Top US fuel pipeline still working on recovery from massive ransomware attack

Colonial Pipeline, top US fuel pipeline operator, continued work on Sunday to recover from a ransomware cyberattack that forced it to shut down on Friday and sparked worries of a spike in retail gasoline prices.

The incident is one of the most disruptive digital ransom operations ever reported and has prompted calls from American lawmakers to tighten up protection for critical US energy infrastructure against hackers.

Colonial said on Saturday it was "continuing to monitor the impact of this temporary service halt" and to work to restore service. It did not give an estimate for a restart date.

Colonial moves 2.5 million barrels per day of gasoline and other fuels from refiners on the Gulf Coast to consumers in the eastern and southern United States. It also serves some of the largest US airports, including Atlanta's Hartsfield Jackson Airport, the world's busiest by passenger traffic.

Read more: Ransomware attack shuts down top US fuel pipeline network

Retail fuel experts including the American Automobile Association said an outage lasting several days could have significant impacts on regional fuel supplies, particularly in the US Southeast.

While the US government investigation is in early stages, a former US official and two industry sources said the hackers are likely a professional cybercriminal group and that a group dubbed "DarkSide" was likely among the potential suspects.

DarkSide is known for deploying ransomware and extorting victims while avoiding targets in post-Soviet states. Ransomware is a type of malware designed to lock down systems by encrypting data and demanding payment to regain access.

Cybersecurity firm FireEye has also been brought in to respond to the attack, according to the two industry sources. FireEye declined to comment. Colonial said late on Saturday it was working with a "leading, third-party cybersecurity firm," but did not name the firm.

Bloomberg News, citing people familiar with the matter, reported late on Saturday that the hackers are part of DarkSide and took nearly 100 gigabytes of data out of Colonial's network on Thursday ahead of the pipeline shutdown.

Colonial did not immediately reply to an email from Reuters seeking comment outside usual US business hours.

Also read: Firms in India are facing more cyberattacks than any other country, says Acronis survey

US President Joe Biden was briefed on the incident on Saturday morning, a White House spokesperson said, adding that the government was working to try to help the company restore operations and prevent supply disruptions.

The privately held, Georgia-based company is owned by CDPQ Colonial Partners L.P., IFM (US) Colonial Pipeline 2 LLC, KKR-Keats Pipeline Investors L.P., Koch Capital Investments Company LLC and Shell Midstream Operating LLC.

Gasoline futures and diesel futures on the New York Mercantile Exchange rose on Friday after the outage was reported. In previous Colonial outages, retail prices have risen substantially, if briefly.

Oil refining companies contacted by Reuters on Saturday said their operations had not yet been impacted.