Colonial Pipeline Co. operates the 5,500-mile Colonial Pipeline system taking fuel from the refineries of the Gulf Coast to the New York metro area. It said it learned Friday that it was the victim of the attack and "took certain systems offline to contain the threat, which has temporarily halted all pipeline operations."
The outage isn't expected to have a significant impact on fuel markets unless the pipeline remains shut down for several days, analysts said.
The cyberattack on Colonial appeared to involve ransomware, a type of code that attempts to seize computer systems and demand payment from the victim to have them unlocked, according to a person familiar with the matter. The investigation was in its early stages, the person said.
The company said it had engaged a third-party cybersecurity firm to help with the issue, which affected some of its IT systems, and had contacted federal agencies and law enforcement.
FireEye Inc., a U.S.-based cybersecurity firm, is investigating the attack, according to people familiar with the matter. A FireEye spokesman declined to comment.
The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, which works with critical infrastructure companies on cyber defense, didn't immediately respond to requests for comment.
It wasn't clear whether the attack was perpetrated by a nation-state actor or criminal actor. Attributing cyberattacks is difficult and can often take months or longer.
The Colonial Pipeline is the largest refined-products pipeline in the U.S., transporting more than 100 million gallons a day, or roughly 45% of fuel consumed on the East Coast, according to the company's website. It delivers fuels including gasoline, diesel, jet fuel and heating oil and serves U.S. military facilities.
"At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation," the company said in a statement. "This process is already under way, and we are working diligently to address this matter and to minimize disruption to our customers."
Colonial spokeswoman Kelsey Tweed said the company didn't have further details to provide at this time.
Inventories of gasoline have been readied for the summer driving season and usually get replenished every five to six days. But if the pipeline remains offline for days, shortages at terminals that receive fuel in the southeastern U.S. and Atlantic Coast markets could begin to affect retail stations and consumers, said Andy Lipow, president of consulting firm Lipow Oil Associates in Houston.
"It's similar to a hurricane event where the pipeline gets shut down, so if it's for a day or two then the impact will be mitigated," Mr. Lipow said.
The fuel artery is critical to supplying the northeastern U.S. and other markets, and extended shutdowns of the pipeline have caused fuel prices to jump in previous years. Starting full operations in the 1960s, it is also among the many aging U.S. pipelines that were built before 1970.
An outage lasting more than five days could have sharp consequences for fuel supplies, particularly in the southeast U.S., as inventory levels there are fairly tight, said Tom Kloza, global head of energy analysis for Oil Price Information Services, or OPIS, an IHS Markit company.
"If you were looking at the top 20 public targets that you could really wreak havoc with by screwing with the software, the Colonial Pipeline is in that group," Mr. Kloza said. "It's a big deal."
Still, areas along the northern Atlantic Coast have ample fuel supplies amid a rise in foreign imports, particularly from Europe, he said.
Cyberattacks targeting critical infrastructure or key companies, some by suspected foreign actors, have become a growing area of concern for U.S. national security officials.
Russian hackers, for example, have been blamed by Western intelligence agencies for temporarily downing parts of Ukraine's power grid in the winter. Pipelines have long been viewed as an area of concern for these kinds of attacks, in part because halting their operations can have immediate impact.
President Biden in April announced punitive measures against Russia, blaming suspected Russian agents for a month-long hack of the U.S. government and some of America's biggest corporations.
That attack involved SolarWinds Corp., a network-management software firm whose software was one of the primary entry points for the hackers, but extended beyond its software. It has been described as one of the worst instances of cyber espionage in U.S. history.
U.S. officials in recent months have ramped up warnings about such hacks. The number of ransomware incidents has risen dramatically during the coronavirus pandemic, cybersecurity experts say, targeting schools, hospitals and companies.
On Wednesday, Homeland Security Secretary Alejandro Mayorkas said his agency is dedicating more resources to counter ransomware aimed at locking up government and private-sector computer networks. And the Justice Department last month announced a new task force dedicated to ransomware.
"The threat is real. The threat is upon us. The risk is to all of us," Mr. Mayorkas said.
Mike Chapple, a cybersecurity expert at the University of Notre Dame and former National Security Agency official, said the Colonial Pipeline attack appeared to show the hackers were "extremely sophisticated" or that the systems weren't properly secured.
"This pipeline shutdown sends the message that core elements of our national infrastructure continue to be vulnerable to cyberattack," Mr. Chapple said.
If the attack originated from malware or ransomware that infected systems, potentially inadvertently, then network issues could be fixed in a matter of days or weeks, depending on how well prepared Colonial was to respond to an attack, said Grant Geyer, chief product officer of software firm Claroty, which specializes in industrial cybersecurity.
But if a nation-state directed the attack, it would require an extensive cybersecurity response to fix vulnerabilities that could serve as a "backdoor" for infections later.
"A lot of the systems that control industrial environments are managed by, in some cases, antiquated Windows systems that are rife with vulnerabilities," Mr. Geyer said, adding the problem is particularly acute in the energy industry.
Miguel Bustillo and David Uberti contributed to this article.