Colonial Pipeline Restarts System Five Days After Cyberattack

Colonial Pipeline cautioned that it’ll still be several more days before the product delivery supply chain returns to normal after a Darkside ransomware attack Friday forced the pipeline giant to halt operations.

Colonial Pipeline restarted operations on its 5,500-mile pipeline at around 5 p.m. ET today five days after being hit with a crippling Darkside ransomware attack.

The Alpharetta, Ga.-based pipeline giant cautioned that it’ll still be several more days before the product delivery supply chain returns to normal, with some markets experiencing intermittent service interruptions during the start-up period. More than 10,000 gas stations across the Southeast were out of fuel Wednesday as a result of Colonial Pipeline shutting down its system following the cyberattack.

“Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal,” the company said in a statement released at 5:11 p.m. ET Wednesday.



Colonial said Tuesday it has prioritized getting gas to markets experiencing supply constraints and/or not serviced by other fuel delivery systems. Since Colonial took its pipeline system offline, the company has delivered some 967,000 barrels – or 41 million gallons – of gas to markets including Atlanta; Belton and Spartanburg, S.C.; Charlotte and Greensboro, N.C.; Baltimore; and Woodbury and Linden, N.J.

In preparation for system restart, Colonial said late Tuesday it had taken delivery of an additional two million barrels – or 84 million gallons – from refineries for deployment upon restart. Consistent with regulatory requirements, Colonial said Tuesday it has also increased aerial patrols of its pipeline right of way and deployed more than 50 people to walk and drive alongside 5,000 miles of pipeline each day.

Colonial began operating a line running from Greensboro, N.C., to Woodbine, Md., late Monday under manual control for a limited period of time while existing inventory was available. The company’s main pipelines connect Houston to the New York Harbor and provide refined fuel products to more than 50 million Americans.

Shortly after realizing it had been compromised, Colonial brought in Milpitas, Calif.-based threat intelligence vendor FireEye to investigate the nature and scope of the cyberattack. On Monday afternoon, the Federal Bureau of Investigation (FBI) confirmed media reports that the Darkside ransomware group was responsible for the compromise of the Colonial Pipeline networks.

Darkside was reportedly behind the ransomware attack against Fort Mill, S.C.-based CompuCom, No. 41 on the 2020 CRN Solution Provider 500, that’s expected to cost the Office Depot subsidiary $20 million. And just today, Darkside claimed on its leak site to have attacked an Illinois-based technology services reseller, a Brazilian reseller of renewable energy products, and a Scottish construction company.

But when it comes to the Colonial Pipeline attack, Darkside might have realized it was flying too close to the sun. The ransomware gang posted a statement insisting it’s apolitical and isn’t looking to participate in geopolitics. But Darkside’s software is coded to not work against computers where Russian or one of several other Eastern European languages is set as the default, Emsisoft analyst Brett Callow said.

“Our goal is to make money, and not creating (sic) problems for society,” Darkside posted to its leak site Monday, according to media reports. “From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

Also on Wednesday, President Joseph Biden signed an executive order aimed at increasing investment in cybersecurity defenses on the part of the federal government. The order calls for sharing information about potential cyber threats between the federal government and IT service providers, as well as for adopting security best practices and moving toward a zero trust architecture. The order also calls for enhancing software supply chain security and establishing a “cyber safety review board” to review significant cyberattacks.