The cyberextortion attempt that forced the shutdown of a vital pipeline in the United States was carried out by a criminal gang known as DarkSide, which cultivates a Robin Hood image of robbing businesses and giving to charities, two people familiar with the investigation said on Sunday.
The shutdown, meanwhile, continued into its third day, with the Biden administration easing regulations for transporting petroleum products on highways as part of an “all hands on deck” effort to avoid disruptions in the fuel supply.
Experts said gasoline prices are unlikely to be affected if the pipeline returns to normal within the next few days, but the incident – the worst cyberattack to date on critical US infrastructure – should serve as a warning to companies about the vulnerabilities they face.
The pipeline, operated by Georgia-based Colonial Pipeline, transports gasoline and other fuels from Texas to the northeast. It provides about 45% of the fuel consumed on the East Coast, according to the company.
It was struck by what Colonial called a ransomware attack, in which hackers typically lock up computer systems by encrypting data, crippling networks, and then demand a large ransom to decrypt them.
Colonial Pipeline said on Sunday that it was actively restoring some of its computer systems. It said it remains in contact with law enforcement and other US agencies, including the Department of Energy, which is leading the federal government’s response. The company did not say what was demanded or who demanded it.
However, two people close to the investigation, speaking on condition of anonymity, identified the culprit as DarkSide. It is one of the ransomware gangs that have “professionalized” a criminal industry that has cost Western countries tens of billions of dollars in losses over the past three years.
DarkSide claims that it does not attack hospitals, nursing homes, educational or government targets and that it donates a portion of its take to charity. It has been active since August and, typical of the most powerful ransomware gangs, it is known to avoid targeting organizations in countries of the former Soviet bloc.
Colonial did not say whether it paid or negotiated a ransom, and DarkSide did not announce the attack on its dark web site or answer questions from an Associated Press reporter. A lack of acknowledgment usually indicates that a victim is negotiating or has paid.
On Sunday, Colonial Pipeline said it was developing a “system restart” plan. It said its main pipeline remains offline but some smaller lines are now operational.
“We are in the process of restoring service to other laterals and will only bring our complete system back online when we believe it is safe to do so, and in full compliance with the approval of all federal regulations,” the company said in a statement.
US Secretary of Commerce Gina Raimondo said on Sunday that ransomware attacks are “what businesses need to be worried about now,” and that she will work “very vigorously” with the Department of Homeland Security to resolve the issue, calling it an absolute priority for the administration.
“Unfortunately, this type of attack is more and more common,” she said on CBS’s Face the Nation show. “We need to work in partnership with businesses to secure networks in order to defend against these attacks.”
She said US President Joe Biden had been briefed on the attack.
“It’s an all-hands-on-deck effort right now,” said Raimondo. “And we are working closely with the company, state and local authorities to ensure that they return to normal operations as quickly as possible and that there are no disruptions in supply.”
The Department of Transportation issued a regional emergency declaration on Sunday, easing hours of service regulations for drivers carrying gasoline, diesel, jet fuel and other refined petroleum products in 17 states and the District of Columbia. This allows them to work overtime or more flexible hours to compensate for any fuel shortages related to the pipeline failure.
One of those close to the Colonial investigation said the attackers also stole data from the company, presumably for extortion purposes. Sometimes stolen data is more valuable to ransomware criminals than the leverage they gain by crippling a network, as some victims are reluctant to have their sensitive information dumped online.
Security experts said the attack should be a warning to operators of critical infrastructure – including electricity and water utilities and energy and transportation companies – that failing to invest in updating their security exposes them to the risk of disaster.
Ed Amoroso, CEO of TAG Cyber, said Colonial was lucky its attacker was at least ostensibly motivated solely by profit, not geopolitics. State-backed hackers bent on more serious destruction use the same intrusion methods as ransomware gangs.
“For businesses vulnerable to ransomware, this is a bad sign because they are likely more vulnerable to more serious attacks,” he said. Russian cyber warriors, for example, crippled the electricity grid in Ukraine during the winters of 2015 and 2016.
Cyberextortion attempts in the United States have become a death-by-a-thousand-cuts phenomenon over the past year, with attacks causing delays in cancer treatment in hospitals, disrupting education and crippling police departments and city governments.
Tulsa, Oklahoma, this week became the 32nd state or local government in the United States to be attacked by ransomware, said Brett Callow, threat analyst at cybersecurity firm Emsisoft.
The average ransom paid in the United States nearly tripled to over $310,000 last year. The average downtime for victims of ransomware attacks is 21 days, according to Coveware, which helps victims respond.
David Kennedy, founder and senior security consultant at TrustedSec, said that once a ransomware attack is discovered, companies have little recourse but to completely rebuild their infrastructure or pay the ransom.
“Ransomware is absolutely out of control and is one of the biggest threats we face as a nation,” Kennedy said. “The problem we face is that most businesses are unprepared to deal with these threats.”
Colonial transports gasoline, diesel, jet fuel and heating oil from refineries on the Gulf Coast through pipelines from Texas to New Jersey. Its pipeline network spans more than 8,850 km (5,500 miles), transporting more than 380 million liters (100 million gallons) per day.
Debnil Chowdhury, of research firm IHS Markit, said if the outage spanned one to three weeks, gas prices could start to rise.
“I wouldn’t be surprised, if it ends up being an outage of this magnitude, if we see a 15 to 20 cent increase in gasoline prices over the course of the next week or two,” he said.
The Department of Justice has a new task force dedicated to combating ransomware attacks.
While the United States has not suffered any serious cyberattacks on its critical infrastructure, officials say Russian hackers in particular are known to have infiltrated certain critical sectors, positioning themselves to do damage if armed conflict breaks out. While there is no evidence that the Kremlin benefits financially from ransomware, US officials believe President Vladimir Putin relishes the chaos it is causing in the economies of his opponents.
Iranian hackers have also been aggressive in trying to gain access to utilities, factories, and oil and gas facilities. In one case in 2013, they broke into the control system of an American dam.