Colonial Pipeline attack places spotlight on cybersecurity in US

Governor Brian Kemp has extended his executive order declaring a state of emergency because of the Colonial Pipeline shutdown.

The order suspended the collection of Georgia's gas taxes and waived weight limits for trucks carrying fuel in the state.

It was set to expire Saturday at midnight, but the order will now last through next week.

The state collects a gasoline tax of 28.7 cents a gallon and a diesel tax of 32.2 cents a gallon. 

"I continue to ask Georgians to only purchase the fuel they need for essential travel through the upcoming weekend," the governor said in a statement.

Gas prices in Georgia were averaging $2.98 a gallon Tuesday, according to AAA. That’s a 23-cent jump since last week.

A cyberattack by hackers who lock up computer systems and demand a ransom to release them hit the pipeline on May 7. The hackers didn’t take control of the pipeline’s operations, but Colonial shut it down to prevent the malware from impacting its industrial control systems. Though the pipeline operator paid a ransom, restoring service was taking time.

Georgia-based Colonial Pipeline reported making "substantial progress" in restoring full service, two people briefed on the matter confirmed that the company had paid the criminals a ransom of about $5 million in cryptocurrency for the software decryption key required to unscramble their data network. The people spoke on condition they not be further identified because they were not authorized to divulge the information. Bloomberg first reported the payment.

President Joe Biden declined to comment when asked by a reporter Thursday if he had been briefed about the ransom payment.

Biden also said that his administration will try to disrupt the hackers’ ability to operate.

The tracking service on Friday showed that 88% of gas stations were out of fuel in the nation’s capital, 45% were out in Virginia and 39% of Maryland stations were dry. About 65% of stations were without gas in North Carolina, and nearly half were tapped out in Georgia and South Carolina.

Colonial said Thursday that operations had restarted and gasoline deliveries were being made in all of its markets, but it would take "several days" to return to normal.

White House press secretary Jen Psaki said at a Friday briefing that "the vast majority of markets and affected regions are receiving fuel at gas stations for consumers, and will continue to receive more fuel throughout the weekend and into early next week."

Biden said U.S. officials do not believe the Russian government was involved, but said "we do have strong reason to believe that the criminals who did the attack are living in Russia."

Biden has promised aggressive action against DarkSide, the Russian-speaking ransomware syndicate responsible for the attack. The syndicate’s public-facing darknet site went offline on Thursday, and its operators said in a cybercriminal forum post that the group had lost access to it and would be shutting down.

This does not necessarily mean U.S. or allied cyberjockeys knocked it offline. Cybersecurity experts said that DarkSide, which rents out its ransomware to partners to carry out the actual attacks, could have taken it down to prevent Western law enforcement from tracking down the rest of its infrastructure.

It could also be an "exit scam," many noted. Ransomware gangs have dissolved and ‘rebranded’ under different names in the past when the heat was on.

Yelisey Boguslavskiy, director of research of the cybersecurity firm Advanced Intelligence, noted that the moderator of a top darknet forum for Russian-speaking cybercriminals, XSS, said Thursday that "he was officially prohibiting all ransomware-related activity and discussion on the forum."

That could suggest fears of a U.S. crackdown — or pressure from the Kremlin. While there is no indication the Kremlin benefits from ransomware extortion, U.S. officials say ransomware gangs are tolerated by Russia’s security services, which have employed some of their members.

DarkSide stole information from Colonial’s network prior to locking up the data on Friday. DarkSide is among the ransomware gangs that employ double extortion, threatening to dump online sensitive data they steal before activating the ransomware. In Colonial’s case, that could potentially include data on contracts with suppliers that would be of keen interest to stock and commodities traders.

The Colonial Pipeline system stretches from Texas to New Jersey and delivers about 45% of the gasoline consumed on the East Coast.

Richard Joswick, global head of oil analytics at S&P Global Platts, said gas stations should be back to normal next week if the pipeline restart goes as planned and consumers are convinced they no longer need to panic-buy fuel. Full recovery would take several more weeks, he estimated.

The Associated Press contributed to this report

WATCH: FOX 5 Atlanta live news coverage


Sign up for FOX 5 email alerts

Download the FOX 5 Atlanta app for breaking news and weather alerts.