December 1, 2023

WASHINGTON – The Justice Department announced Monday that it had recovered much of the ransom a major U.S. pipeline operator paid to a Russian hacking collective last month, turning the tables on the hackers by breaking into a digital wallet to recapture millions of dollars in cryptocurrency.

In the past few weeks, investigators traced the 75 bitcoins, worth more than $4 million, that Colonial Pipeline paid the hackers after the attack shut down its computer systems, causing fuel shortages, a surge in gasoline prices, and chaos for airlines.

Federal investigators tracked the ransom as it moved through a maze of at least 23 different electronic accounts belonging to the hacking group DarkSide, before it ended up in one that a federal judge allowed investigators to break into, according to law enforcement officials and court documents.

The Justice Department said it seized 63.7 bitcoins worth about $2.3 million. (The value of a bitcoin has fallen in the last month.)

“The sophisticated use of technology to hold companies and even entire cities hostage for profit is clearly a 21st century challenge, but the old saying ‘follow the money’ still applies,” said Lisa O. Monaco, the deputy attorney general, at a news conference at the Justice Department.

Law enforcement officials highlighted the seizure to warn cybercriminals that the United States would go after their profits, which are often collected in cryptocurrencies like Bitcoin. The seizure is also meant to encourage victims of ransomware attacks – which occur on average every eight minutes – to notify the authorities so they can help recover ransoms.

For years, victims have chosen to pay cybercriminals quietly, assuming that paying would be cheaper than restoring data and services. Although the FBI advises against ransom payments, they are legal and even tax deductible. But the payments – which collectively amount to billions of dollars – have funded and emboldened ransomware groups.

Justice Department officials said Colonial’s willingness to engage the FBI quickly helped get the ransom back, and they praised the company for its role in what they described as the first operation of its kind: a new ransomware task force within the department seizing a cybercrime group’s profits.

“We must continue to take cyber threats seriously and invest accordingly to strengthen our defenses,” said Joseph Blount, CEO of Colonial, in a statement. Mr Blount said investigators helped Colonial understand the hackers and their tactics after his company contacted the FBI and the Justice Department to inform them of the attack.

The Justice Department’s announcement also came ahead of President Biden’s planned meeting with Russian President Vladimir V. Putin in Geneva next week, where Mr Biden is expected to address what American officials see as the Kremlin’s readiness to protect hackers. Russia typically does not arrest or extradite suspects in ransomware attacks.

The New York Times reported last month that the Colonial Pipeline ransom payment was withdrawn from DarkSide’s Bitcoin wallet, although it was not clear who orchestrated the move.

On Monday, the government filled in some of the gaps. DarkSide operates by supplying ransomware to affiliates; in return, DarkSide takes a share of their profits.

Officials said they identified a virtual currency account, often called a wallet, that DarkSide used to collect payments from a ransomware victim – identified only as Victim X in court records, but whose details of the hack match Colonial’s. Officials said a judge in the Northern District of California approved a warrant Monday to seize funds from the wallet.

The FBI began the investigation into DarkSide last year and identified more than 90 victims in various economic sectors including manufacturing, legal, insurance, healthcare and energy, Paul M. Abbate, the FBI’s assistant director, told the news conference.

DarkSide first appeared in August and is said to have started as an affiliate of another Russian hacking group called REvil before opening its own operation last year.

Weeks after DarkSide attacked Colonial, REvil used ransomware to extort money from JBS, one of the largest meat processors in the world. The attack forced the company to close nine beef plants in the United States, disrupted poultry and pork plants, and had a significant impact on grocery stores and restaurants, which charged more for meat products or removed them from their menus.

In the past few weeks, ransomware has also crippled the hospital that serves The Villages in Florida, the largest retirement community in the United States; television networks; NBA and minor league baseball teams; and even ferries to Nantucket and Martha’s Vineyard in Massachusetts.

The episodes raised national awareness of digital vulnerabilities. White House officials said last week that they are working to address the cryptocurrency issues that have enabled ransomware attacks for years.

Last week, FBI Director Christopher A. Wray compared the threat posed by ransomware attacks to the challenge of global terrorism in the days following the September 11, 2001 attacks.

“There are many parallels, there is a lot of meaning, and we are very focused on disorder and prevention,” he said. “There is a shared responsibility, not just among government agencies, but also in the private sector and even with the average American.”

Mr Wray added that the FBI is investigating 100 variants of software used in ransomware attacks, demonstrating the scale of the problem.

Although US officials were careful not to link the ransomware attacks directly to Russia, Mr Biden, Mr Wray and others said the country is protecting cyber criminals.

In many cases, Russia treats them as national assets. For example, in an attack on Yahoo in 2014, Russian intelligence agents worked side by side with cybercriminals, allowing them to profit from stolen data while instructing them to hand over email accounts to the FSB, the Soviet-era successor agency to the KGB.

Putin has compared hackers with “artists who wake up in a good mood in the morning and start painting”. The reality, US officials say, is that they give Mr Putin and Russian intelligence agencies a degree of plausible deniability.

Not only is Mr Biden expected to raise the issue with Mr Putin, but the State Department is also in talks with about two dozen other countries about ways to jointly pressure Russia to fight cybercrime.

“If the Russian government wants to show that it is serious, there is plenty of room for them to demonstrate real progress that we are not seeing,” Wray said last week.

Anne Neuberger, assistant national security advisor for cyber and emerging technologies, warned American companies last week that ransomware had taken a dark turn, noting that it had recently “gone from data stealing to business disruption”.

The hackers targeted Colonial’s accounting systems directly. With those frozen, executives found they had no way to bill customers and shut down operations as a precaution. A confidential government assessment found that if the pipeline had been shut down for two more days, the attack would have brought local public transport and chemical refineries, which rely on Colonial to transport diesel, to their knees.

The White House held emergency meetings to combat the attack. The Biden administration announced that it would require pipeline companies to report significant cyberattacks and that the government would set up 24-hour emergency centers to handle serious hacker attacks.

Cybersecurity experts welcomed the Justice Department’s move.

“It has become clear that we need to use multiple tools to stem the tide” of ransomware, said John Hultquist, vice president of cybersecurity company FireEye. “A stronger focus on disorders can discourage this behavior, which grows in a vicious circle.”

David E. Sanger contributed to the coverage.