced to take its entire system offline last Friday (7 May) following a ransomware attack that has since been linked by the FBI to a hacking group known as DarkSide.

Reports have emerged today from Bloomberg that the company paid a ransom of roughly $5m to the hackers within hours of the security breach being noticed, in return for a decryption tool to regain access to its IT systems.

The article cites two people familiar with the transaction, which was apparently paid in cryptocurrency, and says a third source was able to confirm US government officials are aware that a payment was made.

According to the report, the hackers provided a decryption tool to the pipeline operator upon receiving the payment, but it ran so slowly that Colonial instead restored its systems largely from its own backups.

Colonial Pipeline did not immediately respond to a request for comment.

In a televised address earlier today, President Biden confirmed fuel is now flowing through the pipeline, but warned “we will not feel the effects at the pump immediately”.

“This is not like flicking on a light switch,” he said. “It’s going to take some time and there may be some hiccups along the way. We expect to see a region by region return to normalcy beginning this weekend and continuing into next week.”

He added that security agencies do not believe the Russian government was involved in the ransomware attack, but there is “strong reason to believe that the criminals who did the attack are living in Russia”.


Disruption of Colonial Pipeline ransom attack shows need for better cyber-resilience in the energy sector

Colonial Pipeline supplies around 45% of the fuel products consumed along the US East Coast, pumping gasoline, diesel and jet fuel produced in Gulf Coast refineries through the system from Texas up to New Jersey.

Several south-eastern US states – particularly North and South Carolina, Georgia and Virginia – have been affected by shortages at fuel stations this week due to the outage, a situation exacerbated by panic buying among consumers concerned about pumps running dry.

Operations were restarted yesterday evening, although several days of continued disruption are expected as the pipeline, which normally pumps around 2.5 million barrels of fuel products each day, is brought back to full operating capacity.

US energy secretary Jennifer Granholm posted on Twitter that the pipeline’s restart overnight went well, adding “that should mean things will return to normal by the end of the weekend”.

The incident has cast a spotlight on the vulnerabilities of critical energy infrastructure to cyber-attacks, and the need for governments and private companies to make their IT systems more resilient against cybercriminals.

DarkSide is known among cybersecurity researchers as a ransomware-as-a-service operation: it develops the ransomware and the supporting infrastructure (payment portal, negotiation channel and leak site) and leases them to affiliates, who break into victims' IT systems, deploy the malware to encrypt files and lock users out, and then split any ransom paid for the decryption tool with the group.

The group is reported to have released a statement after the attack on Friday claiming to be “apolitical” and only interested in making money, “not creating problems for society”.

It added that it would “introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future”.