President Biden said Monday that the United States was “disrupting and prosecuting” a criminal group of hackers called DarkSide that the FBI officially blamed for a huge ransomware attack that struck the flow of nearly half of its gasoline and jet fuel supplies to the US has disrupted east coast.
Obviously concerned that the ransomware effort could spread, the FBI issued a distress alert to electricity, gas and other pipeline operators looking for codes like those used by Colonial Pipelines, a private company that controls the main pipeline , caged transportation of gasoline, diesel, and jet fuel from the Texas Gulf Coast to New York Harbor.
The pipeline stayed offline for a fourth day on Monday to prevent the malware that has infected the company’s computer networks from spreading to the control systems on which the pipeline is running. So far, the impact on gasoline and other energy supplies appears minimal, and Colonial was hoping to get the pipeline back online by the end of this week.
The attack sparked emergency White House meetings throughout the weekend as officials tried to understand whether or not the episode was a purely criminal act to shut down Colonial’s computer networks unless a large ransom was paid whether it was the work of Russia or some other state that covertly used the criminal group.
According to intelligence officials, all signs indicate that it was merely an act of extortion by the group that first began delivering such ransomware in August last year and that is believed to be operating from Eastern Europe, possibly Russia. Even in the group’s own testimony on Monday, there was evidence that the group had only intended to extort money from the company and was surprised that the main gasoline and jet fuel supplies for the east coast were cut.
The attack exposed the remarkable vulnerability of a major energy channel in the US as hackers become bolder in taking over critical infrastructure such as power grids, pipelines, hospitals and water treatment plants. The Atlanta and New Orleans city governments and, in recent weeks, the Washington, DC Police Department, have also been hit.
The explosion in ransomware cases has been fueled by the rise in cyber insurance – which has made many companies and governments mature targets for criminal gangs who believe their targets will pay off – and cryptocurrencies, which make it difficult to track extortion payments.
In this case, the ransomware targeted the back office operations of the Colonial Pipeline rather than the pipeline’s control systems, federal officials and private investigators said. However, fear of greater damage forced the company to shut down the system. This created the huge security gaps in the patched network that keeps gas stations, truck stops, and airports going.
A preliminary investigation found poor security practices at Colonial Pipeline, according to federal and private officials familiar with the investigation. The mistakes most likely made it fairly easy to break into and block the company’s systems.
Colonial Pipeline did not answer questions about investing in protecting its networks and refused to say whether the ransom was paid. And the company didn’t seem ready to let federal officials step up its defenses.
“At the moment they haven’t asked the federal government for cyber support,” Anne Neuberger, deputy national security advisor on cyber and emerging technologies, told reporters at a White House briefing. Declining to say whether the federal government would recommend paying the ransom, she noted that “companies are often in a difficult position when their data is encrypted and they don’t have backups and cannot restore the data.”
While Ms. Neuberger did not say so, this appears to be essentially what happened to Colonial.
Mr Biden, who is expected to announce an executive order to strengthen US cyber defense in the coming days, said there was no evidence that the Russian government was behind the attack. But he said he planned to meet with President Vladimir V. Putin of Russia soon – the two men are expected to hold their first summit next month – and suggested Moscow has some responsibility, given that DarkSide is believed to have roots in Russia and the country envisages this as a paradise for cyber criminals.
“There are governments that turn a blind eye or positively encourage these groups, and Russia is one of those countries,” said Christopher Painter, the former top US cyber diplomat. “Putting pressure on safe havens for these criminals must be part of any solution.”
Colonial’s pipelines supply large storage tanks along the east coast, and supplies appear to be plentiful, partly due to decreased traffic during the pandemic. Colonial issued a statement Monday calling for it to “essentially” resume service by the end of the week. However, the company warned that the process would take some time.
