The cyber attack that shut down the Colonial pipeline, causing a gas panic and stoking fears of gasoline shortages, didn’t actually shut down the pipeline. It hit the billing system at the Colonial Pipeline Co., which shut the pipeline down itself because it was worried about how it would collect payments.
(It’s Memorial Day, so we’re running some of our favorite posts from the last few months while we watch Indy, eat garbage and hug/hi-five our troop friends and family. We hope you’re having a lovely holiday weekend!)
Yes, the fuel-carrying pipeline was shut down last week in order to prevent a company that is entrusted with what should be a public utility from enduring an accounting headache.
The company halted operations because its billing system was compromised, three people briefed on the matter told CNN, and they were concerned they wouldn’t be able to figure out how much to bill customers for fuel they received.
One person familiar with the response said the billing system is central to the unfettered operation of the pipeline. That is part of the reason getting it back up and running has taken time, this person said.
Asked about whether the shutdown was prompted by concerns about payment, the company spokesperson said, “In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems.”
At this time, there is no evidence that the company’s operational technology systems were compromised by the attackers, the spokesperson added.
Zetter had already pointed out, in a report that predates CNN’s, that the affected system handled billing, citing Colonial itself. The company said that the hack affected its corporate network and not the operation of the pipeline:
In a statement published Saturday, it said the ransomware infected only its corporate IT network. Although the operational network that controls its pipelines and distributes fuel is separate from the corporate network and wasn’t infected, Colonial said it temporarily shut down the pipelines as a precaution to prevent the infection from spreading.
Meaning that the pipeline itself was fine, and all its gasoline was just sitting there.
Meanwhile, Colonial had to get its corporate network running in order to process what amount of fuel went to which of its clients, as Zetter noted:
Colonial’s operational network uses automation systems to control and monitor the flow of fuel from refineries and tank farms into Colonial’s pipeline, and from Colonial’s pipeline into the tanks and transportation facilities belonging to suppliers and distributors.
As if that weren’t enough, CNN also disclosed that the hackers who breached Colonial’s automated billing were likely “novices” who miscalculated their own actions:
Among the signs that the hackers were novices is the fact that they chose a high-risk target that deals in a low-margin business, meaning the attack was unlikely to yield the kind of payout experienced ransomware actors are typically looking for, the sources told CNN.
“This was a gross miscalculation on the hackers’ part,” a source previously told CNN, noting the hackers likely had not anticipated that their attack would lead to the shutdown of one of the US’ largest refined products pipeline systems, spurring emergency White House meetings and a whole-of-government response.
Zetter quoted the hackers, who even supplied a press release. In that release, the “novice” hackers reminded Colonial that doing its business harm was not in their best interest. They went on to refer Colonial to their support team, which was available via chat and could answer any questions Colonial had:
“We do not want to kill your business,” they wrote.
“Before an attack, we carefully analyze your accountancy and determine how much you can pay based on your net income. You can ask all your questions in the chat before paying and our support will answer them.”
I can’t get over this exchange, where the hackers are blasé about the billing breach and refer Colonial to their customer service as if this were some broadband outage from a shitty ISP.