Colonial Pipeline Hackers Stole Data on Thursday


The hackers who caused Colonial Pipeline to shut down the biggest U.S. gasoline pipeline on Friday began their blitz against the company a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment, according to people familiar with the matter.

Ransomware is a type of malware designed to lock down systems by encrypting data, with the attackers then demanding payment to regain access. According to the investigators, the hackers took nearly 100 gigabytes of data from the Alpharetta, Georgia-based company’s network in two hours on Thursday.

Bloomberg quoted people familiar with the investigation saying that the move was part of a double-extortion scheme. Besides threatening to keep the company’s information locked, the hackers also threatened to leak the data to the internet unless they were paid a ransom.
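The exfiltration stage described above is the part of a double-extortion attack that a network defender can still catch before the ransomware is triggered: moving on the order of 100 GB out of a network in two hours is a volume spike that stands out against a host's normal egress. The following is an added example, not code from the article, from Colonial Pipeline or from Mandiant. It assumes NetFlow-style records reduced to (timestamp, source host, destination IP, bytes sent), a hypothetical per-host two-hour egress budget of 20 GB, and hypothetical internal address ranges; the flow records are constructed for the example.

```python
"""Flag hosts whose outbound volume to external addresses spikes inside a time window.

Added example (not from the article). Assumptions: flow records are tuples of
(ISO timestamp, source host, destination IP, bytes sent); INTERNAL_NETS and
THRESHOLD_BYTES are hypothetical values a defender would tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical internal ranges; traffic to these is not counted as egress.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WINDOW = timedelta(hours=2)
THRESHOLD_BYTES = 20 * 1024**3  # hypothetical 2-hour egress budget per host

# Constructed sample flow records: (timestamp, source host, destination IP, bytes sent).
SAMPLE_FLOWS = [
    ("2021-05-06T09:00:00", "fileserver-01", "10.0.5.20", 5 * 1024**3),      # internal copy, ignored
    ("2021-05-06T09:10:00", "fileserver-01", "203.0.113.7", 40 * 1024**3),   # external transfer
    ("2021-05-06T10:05:00", "fileserver-01", "203.0.113.7", 55 * 1024**3),   # external transfer
    ("2021-05-06T09:30:00", "workstation-12", "198.51.100.9", 300 * 1024**2),  # normal-sized upload
    ("2021-05-06T15:00:00", "fileserver-01", "203.0.113.7", 1 * 1024**3),    # later, outside the spike
]


def is_external(dst_ip):
    """True when the destination is not in any internal range."""
    addr = ip_address(dst_ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_egress(flows):
    """Group external transfers by source host as time-sorted (timestamp, bytes) lists."""
    per_host = defaultdict(list)
    for ts, host, dst_ip, nbytes in flows:
        if is_external(dst_ip):
            per_host[host].append((datetime.fromisoformat(ts), nbytes))
    for events in per_host.values():
        events.sort()
    return per_host


def peak_window(events, window):
    """Largest byte total sent in any interval of length `window` (sliding two-pointer scan).

    Returns (peak_bytes, start_timestamp_of_peak_window).
    """
    best_bytes, best_start = 0, None
    total, start = 0, 0
    for ts, nbytes in events:
        total += nbytes
        # Drop events that have fallen out of the window ending at `ts`.
        while ts - events[start][0] > window:
            total -= events[start][1]
            start += 1
        if total > best_bytes:
            best_bytes, best_start = total, events[start][0]
    return best_bytes, best_start


def flag_exfil(flows, window=WINDOW, threshold=THRESHOLD_BYTES):
    """Return [(host, window_start, bytes)] for hosts whose peak egress meets the threshold,
    highest volume first."""
    alerts = []
    for host, events in external_egress(flows).items():
        peak, start = peak_window(events, window)
        if peak >= threshold:
            alerts.append((host, start, peak))
    return sorted(alerts, key=lambda alert: alert[2], reverse=True)


if __name__ == "__main__":
    for host, start, nbytes in flag_exfil(SAMPLE_FLOWS):
        print(f"{host}: {nbytes / 1024**3:.0f} GiB to external addresses "
              f"in the {WINDOW} starting {start:%Y-%m-%d %H:%M}")
```

The check deliberately ignores transfers to internal ranges, so a large backup to an internal server does not trip it, and it keys on a sliding window rather than a daily total because the tell in this kind of incident is the rate, not the cumulative amount. In production the threshold would come from each host's own baseline and the flow source from a collector, not an inline list.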

Colonial’s decision late Friday to shut down a pipeline that is the main source of gasoline, diesel and jet fuel for the East Coast, without saying when it would reopen, represents a dangerous new escalation in the fight against ransomware, which President Joe Biden’s administration has identified as a priority. It’s not clear how much money the attackers demanded or whether Colonial has paid. Ransomware demands can range from several hundred dollars to millions of dollars in cryptocurrency. Many companies pay, often facilitated by their insurers.

AXA, one of Europe’s top insurance companies, said last week that it would break with that trend and stop offering policies in France that reimburse customers for payments made to ransomware hackers, in what could be a first for the industry, the Associated Press reported.

Cyberattacks have disrupted the operations of other energy assets in the U.S. in recent years. Last year, the Department of Homeland Security revealed that an attack brought down an unnamed natural gas compressor facility for two days. In April 2018, several natural gas pipeline operators had service interruptions because of the hack of a third-party provider whose technology enables electronic communications between the entities.

The theft of Colonial’s data, coupled with the detonation of ransomware on the company’s computers, highlights the leverage that hackers often have over their victims in these kinds of cases. The company said FireEye Inc’s Mandiant digital forensics division is assisting with the investigation. The White House said that Mr Biden was briefed on the incident on Saturday morning. A series of major cyberattacks in recent weeks also underscored the brazenness of the attackers and the challenges of tackling the problem of ransomware.

Colonial Pipeline is a private company owned by CDPQ Colonial Partners, LP; IFM (US) Colonial Pipeline 2, LLC; KKR-Keats Pipeline Investors, LP; Koch Capital Investments Company, LLC; and Shell Midstream Operating, LLC, according to the company’s website.