ATLANTA -- The operator of the nation's largest gasoline pipeline, which was hit May 7 by a ransomware attack, announced Saturday that it has resumed "normal operations" in delivering fuel to its markets, including a large swath of the East Coast.
Georgia-based Colonial Pipeline had begun the process of restarting the pipeline's operations on Wednesday evening, warning it could take several days for the supply chain to return to normal.
[Video not showing up above? Click here to watch » https://www.youtube.com/watch?v=_yCO5ET7GEA]
"Since that time, we have returned the system to normal operations, delivering millions of gallons per hour to the markets we serve," Colonial Pipeline said in a tweet Saturday. Those markets include Texas, Louisiana, Mississippi, Alabama, Tennessee, Georgia, South Carolina and North Carolina, Virginia, Maryland, Delaware, Pennsylvania, New Jersey and Washington, D.C.
"All of these markets are now receiving product from our pipeline," the company said, noting that its employees across the pipeline "worked safely and tirelessly around the clock to get our lines up and running."
Gas shortages that spread from the South, all but emptying stations in Washington, D.C., have been easing since a peak on Thursday night. Energy Secretary Jennifer Granholm said Friday that the nation is "over the hump" on gas shortages, with about 200 stations returning to service every hour. Nearly 2,000 outlets ran out of fuel.
"It's still going to work its way through the system over the next few days, but we should be back to normal fairly soon," she said.
As of Saturday, however, about 44% of Georgia's gas stations were still without fuel, according to Patrick De Haan, head of petroleum analysis for GasBuddy.
He expected that figure to drop as more stations receive shipments this weekend.
Some stations were still out of gas in Raleigh, N.C., on Saturday. Driver Jermaine Barnes told the CBS 17 news station that the shortage has made him more conservative with his trips.
"I'm not going places I don't need to go," he said. "I'm not visiting people. I'm watching where I'm driving. I'm doing everything different right now."
Granholm, like other Biden administration officials, urged drivers not to panic or hoard gasoline.
"Really, the gasoline is coming," she said. "If you take more than what you need, it becomes a self-fulfilling prophecy in terms of the shortages. Let's share a little bit with our neighbors, and everybody should know that it's going to be OK in the next few days."
Martha Meade, manager for public and government relations at AAA Mid-Atlantic, said many gas stations in the Virginia area still did not have gas on Saturday. But she said that "lines have diminished from the height of the crisis" and that "panic buying has subsided."
Prices at the pump have stabilized. Average prices of regular gasoline in Tennessee and South Carolina, two of the hardest-hit states, rose by only a penny on Saturday, according to the AAA motor club. Nationwide, gasoline prices remained stable at $3.04, 8 cents higher than a week ago. Prices in the states most affected by the shutdown rose by as much as 20 cents a gallon in the past week.
Georgia Gov. Brian Kemp on Friday extended the suspension of the state's gas tax to help control the price of fuel. His new executive order also extended an increase in weight limits for trucks carrying fuel and prohibited price gouging. A previous executive order had been scheduled to expire Saturday.
The Biden administration on Thursday approved a waiver to allow a foreign tanker to deliver gas to an East Coast seaport, and it may approve more waivers. Federal trucking rules also have been relaxed.
"The idea is to look at every ... tool we have to help mitigate the shortage and get back to normal as quickly as we can," Transportation Secretary Pete Buttigieg said Friday afternoon.
HACKING GROUP
Federal authorities have linked the ransomware attack to a criminal hacking group called DarkSide, based in Eastern Europe and possibly Russia. President Joe Biden said U.S. officials do not believe the Russian government was involved but that "we do have strong reason to believe that the criminals who did the attack are living in Russia."
The hackers didn't take control of pipeline operations, but Colonial Pipeline shut it down to prevent malware from affecting industrial control systems.
To free up its computer systems, Colonial Pipeline paid the extortionists about 75 bitcoins, or nearly $5 million, according to people briefed on the transaction. The decision allowed the company to get gas flowing again, but it may have complicated the Biden administration's efforts to stave off new attacks.
