
Threat Assessment: Aftermath of Cyberattack on US Colonial Pipeline

Kayla Kearns, Sophie Provins, Neoclis Soteriou, Krystel von Kumberg; NORTHCOM, Extremism

May 11, 2021


Colonial Pipeline Company[1]


Summary


The Colonial Pipeline is the largest refined products pipeline in the United States (US), stretching 5,500 miles and transporting more than 100 million gallons of fuel daily to meet the energy needs of consumers from Texas to New Jersey (See Annex A).[2] On Friday, May 7, 2021, a cyber-extortion attempt knocked out a major route for gasoline, diesel, and jet fuel, affecting almost half of the East Coast.[3] The Colonial Pipeline has been shut down ever since. The hackers who forced the shutdown began their intrusion a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment. Colonial took certain systems offline and halted pipeline operations as a precautionary measure to contain the infection, and stated that the ransomware itself did not directly cause the shutdown.[4] On Monday, May 10, 2021, the FBI confirmed that DarkSide ransomware, operated by a criminal group believed to be based in Russia, was responsible.[5] This event is the largest successful cyberattack on oil infrastructure in US history.

  • The Counterterrorism Group (CTG) assesses that a disruption in the distribution of gasoline across the US is highly likely.

  • The pipeline also supplies gasoline to other countries in North America, so the effects of the shutdown are likely to spill over into neighbours such as Canada.

  • Gasoline prices are highly likely to increase, which is likely to lead to a surge in panic buying.

  • Nation-state hackers will almost certainly launch further cyberattacks on the US, likely against its critical infrastructure.

At the same time, the recent cyberattack has triggered a comprehensive federal response focused on securing critical energy supply chains. The White House has released a statement indicating that US President Biden is receiving regular briefings on the incident and has directed agencies across the Federal Government to bring all resources at their disposal to alleviate shortages where they are occurring.[6] While this cyberattack is likely to have short-term effects on the price and availability of fuel throughout the US, those effects are unlikely to persist. The lasting consequence is more likely to be the security implication: further cyberattacks against critical US infrastructure by both state and non-state actors.

The US is also likely to witness further cyberattacks from both nation-states and non-state actors in the near future.


Assessments


Disruption in the Distribution of Gasoline


A disruption in the distribution of gasoline is highly likely following the cyberattack on the Colonial Pipeline, which supplies roughly 45% of the gasoline, jet fuel, and diesel consumed along the US East Coast (See Annex A).[7] The ransomware attack has forced Colonial to shut down operations, with no indication of when the company will be able to fully restart the pipeline. Colonial has stated that there is no shortage of fuel; however, shortages are likely because there are too few drivers to move fuel by road. Prior to the cyberattack, economists had already predicted a likely fuel shortage this summer due to a lack of qualified drivers following the COVID-19 pandemic.[8] Demand for gasoline is expected to be high this summer as COVID-19 restrictions lift and more people travel. According to reports, Florida and Arizona are likely to be the areas most affected by a gasoline shortage, given reduced fuel transport and the seasonal influx of tourists.[9] Should a fuel shortage occur across the US East Coast, it is highly likely to stem from a lack of means to transport fuel rather than from a lack of supply.


The shutdown of the Colonial Pipeline is also likely to disrupt air travel from the East Coast, since the company supplies the majority of the region's jet fuel. Jet fuel prices are likely to rise following the shutdown; the closing price has already climbed to $1.82 per gallon.[10] Air travel may be affected through higher fares driven by jet fuel costs, or through cancellations if fuel runs short before Colonial resolves the issue. Widespread cancellations are unlikely, as many large airlines hold their own backup supplies of jet fuel; smaller airports and private operators are likely to be the most affected should a shortage occur.


Increases in Gasoline Prices


It is highly likely that gasoline prices will increase following the shutdown of the Colonial Pipeline. The American Automobile Association (AAA) has advised the public that prices will likely rise further, having already jumped six cents since the shutdown.[11] While there is not necessarily a shortage of gasoline, distributing it from backup tanks is a slower process, which increases the likelihood of price rises. The East Coast has ample harbors through which to import gasoline and other petroleum products from allies, but doing so would take about two weeks.[12] The longer the pipeline remains shut down, the more likely prices are to rise. The national average price of gasoline is currently $2.962 per gallon, with some states reporting prices above $3.00.[13] States in the southeast are highly likely to be affected first, as most of them rely heavily on the pipeline for their gasoline and diesel.


Panic Buying


It is highly likely that the influence of social media will lead to “panic buying” of gasoline in states affected by the Colonial Pipeline shutdown. Panic buying was evident in March 2020, early in the COVID-19 pandemic, when individuals stockpiled necessities such as toilet paper, other paper goods, and certain foods, resulting in national shortages and purchase limits on those items. Gas stations across the southeastern US have already reported shortages, likely driven by “panic buying” encouraged on social media (See Annex B-D). Panic spreads particularly effectively on social media because it reaches many people in a short time, and when people see others panic buying they are highly likely to feel they ought to as well, which accelerates and amplifies the effect.


The increase in panic buying of gasoline is also likely to lead to price gouging by gas stations and other distributors. Individuals may attempt to stockpile gasoline while it remains at its current price, which brings the shortage forward. Panic buying is highly likely to worsen the problem: it prevents everyone from having access to fuel, accelerates price increases, and prolongs recovery as gas stations struggle to meet the new level of demand. It is also likely to affect transportation more broadly if companies across the US cannot obtain the gasoline needed to move goods, which could further slow recovery.


The Impact of the Attack on Other Nation-States


Although the cyberattack struck critical infrastructure headquartered in Georgia, US, the pipeline supplies gasoline to other countries in North America, so the consequences of the attack are likely to trickle down beyond the US. The price of gasoline in Canada is likely to increase if and when US prices rise as a result of the pipeline cyberattack. This will worsen the longer gasoline shortages persist; sources estimate that the impact will be significant if they last a week.[14] Furthermore, if refineries in Texas slow production, Canada is highly likely to see price increases.[15] A surge of panic buying in either the US or Canada is likely to make this worse.


The impact of the cyberattack on the US pipeline also demonstrates the disruption cyber actors can cause when the target is critical infrastructure.[16] Many countries, including Canada, have connected their critical infrastructure to networked control and business systems. These decisions were made to increase efficiency and reduce costs, but they also expose that infrastructure to cyberattacks from a wide variety of actors, including cybercriminals and nation-states. The disruption caused to the US by this attack is highly likely to inspire similar attacks against other nations. Canada is a notable likely target because of its proximity to the US, although the other Five Eyes nations (the United Kingdom, Australia and New Zealand) are also likely targets. A series of such disruptions across these nations would have a significant impact and strengthen the position of rival nation-states such as Russia and China.


The Role of Nation State Cyber Actors


Nation-state hackers have the greatest capacity to cause significant damage to their targets, owing to resources far larger than those of other types of hackers.[17] The term can refer to actors directly employed by a government or to cyber actors hired so that the state can maintain plausible deniability.[18] There will almost certainly be more nation-state attacks against the US in the coming months, most likely from China, Iran, and Russia. These threats are likely to increase in severity and frequency as President Biden refocuses his policies on the threats posed by these nations, prompting retaliation. President Biden has already described the cyberattack as a ‘criminal act’, indicating that tensions between the US and Russia are likely to rise.[19] However, the Russian state has not yet been publicly confirmed as directing or having ties to the hackers.


The group responsible for this attack is a Russia-based criminal group named DarkSide. CTG assesses that the group was likely acting under the orders or influence of the Russian government, given that Russia has already been blamed for orchestrating the SolarWinds cyberespionage campaign, the biggest hack of the US government in years, which ran for months during the Trump Administration. Analysts studying DarkSide have shown that the ransomware checks the victim system's language settings and aborts if Russian is detected, so the group does not attack Russian organizations.[20] This behaviour is common among Russian-speaking criminal groups seeking to avoid domestic prosecution, and it does not on its own establish state direction. According to BAE Systems, most DarkSide victims have been US companies, but the hackers have also attacked firms in Europe, South Africa, and Brazil.[21] DarkSide typically encrypts the target's network and offers to decrypt it only once a ransom has been paid. The group appears to provide marketing services as well as the ransomware itself, operating as a franchise for affiliates. Although the group claims to be apolitical, targeting such a vital network indicates that its goals are more sinister than simply seeking money.[22] The group also publishes samples of the data it has stolen to pressure victims into paying large sums. At present, the US intelligence community has not identified any connection between DarkSide and the Russian government; CTG assesses that this is likely the result of successful plausible-deniability tactics by the Kremlin. It is highly likely that the US will witness more Russia-based cyberattacks on critical infrastructure in the coming months, causing further disruption and tension.
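The language check described above, reconstructed as an added illustration. This is not DarkSide's code and is not from the original report: it models a locale-based kill switch on top of Windows language identifiers (LANGIDs), where the low 10 bits of a LANGID are the primary language (0x19 is Russian, as defined in winnt.h). Only Russian is supported by the text above; the broader list of CIS languages that real samples are reported to check is an assumption and is left for the caller to supply. The Windows API calls (GetUserDefaultUILanguage, GetKeyboardLayoutList) are real, but the probe returns an empty list off-Windows so the logic can be run anywhere.

```python
"""Illustrative reconstruction (not DarkSide's code) of a locale-based
ransomware kill switch: abort if the victim's UI language or any installed
keyboard layout is Russian.

Windows LANGID layout: low 10 bits = primary language, high bits = sublanguage
(region). 0x0419 is Russian (Russia); 0x0819 is Russian (Moldova).
"""
import sys
import ctypes

PRIMARY_LANG_MASK = 0x3FF
LANG_RUSSIAN = 0x19  # primary language ID for Russian, from winnt.h

# Only Russian is supported by the report text. Real samples are reported to
# use a wider CIS denylist; that list is an assumption and is not hard-coded.
DEFAULT_DENYLIST = frozenset({LANG_RUSSIAN})


def primary_lang(langid: int) -> int:
    """Strip the sublanguage bits from a LANGID (0x0819 -> 0x19)."""
    return langid & PRIMARY_LANG_MASK


def kill_switch_triggered(langids, denylist=DEFAULT_DENYLIST) -> bool:
    """Return True if any LANGID's primary language is on the denylist.

    Matching on the primary language means every regional variant of a
    denylisted language trips the switch, not just the default locale.
    """
    return any(primary_lang(lid) in denylist for lid in langids)


def installed_langids():
    """Collect the UI language plus every keyboard-layout language on Windows.

    Returns an empty list on other platforms so the module stays importable
    and testable off-Windows.
    """
    if sys.platform != "win32":
        return []
    kernel32 = ctypes.windll.kernel32
    user32 = ctypes.windll.user32
    ids = [kernel32.GetUserDefaultUILanguage() & 0xFFFF]
    count = user32.GetKeyboardLayoutList(0, None)
    layouts = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, layouts)
    # The low word of an HKL handle is the input language's LANGID.
    ids.extend(int(h) & 0xFFFF for h in layouts if h)
    return ids


def should_abort(denylist=DEFAULT_DENYLIST) -> bool:
    """The decision the described malware makes before encrypting anything."""
    return kill_switch_triggered(installed_langids(), denylist)


if __name__ == "__main__":
    # Constructed sample: a US English UI (0x0409) with a Russian keyboard
    # layout (0x0419) added.
    sample = [0x0409, 0x0419]
    print("constructed sample trips kill switch:", kill_switch_triggered(sample))
    print("this host would be skipped:", should_abort())
```

Because the check keys on system configuration rather than on who owns the machine, it is a crude targeting filter: it is the kind of self-protection a criminal group uses to avoid prosecution at home, which is why it cannot by itself distinguish a state-directed operation from an ordinary Russian-speaking crew.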


US Change in Cyber Command


In March 2021, the Commander of US Cyber Command (USCYBERCOM), General Paul M. Nakasone, revealed that the organization is shifting its focus from traditional terrorist groups to the threat posed by nation-states, particularly China.[23] This follows the growing number of cyberattacks the US has attributed to China, such as the campaign identified in March 2021 that targeted 30,000 US organizations, including local governments.[24] Although the Colonial Pipeline was targeted by a Russian cyber group, the incident demonstrates that this decision was well placed to meet the cyber threats the US faces today. Cyberattacks on critical infrastructure can have devastating consequences, and this new approach is more likely to succeed in countering them.


There will almost certainly be more cyberattacks against US critical infrastructure, likely from nation-state groups, and the US therefore needs to improve its policies to deal with these threats. However, it should be careful not to underestimate the threat still posed by terrorist groups. The Islamic State of Iraq and Syria (ISIS) is likely to seek to cause disruption in the US through cyber warfare, for example by recruiting insiders who work in critical infrastructure to play key roles in an attack. Cyber security is an increasingly complex field, but the US must stay ahead and plan for all potential threats to reduce the likelihood of a successful attack.


Future Implications


Because the Colonial Pipeline is the most important pipeline for US gasoline, diesel, and jet fuel markets, supplying around 45% of the fuel consumed on the East Coast, DarkSide's ransomware attack against it carries significant risk.[25] The risks include an increased likelihood of fuel shortages, particularly in states such as Florida and Arizona, and nationwide and even international fuel price increases caused by transport constraints and the delay in importing fuel.[26] Some analysts have warned that if the pipeline takes longer than expected to restore service, consumers can “expect higher gasoline prices along the East Coast, especially around Memorial Day” due to heightened demand as COVID-19 restrictions ease.[27] However, there are also indications that the incident is unlikely to have a significant long-term effect on the price or availability of fuel in the US; it will most likely cause short-term disruption and price spikes driven by transport delays and consumer panic buying.


There are also significant security implications, particularly for US cyber security, arising from the ransomware attack on the Colonial Pipeline by the Russia-based criminal group DarkSide. Although the US intelligence community has not yet identified a connection between DarkSide and the Russian government, CTG assesses that such a connection likely exists and that the Russian government is using the group to preserve plausible deniability for the attack.[28] This is likely to further deteriorate relations between Russia and the US, as President Biden has repeatedly taken a tough stance toward President Putin and has called the recent cyberattack a “criminal act.”[29] US national security is also likely to be significantly undermined in the future as more cyberattacks against US critical infrastructure are carried out by Russia, by other state actors such as China and Iran, and by non-state actors such as ISIS.


CTG Efforts


CTG’s Northern Command (NORTHCOM) and Extremism Teams are continuing to monitor the implications of the cyberattack on the pipeline. They are using open-source intelligence (OSINT) and, when required, social media intelligence (SOCMINT) and imagery intelligence (IMINT) to provide thorough analysis based on unbiased information. Our Worldwide Analysis of Threats, Crime, and Hazard (WATCH) Officers provide 24/7 analysis of any risks to national security, including attacks. They also seek evidence of global threats, enabling the organization to monitor the fallout in other North American nations. Our CICYBER Team will continue to monitor the threats posed by nation-state hackers. CTG as a whole will continue to provide analytical and intelligence reports, as well as threat assessments, so that policymakers can make clear and informed decisions and the general public is aware of potential implications.


Annex A-F


A. Reach of The Colonial Pipeline[30]


B. Individuals “panic buying” gasoline in Myrtle Beach, South Carolina[31]


C. Long Gas Stations Lines[32]


D. Citgo Gas Station Lines in Tallahassee, Florida[33]


E. Percent of Gas Stations Without Fuel[34]


F. How it started. How it's going[35]


The Counterterrorism Group (CTG)

[2] Gas Pipeline Hack Leads to Panic Buying in the Southeast, The New York Times, May 2021, https://www.nytimes.com/2021/05/11/business/colonial-pipeline-shutdown-latest-news.html

[3] What We Know About the Colonial Pipeline Shutdown, Intelligencer, May 2021, https://nymag.com/intelligencer/2021/05/what-we-know-about-the-colonial-pipeline-shutdown-updates.html

[4] Ibid.

[5] Ibid.

[6] FACT SHEET: The Biden-Harris Administration Has Launched an All-of-Government Effort to Address Colonial Pipeline Incident, The White House, May 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/11/fact-sheet-the-biden-harris-administration-has-launched-an-all-of-government-effort-to-address-colonial-pipeline-incident/

[7] Colonial Pipeline Officials Say There is No Fuel Shortage Amid Service Disruption, Newsweek, May 2021, https://www.newsweek.com/colonial-pipeline-officials-say-there-no-fuel-shortage-amid-service-disruption-1590191

[8] Gas shortages possible this summer because of a lack of drivers transporting fuel, KMBC News, April 2021, https://www.kmbc.com/article/gas-shortages-possible-this-summer-because-of-a-lack-of-drivers-transporting-fuel/36282522#

[9] Ibid.

[12] Hacked Pipeline May Stay Shut for Days, Raising Concerns About Fuel Supply, The New York Times, May 2021, https://www.nytimes.com/2021/05/09/business/energy-environment/colonial-pipeline-shutdown-gasoline.html

[13] U.S. Southeast braces for fuel price rises after pipeline shutdown, Reuters, May 2021, https://www.reuters.com/business/energy/us-southeast-braces-fuel-price-rises-after-pipeline-shutdown-2021-05-09/

[14] Gas prices and security lessons: What the U.S. pipeline hack means for Canada, Global News, May 2021, https://globalnews.ca/news/7848225/us-colonial-pipeline-hack-gas-prices/

[15] Ibid.

[17] The Nation State Actor has a ‘Licence to Hack’ – and they use it target their adversaries, BAE Systems, n.d., https://www.baesystems.com/en/cybersecurity/feature/the-nation-state-actor

[18] Ibid.

[19] Biden to discuss Russian ransomware hackers with Putin and suggests Moscow bears ‘some responsibility’, Independent, May 2021, https://www.independent.co.uk/news/world/americas/us-politics/biden-russia-ransomware-attack-putin-b1845161.html

[20] Colonial pipeline hack claimed by Russian group DarkSide spurs emergency order from White House, NBC News, May 2021, https://www.nbcnews.com/tech/security/colonial-pipeline-hack-claimed-russian-group-darkside-spurs-emergency-rcna878

[21] DarkSide Hackers Mint Money With Ransomware Franchise, Bloomberg, May 2021, https://www.bloomberg.com/news/articles/2021-05-12/darkside-hackers-mint-money-with-ransomware-franchise

[22] Ibid.

[23] US Cyber Command Gives-Up On Terror Organizations Like Islamic State & Shifts Focus To China, The Eurasian Times, May 2021, https://eurasiantimes.com/why-us-cyber-command-is-more-concerned-about-the-indo-pacific-than-islamic-state/?utm_source=iterable&utm_medium=email&utm_campaign=2310509_

[24] ‘Active threat’: Chinese hackers target 30,000 US entities, Al Jazeera, March 2021, https://www.aljazeera.com/news/2021/3/6/active-threat-chinese-hackers-target-30000-us-entities

[25] Here’s what the Colonial Pipeline cyberattack means for energy markets, MarketWatch, May 2021, https://www.marketwatch.com/story/heres-what-the-shutdown-of-the-colonial-pipeline-means-for-the-gasoline-market-11620668939

[26] Gas shortages possible this summer because of a lack of drivers transporting fuel, KMBC News, April 2021, https://www.kmbc.com/article/gas-shortages-possible-this-summer-because-of-a-lack-of-drivers-transporting-fuel/36282522#

[27] Here’s what the Colonial Pipeline cyberattack means for energy markets, MarketWatch, May 2021, https://www.marketwatch.com/story/heres-what-the-shutdown-of-the-colonial-pipeline-means-for-the-gasoline-market-11620668939

[28] The Nation State Actor has a ‘Licence to Hack’ – and they use it target their adversaries, BAE Systems, n.d., https://www.baesystems.com/en/cybersecurity/feature/the-nation-state-actor

[29] Biden to discuss Russian ransomware hackers with Putin and suggests Moscow bears ‘some responsibility’, Independent, May 2021, https://www.independent.co.uk/news/world/americas/us-politics/biden-russia-ransomware-attack-putin-b1845161.html

[30] The federal government is helping the operator of a major pipeline system that shut down on Friday after a Russian ransomware attack. The Colonial Pipeline stretches from Texas to New Jersey and carries nearly half of East Coast driving and flying fuel tweet by USA Today Graphics, Twitter, May 2021 https://twitter.com/usatgraphics/status/1391862163627782146

[31] No need to wonder why there's a #gasshortage on the east coast. Ole buddy had eight containers lined up at the Murphy across from Tanger 17 in Myrtle Beach tweet by TJ Lundeen, Twitter, May 2021 https://twitter.com/lundeentj/status/1391882331930169344

[32] My parents told me about living in the 1970s and going through gas lines. So, this is where I started to get in line to get gas for my little car. As you can see, you can't see the gas station from here, but it is moving at least. I wonder if I will get gas tweet by WolfWithCoffee, Twitter, May 2021 https://twitter.com/WolfWithCoffee/status/1391882548972859398

[33] Are you still seeing lines for gas in your area? These photos were taken at the Citgo on Capital Circle NE in Tallahassee around 9 a.m. tweet by WCTV Eyewitness News, Twitter, May 2021 https://twitter.com/WCTV/status/1392114627878825992

[34] Latest figures of % of stations without fuel tweet by Patrick De Haan, Twitter, May 2021 https://twitter.com/GasBuddyGuy/status/1392122538571010051

[35] How it started. How it's going tweet by Linda Childers, Twitter, May 2021 https://twitter.com/lindarchilders/status/1392260126464036866?s=11


