Colonial Pipeline transports more than 2.5 million barrels of fuel every day. Photo / AP
It took just two hours for cyber criminals to steal almost 100 gigabytes of data from one of the biggest energy pipelines in the US.
On Friday, a shadowy criminal gang, known as Darkside, was able to use that data to lock the computers of the Colonial pipeline, halting themovement of nearly half of the US east coast's fuel supply.
Officials are still scrambling to fully restart operations at Colonial, which transports 2.5m barrels per day of gasoline and other fuels through 5,500 miles (8,850km) of pipelines linking refiners on the Gulf Coast to the eastern and southern US.
Colonial Pipeline said on Monday it was only able to bring parts of its system back online, and added service will disrupted until the end of the week.
"This is as close as you can get to the jugular of infrastructure in the United States," says Amy Myers Jaffe, managing director of the Climate Policy Lab. "It's not a major pipeline; it's the pipeline."
Little is known about Darkside, the Eastern European collective that targets businesses using ransomware, a type of computer virus that involves hackers taking control of a computer system and blocking access to it until a ransom is paid.
Evidence from past campaigns show it demanding between $200,000 (£141,000) and $4m to release files and computer systems, often attempting to dress up its criminals in a veneer of respectability. It sends out press releases and offers chat support to victims to help them pay up.
It promises not to target hospitals, non-profits, schools or governments. It even claims to have made donations to charities from the profits of their hacks.
DarkSide also offers to sell its malware to others in what is known as "ransomware-as-a-service," according to the cybersecurity firm Cybereason.
In a message posted on the dark web, where DarkSide maintains a site, the group suggested one of its customers was behind the attack.
Attacks on national infrastructure on the rise
In the latest incident, in which Colonial Pipeline was forced to shut down its system, emergency powers have been enacted by Joe Biden's administration which allow fuel normally transported through pipes to be loaded into trucks for transportation.
Gasoline prices have risen to their highest level since 2018 in a knock-on effect for consumers at the pump.
"If this were a nation state attack it would be incredibly dangerous," says Alan Woodward, a cyber security expert at the University of Surrey. "Physically trying to turn the lights off is a world away from espionage. This takes us away from the kind of 'virtual', victimless cyber attack into something that is very real."
Ransomware attacks on critical national infrastructure are on the rise. In February, for instance, hackers changed the level of sodium hydroxide in water after penetrating cybersecurity at a Florida treatment plant.
Last week, the National Cyber Security Centre (NCSC), part of the Government Communication Headquarters, warned that hackers could bring cities to a standstill by creating ghost traffic jams by turning off green lights. Meanwhile, attackers are targeting police stations, banks and telecommunications networks, threatening to release sensitive data unless a ransom is paid.
"Thwarting cyber-attacks against key utilities and services has never been more critical," says Stuart Reed, director at Orange Cyberdefense.
It comes at a high point in tensions over hacking attacks, both on infrastructure and individuals.
Last month, the US issued financial sanctions against Russia and expelled 10 diplomats for the Kremlin's alleged role in a cyber espionage campaign against the US Government. While DarkSide is believed to be criminal in origin, rather than a so-called "nation state" hacking group, the severity of the shutdown has raised the stakes again.
"We should not underestimate these groups," says Marty Edwards, a cyber security expert at Tenable. "They are essentially full-fledged criminal corporations operating in the digital world."
"It is concerning that a ransomware attack can cause the disconnection of such an important system," adds Ciaran Martin, the former head of the National Cyber Security Centre who is now an advisor to Paladin Capital. "Even before this there were signs that we were waking up to [the problem of ransomware] a bit more. Hopefully this concerning case will add to the momentum."
Some experts believe that, for too long, companies have discretely paid up in ransomware extortion attempts, often while backed up by specialist insurance.
Last week, AXA, the insurance provider, announced that it would stop writing cyber insurance policies in France that reimburse ransoms paid to cyber criminals. Similar moves by rival insurers could increase the economic barrier to working with ransomware gangs.
'Our goal is to make money'
There are also open questions about the response from the White House to the incident. It may have been carried out by cyber criminals, rather than state-backed hackers, but the seriousness of the shutdown is likely to stoke tensions.
"The Russian police is corrupt and inadequately trained to tackle hi-tech crime, so it is rampant," says Richard Walters, the chief technology officer of security business Censornet. "Any security incident is about the impact of the incident. It doesn't matter who the actor was, the outcome is exactly the same."
Biden now faces renewed pressure to stop the tide of cyberattacks originating from Russia, whether criminal or state-backed, especially after the uncovering of the debilitating SolarWinds breach.
For the Darkside hackers, inflaming geopolitical tensions in order to extort a ransom seems to have been a step too far.
On Monday, as the fallout from the ransomware attack continued, the gang posted an almost apologetic message on its website.
"We are apolitical," the hackers wrote, "we do not participate in geopolitics … Our goal is to make money and not create problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."
After a string of successful hacks, the criminals at DarkSide may be uneasy about the impact a full US fightback will have on their profitable enterprise.