CNN reports that ColPipe was founded in 1962 and transports 45 per cent of all gasoline, diesel and jet fuel consumed on the US East Coast. The BBC reported on 9 May 2021 that cyber-criminal gang DarkSide had been officially confirmed as responsible for the incident by the US Federal Bureau of Investigation (FBI). DarkSide is one of many ransomware gangs extorting victims while avoiding targets in post-Soviet states. The groups gain access to private networks, encrypt files using software, and often also steal data and demand payment to decrypt the files and/or ask for additional money not to publish stolen content. ColPipe said it learned about the attack on 7 May 2021. According to Reuters, the hacking group gained access to ColPipe’s cloud computing system and stole over 100 gigabytes (GB) of data which the hackers threatened to leak online. The system was taken offline on 8 May 2021. Reuters also reports that ColPipe's data did not appear to have been transferred from that system to anywhere else, potentially limiting the hackers' leverage to extort or further embarrass the company.
In response to the incident, ColPipe said it had taken certain systems offline to contain the threat which had temporarily halted all pipeline operations and affected some IT systems. ColPipe also engaged third-party firm FireEye Mandiant to investigate the incident and contacted law enforcement and other federal agencies. On 9 May 2021, ColPipe stated that although its four main pipelines remained offline, some smaller inter-terminal lines and delivery points had been re-opened.
The US Department of Energy (DoE) said it was coordinating with ColPipe, US states, and interagency partners to provide situational awareness and support response efforts to the incident. In addition, the DoE was working closely with analysis centres and the energy sector coordinating councils and the sharing of energy information and was monitoring any potential impacts to energy supply. US President Joe Biden was briefed, and the White House had planned for a number of scenarios to help mitigate any potential impact on supply.
The US Department of Transport (USDOT) announced on 9 May 2021 that it had issued a regional emergency declaration following the incident that granted extra work hours for those transporting gasoline, diesel, jet fuel and other refined petroleum products to 18 eastern states.
As of 11 May 2021, ColPipe announced on Twitter that its systems were still not fully functional, and that due to a separate incident unrelated to the ransomware attack its corporate website was experiencing a temporary service disruption. On 13 May 2021, Bloomberg reported that on 7 May 2021, hours after the attack had been discovered, ColPipe paid a USD 5 Deep Dive. Last Update 28 May 2021 million ransom in cryptocurrency to DarkSide. After they had received the payment, the hackers provided ColPipe with a decrypting tool to restore its disabled computer network, but the tool they provided was too slow, so the company used its own backups to help restore the system. Reuters reported that the disruption had lasted a total of six days.
On 19 May 2021, ColPipe's CEO confirmed that he had authorised the payment of a ransom of USD 4,400,000 on 7 May 2021 after an employee found a ransom note from hackers on a control-room computer, as ColPipe's executives were unsure how badly the cyber-attack had breached its systems and therefore how long it would take to bring the pipeline back, The Wall Street Journal reports.