Elizabeth Sherwood-Randall, Mr. Biden’s homeland security adviser and former assistant secretary of energy in the Obama administration, said the Department of Energy led the federal response and “convened utilities in the oil, natural gas and electricity sectors to share details about the.” Ransomware attack and to discuss recommended actions to mitigate further incidents across the industry. “She noted that the federal government had relaxed the rules for drivers who haul gasoline and jet fuel by truck to mitigate the impact.
“At the moment there is no supply shortage,” she said. “We are preparing for several possible contingencies.” But she said the job of getting the pipeline back online belongs to Colonial.
For many officials who have struggled for years to protect the United States’ critical infrastructure from cyberattacks, the only surprise about what happened over the past few days is that it lasted so long. When Leon E. Panetta was Secretary of Defense under President Barack Obama, Panetta warned of a “Cyber Pearl Harbor” that could turn off electricity and fuel. This phrase is often used to get Congress or corporations to spend more on Cyberdefense.
During the Trump administration, the Department of Homeland Security issued warnings about Russian malware on the American power grid, and the United States made not-entirely-secret efforts to put malware on the Russian power grid as a warning.
But in the many simulations carried out by government agencies and electricity companies of what a strike against the American energy sector would look like, the effort has usually been viewed as some sort of terrorist attack – a mix of cyber and physical attacks – or a lightning bolt from Iran, China or Russia at the opening moments of a major military conflict.
But this case was different: a criminal actor who stalled the system while trying to extort money from a company. A senior Biden government official called it “the ultimate mixed threat” as it was a crime to which the United States typically responded with arrests or charges, creating a major threat to the country’s energy supply chain.
By threatening to “disrupt” the ransomware group, Mr Biden may have signaled that the administration has taken action against these groups that goes beyond charges. This is what the United States Cyber Command did last year before the presidential election in November, when its military hackers broke into the systems of another ransomware group called Trickbot and tampered with their command and control computer servers in such a way that they couldn’t use New Victims Lock up ransomware. At the time, it was feared that the ransomware group might sell its capabilities to governments, including Russia, who were trying to freeze the electoral tables.
On Monday, DarkSide argued that it was not operating on behalf of a nation-state, perhaps to distance itself from Russia.
“We are apolitical, we do not participate in geopolitics, we do not have to be tied to a defined government and look for our motives,” said a statement on the website. “Our goal is to make money and not create problems for society.”
The group seemed somewhat surprised that their actions resulted in the closure of a large pipeline and suggested that such goals may be avoided in the future.
“Starting today, we’re introducing moderation and reviewing every company that our partners want to encrypt to avoid future social consequences,” said the group, although it was unclear how they defined moderation.
DarkSide is a relative newcomer to the ransomware scene, what Ms. Neuberger referred to as a “criminal actor” who rents his services to the highest bidder and then “shares the proceeds with ransomware developers”. It’s essentially a business model with some of the illicit profits going into research and development for more effective forms of ransomware.
The group often portrays itself as a kind of digital Robin Hood who steals from companies and passes them on to others. DarkSide says it avoids hacking hospitals, funeral homes, and nonprofits, but it targets large corporations and temporarily donates its proceeds to charities. Most of the charities have turned down their gift offers.
A clue to DarkSide’s origins is in its code. Private researchers note that DarkSide’s ransomware is asking victims’ computers for their default language setting. If it is Russian, the group switches to other victims. It also seems to avoid victims speaking Ukrainian, Georgian, and Belarusian.
Its code bears remarkable similarities to that of REvil, a ransomware group that was one of the first to offer “ransomware as a service” – essentially hackers for hire – to take ransomware systems hostage.
“It seems that this was an offshoot that wanted to start its own business,” said Jon DiMaggio, a former intelligence community analyst who is now Analyst1’s chief security strategist. “To gain access to REvil’s code, you would have to have it or steal it because it is not publicly available.”
DarkSide makes lesser ransom demands than the eight-digit amounts REvil is known for – between $ 200,000 and $ 2 million. According to DiMaggio, there is a unique key in every ransom note, suggesting that DarkSide is tailoring attacks to each victim.
“They are very selective compared to most ransomware groups,” he said.