
Colonial Pipeline: That is why the cyber attack in the USA is a warning shot for Germany

2021-05-13T10:44:38.552Z


Online criminals have paralyzed the company that operates the largest US pipeline. What are the consequences? And how threatening is ransomware for German companies? Answers to the most important questions.


"Warning": In a meadow in Maryland, a warning sign indicates an underground gasoline pipeline

Photo: JIM LO SCALZO / EPA

What happened?

Colonial Pipeline, the company operating one of the most important pipelines in the United States, has been the victim of a hacker attack using extortion malware, known as ransomware.

The attack paralyzed the IT systems of the Georgia-based company, and almost 100 gigabytes of internal data are said to have been exfiltrated.

In particularly critical infrastructure, the industrial control systems that actually run the plant are usually segregated from the rest of the IT network. As a precaution, Colonial Pipeline nonetheless took its pipeline network out of operation. The result: for the time being, large quantities of oil and gasoline on the American east coast have to be moved by road tanker.

The hacking expert Kim Zetter spoke for her newsletter "Zero Day" with an informant who works for an oil company that feeds gasoline into the pipeline. That insider told Zetter that his company had not yet received any information on when the pipeline would be usable again. The talk was that it would take longer than a day or two, but less than six weeks. His company now has to weigh what to do with the oil and gasoline in its tanks, the informant said. The incident thus puts far more companies under pressure than just Colonial Pipeline.

Neil Wilson, chief analyst of the online broker Markets.com, warns that even the increased distribution of fuel by tanker truck could not make up for the lost pipeline capacities. For the time being, prices for petroleum products must therefore continue to rise. The gasoline futures contract was up more than four percent on Monday to a three-year high of $ 2.217 a gallon. At $ 2.0776, heating oil was as expensive as it was a year and a half ago.

Around half of the fuel for the US east coast is transported through the Colonial Pipeline network.

Most of the pipelines run underground.

In terms of the volume transported, the pipeline, which runs for more than 8,800 kilometers from Houston in the state of Texas to New York, is the largest in the USA.

Normally, more than 2.5 million barrels of gasoline, diesel, kerosene and other petroleum products are transported through it every day.

A barrel is 159 liters.

What exactly is ransomware?

Ransomware is malware that gets onto a computer, or spreads across an entire corporate network, for example when someone opens a malicious email attachment.

Classic ransomware then encrypts files and drives.

The perpetrators offer their victims, in return for a ransom payment, a key with which the files can be decrypted again.

A ransomware attack can be very disruptive and expensive, especially for companies without backups kept separate from the network.
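To make the encryption mechanic above concrete from the defender's side, here is an added example, written for this page and not taken from the SPIEGEL article or any product: a detection heuristic run over constructed file-audit events. Ransomware rewrites many files in a short burst, and the rewritten contents look like random bytes because they are ciphertext, so the rule flags a host that writes several near-random files with an unfamiliar extension inside a sliding window. Host names, paths, the event layout and the thresholds are assumptions.

```python
"""Heuristic for spotting ransomware-style mass encryption on a file share.

Added illustration, not code from SPIEGEL or any vendor. The audit events
below are constructed; host names, paths and the field layout are
hypothetical. Two signals are combined: freshly written files whose
contents look like random bytes (high Shannon entropy, as ciphertext does)
and whose names gained an extension the organisation does not normally use.
"""
import hashlib
import math
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions that are normal on this (hypothetical) share.
KNOWN_EXT = {".xlsx", ".docx", ".pdf", ".txt", ".csv"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def random_like(seed: str, size: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext: SHAKE256 output is uniformly
    distributed, so it has the entropy profile of an encrypted file."""
    return hashlib.shake_256(seed.encode()).digest(size)


def detect_mass_encryption(events, window_seconds=60, min_files=5,
                           min_entropy=7.0):
    """Return {host: window_start} for each host that, inside a sliding
    window of window_seconds, wrote at least min_files distinct files with
    near-random content and an extension outside KNOWN_EXT.

    events: iterable of (iso_timestamp, host, path, bytes_written).
    """
    recent = defaultdict(deque)   # host -> deque of (timestamp, path)
    alerts = {}
    for ts_str, host, path, data in sorted(events, key=lambda e: e[0]):
        ext = os.path.splitext(path)[1].lower()
        # Normal extensions and compressible (low-entropy) content are
        # ignored; a single archive or image write is not yet suspicious.
        if ext in KNOWN_EXT or shannon_entropy(data) < min_entropy:
            continue
        ts = datetime.fromisoformat(ts_str)
        window = recent[host]
        window.append((ts, path))
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()
        distinct = {p for _, p in window}
        if host not in alerts and len(distinct) >= min_files:
            alerts[host] = window[0][0].isoformat()
    return alerts


def _encrypted_write(ts, n):
    # Hypothetical host "ws-142" rewriting documents with a ".locked" suffix.
    return (ts, "ws-142", f"/share/finance/doc{n}.xlsx.locked",
            random_like(f"doc{n}"))


# Constructed sample: benign activity on two hosts, one mass-encryption burst.
SAMPLE_EVENTS = [
    ("2021-05-07T05:12:01", "fs01", "/share/finance/q1.xlsx",
     b"Quarterly report, cash flow and margins\n" * 100),
    ("2021-05-07T05:12:30", "ws-007", "/share/it/backup.7z",
     random_like("backup")),           # one archive: high entropy, not a burst
    ("2021-05-07T05:12:45", "fs01", "/share/hr/notes.txt",
     b"Meeting notes, nothing unusual.\n" * 50),
    _encrypted_write("2021-05-07T05:13:00", 1),
    _encrypted_write("2021-05-07T05:13:05", 2),
    _encrypted_write("2021-05-07T05:13:09", 3),
    _encrypted_write("2021-05-07T05:13:14", 4),
    _encrypted_write("2021-05-07T05:13:20", 5),
    _encrypted_write("2021-05-07T05:13:26", 6),
]


if __name__ == "__main__":
    for host, start in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: mass-encryption burst starting {start}")
```

Run as a script it reports the single burst from "ws-142" and stays silent about the lone archive written by "ws-007". The entropy test alone is not enough: compressed archives, images and disk images are also near-random, which is why the rule additionally requires an unusual extension and several files in a short window. The thresholds are starting points to tune against a real share's normal write rate.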

There are both wide-spread campaigns, in which individual computer users or companies are hit by ransomware indiscriminately, and targeted attacks, in which the attackers carefully select their victims in advance.

In recent years there has been a trend towards attackers no longer merely blackmailing companies by encrypting their files.

Increasingly, they also threaten to publish the stolen data if no ransom is paid; IT security companies speak of "double extortion".

Such schemes work best against companies that handle confidential information or large amounts of personal data, i.e. where a leak would cause lasting damage to their reputation.

One example of a firm facing "double extortion" is the law firm Grubman Shire Meiselas & Sacks, whose clients included music and film stars such as Madonna.

What is known about the attackers?

According to media reports, a relatively new group of cyber criminals called DarkSide is behind the attack on Colonial Pipeline.

According to the IT security company Cybereason, which specializes in defending against ransomware, the group works on the ransomware-as-a-service (RaaS) principle, i.e. it rents out its ransomware to other criminals.

The group, presumed to be based in Russia, operates very professionally.

According to Cybereason, it not only advertises its services and announces new versions of its software in hacker forums, but also runs a so-called affiliate program through which customers who recruit new customers are rewarded.

The group allegedly even operates a support hotline that victims of its ransomware can use to negotiate ransom payments.


In addition, DarkSide has committed itself to attacking only "the right" targets with its malware.

According to Cybereason, this means large, profitable companies.

To select suitable targets, the hackers apparently conduct extensive research beforehand.

The ransom DarkSide demands is usually between $200,000 and $2 million.

According to a post in a hacker forum, the attackers donate part of their loot to charitable organizations.

Two screenshots are meant to prove donations of more than 80,000 euros to two organizations so far.

According to Cybereason, however, the organizations refused to accept the funds, citing their origin.

In response to a SPIEGEL inquiry on Monday, the Federal Office for Information Security (BSI) said that, by its own assessment, attacks with DarkSide ransomware were "opportunistic": so far the BSI has assumed that they are "not directed at a particular country or sector", a spokesman said.

Nor is the malware known to specialize in industrial control systems.

How did the pipeline operators and the US government react?

The US government declared a regional emergency on Sunday.

Under that declaration, fuel can now be transported by road to the affected states, including Florida, Texas, New York, Washington and Pennsylvania.

US Secretary of Homeland Security Alejandro Mayorkas also called on other companies to be vigilant and to protect themselves against extortion malware and other types of cyberattack.

Colonial Pipeline discovered the hacker attack on Friday.

The company informed the authorities and called in the well-known IT security company FireEye for help.

On Sunday, a statement from Colonial Pipeline said that maintaining the operational reliability of the pipeline and the safe restart of its IT systems were currently the highest priority.

"While our main lines are still out of service, some smaller lateral lines between terminals and delivery points are now back in service," the company said.

It was grateful "for the patience and the great support that we have received from others in the industry."

Can something like this also happen in Germany?

There are numerous victims of ransomware attacks worldwide, from police authorities to city administrations and car manufacturers. In Germany, too, such attacks are a widespread problem from which no industry is safe. Recently, for example, two large German media companies, Funke Mediengruppe and Madsack, had problems with ransomware that restricted the production of their newspapers. And in 2020 the Technische Werke Ludwigshafen, a municipal utility that supplies around 100,000 households with energy and drinking water, was blackmailed by hackers. 500 gigabytes of data were exfiltrated.

In the same year, a ransomware attack that paralyzed the computer systems of the Düsseldorf University Hospital made headlines far beyond Germany.

Operations had to be postponed, treatments canceled, and ambulances stopped bringing patients to the clinic.

A 78-year-old emergency patient who was about to be admitted was diverted to Wuppertal during the IT outage and died after the transport.

The case was widely reported as the first ransomware attack to result in a death, although experts later assumed that the woman would have died even without the detour.


Nevertheless, one thing is clear: the incident was a warning signal that must be taken seriously, a sign that ransomware attacks can also endanger human lives, even if the criminals behind them are primarily after money. And the pipeline failure in the USA should prompt self-critical reflection in Germany as well. The attack on Colonial Pipeline shows that critical infrastructure can in practice be brought to a standstill even if attackers only compromise the ordinary IT systems around it, not the control systems themselves.

In its 2020 national situation report on cybercrime, the Federal Criminal Police Office (BKA) wrote that ransomware was and remained "the" threat to businesses and public institutions: as early as 2019, seven of the twelve "formative cyber attacks" in Germany involved ransomware infections. Among those attacks the BKA counted, among others, an attack on the south-western operating company of the German Red Cross.

Arne Schönbohm, head of the Federal Office for Information Security, told SPIEGEL on Monday that cyberattacks on critical infrastructure were "a realistic scenario that should be taken seriously, even in Germany": "In particular, the development of attacks with ransomware is progressing rapidly." With regard to operators in the mineral oil sector, Schönbohm also emphasized that they attach great importance to cybersecurity.

with material from dpa and Reuters

Source: spiegel