In a statement Friday, a Colonial spokeswoman said, "There is an ongoing investigation, and we're not commenting on the ransom."
DarkSide has announced that it is shutting down because of unspecified "pressure" from the United States.
In a statement written in Russian and provided to The New York Times on Friday by the cybersecurity firm Intel 471, DarkSide said it had lost access to the public-facing portion of its online system, including its blog and payment server, as well as funds that it said had been withdrawn to an unknown account. It said the group's main webpage and other public-facing resources would go offline within 48 hours.
"Due to the pressure from the U.S., the affiliate program is closed," the statement said, referring to the intermediary hackers, or so-called affiliates, whom it works with to break into corporate computer systems. "Stay safe and good luck."
What that pressure may have been is unclear, but on Thursday, Biden said the United States would not rule out a retaliatory strike against DarkSide that would "disrupt their ability to operate."
White House spokeswoman Jen Psaki said the administration was waiting for recommendations from U.S. Cyber Command, but government officials on Friday declined to comment further about whether any action had been taken.
Cybersecurity analysts cautioned that the DarkSide statement could be a ruse, allowing its members to regroup and deflect the negative attention caused by the attack. Even if DarkSide has shut down, the threat from ransomware has not passed. Cybercriminal networks often disband, regroup and rebrand themselves in an effort to throw off law enforcement authorities, cybersecurity experts say.
"It's likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways," said Mark Arena, Intel 471's chief executive. "A number of the operators will most likely continue to operate in their own close-knit groups, resurfacing under different aliases and ransomware names."
Elliptic, a computer security company specializing in cryptocurrency, said that since the DarkSide account was opened in March, it had received $17.5 million from 21 Bitcoin wallets, indicating the number of ransoms it had collected just this spring. Cybersecurity analysts assess that the group has been active since at least August and has most likely used a number of different Bitcoin wallets to receive ransoms.
Nonetheless, the intense scrutiny that followed the Colonial Pipeline attack has unsettled ransomware groups. Last week, the operators behind two major Russian-language ransomware platforms, REvil and Avaddon, announced strict new rules governing the use of their products, including bans on targeting government-affiliated entities, hospitals or educational institutions.
GROWING THREAT
The Energy Department is leading the federal response to the ransomware attack. Granholm said the incident shows the vulnerability not only of U.S. infrastructure, but also personal computers. Her 86-year-old mother recently suffered a ransomware attack on her iPad, Granholm said.
"So it's just happening everywhere," she said. "All these cybercriminals see an opportunity in the cloud and in our connectivity. And so we all have to be very vigilant. That means we've got to have security systems on our devices, and individually we shouldn't be clicking on any email with attachments from people you don't know. I mean it's just around us."
Biden signed an executive order on cybersecurity last week, and the Energy Department and other agencies are working to protect critical infrastructure, she said.
Much of the U.S. pipeline infrastructure is privately owned. The chairman of the Federal Energy Regulatory Commission, which oversees interstate pipelines, said last week that the U.S. should establish mandatory cybersecurity standards for pipelines similar to those in the electricity sector.
"Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors," commission Chairman Richard Glick said.
"We definitely have to look at it," Granholm said Friday, adding that pipeline organizations have voluntary standards. "Even though it may be privately owned, the public uses it. So I think we have to look at that, making sure that they abide by the latest and greatest."
John Stoody, a spokesman for the Association of Oil Pipe Lines, declined to comment on Glick's proposal. The industry historically has opposed government mandates on cybersecurity.
The ransomware attack should also play a role as Congress considers Biden's $2.3 trillion infrastructure proposal, Granholm said.
"Obviously pipelines should be considered part of that," she said. "Cybersecurity should be considered part of that. Energy infrastructure, including transmission grids, should be part of that. We need to upgrade across the board, and hopefully there will be some interest in a bipartisan fashion to see an upgrade in the nation's infrastructure."
Information for this article was contributed by Matthew Daly and staff members of The Associated Press; by Clifford Krauss and Michael Schwirtz of The New York Times; and by Shaddi Abusaid of The Atlanta Journal-Constitution (TNS).
