Ransomware attack on major U.S. pipeline is work of criminal gang called DarkSide, FBI says
The cyberextortion attempt that's forced the shutdown of a vital U.S. pipeline was carried out by a criminal gang known as DarkSide that cultivates a Robin Hood image of stealing from corporations and giving a cut to charity, the FBI said Monday.
The shutdown, meanwhile, stretched into its third full day, with the Biden administration loosening regulations of the transport of petroleum products on highways as part of an "all-hands-on-deck" effort to avoid disruptions in the fuel supply. Georgia-based Colonial Pipeline said Monday it hopes to have service mostly restored by the end of the week.
Experts said gasoline prices are unlikely to be affected if the pipeline is back to normal in the next few days but that the incident — the worst cyberattack to date on critical U.S. infrastructure — should serve as a wake-up call to companies about the vulnerabilities they face.
The pipeline carries gasoline and other fuel from Texas to the Northeast. It delivers roughly 45% of fuel consumed on the East Coast, according to the company.
It was hit by what Colonial called a ransomware attack, in which hackers typically lock up computer systems by encrypting data and paralyzing networks, then demand a large ransom to unscramble it.
On Monday, Colonial Pipeline said it was planning a "phased approach" with the goal of "substantially restoring operational service by the end of the week."
"Restoring our network to normal operations is a process that requires the diligent remediation of our systems, and this takes time," the company said in a statement.
It says it remains in contact with law enforcement and other federal agencies, including the Department of Energy, which is leading the federal government response. The company hasn't said what was demanded or who made the demand.
At the White House, President Biden told reporters Monday the U.S. intelligence community had no evidence the Russian government was involved with the Colonial attack, but Mr. Biden said there was evidence the ransomware was in Russia. "They have some responsibility to deal with this," the president said after delivering remarks on the economy.
DarkSide is among ransomware gangs that have "professionalized" a criminal industry that has cost Western nations tens of billions of dollars in losses in the past three years.
DarkSide claims it doesn't attack hospitals and nursing homes, educational or government targets and that it donates a portion of its take to charity. It's been active since August and, typical of the most potent ransomware gangs, is known to avoid targeting organizations in former Soviet bloc nations.
Colonial didn't say whether it has paid or was negotiating a ransom, and DarkSide neither announced the attack on its dark web site nor responded to an Associated Press reporter's queries. The lack of acknowledgment usually indicates a victim is either negotiating or has paid.
"All-hands-on-deck" restart effort
On Sunday, Colonial Pipeline said it is developing a "system restart" plan. It said its main pipeline remains offline but some smaller lines are now operational.
"Segments of our pipeline are being brought back online in a stepwise fashion, in compliance with relevant federal regulations and in close consultation with the Department of Energy," the company said in its statement Monday.
Commerce Secretary Gina Raimondo said Sunday that ransomware attacks are "what businesses now have to worry about" and that she will work "very vigorously" with the Department of Homeland Security to address the problem, calling it a top priority for the administration.
"Unfortunately, these sorts of attacks are becoming more frequent," she said on the CBS News broadcast "Face the Nation." "We have to work in partnership with business to secure networks to defend ourselves against these attacks."
She said President Biden was briefed on the attack.
"It's an all-hands-on-deck effort right now," Raimondo said, "and we are working closely with the company, state and local officials to make sure that they get back up to normal operations as quickly as possible and there aren't disruptions in supply."
The Department of Transportation issued a regional emergency declaration Sunday, relaxing hours-of-service regulations for drivers carrying gasoline, diesel, jet fuel and other refined petroleum products in 17 states and the District of Columbia. It lets them work extra or more flexible hours to make up for any fuel shortage related to the pipeline outage.
The Pentagon's Defense Logistics Agency is monitoring inventory levels. "There is sufficient inventory on hand for downstream customers so there is no immediate mission impact," Pentagon spokesperson John Kirby told reporters Monday. "Obviously, we're coordinating with our interagency partners."
A person close to the Colonial investigation, speaking to the AP on condition of anonymity, said the attackers also stole data from the company, presumably for extortion purposes. Sometimes stolen data is more valuable to ransomware criminals than the leverage they gain by crippling a network because some victims are loath to see sensitive information of theirs dumped online.
Vulnerabilities exposed
Security experts said the attack should be a warning for operators of critical infrastructure — including electrical and water utilities and energy and transportation companies — that not investing in updating their security puts them at risk of catastrophe.
Ed Amoroso, CEO of TAG Cyber, said Colonial was lucky its attacker was at least ostensibly motivated only by profit, not geopolitics. State-backed hackers bent on more serious destruction use the same intrusion methods as ransomware gangs.
"For companies vulnerable to ransomware, it's a bad sign because they are probably more vulnerable to more serious attacks," he said. Russian cyberwarriors, for example, crippled the electrical grid in Ukraine during the winters of 2015 and 2016.
Cyberextortion attempts in the U.S. have become a death-by-a-thousand-cuts phenomenon in the past year, with attacks forcing delays in cancer treatment at hospitals, interrupting schooling and paralyzing police and city governments.
Tulsa, Oklahoma, this week became the 32nd state or local government in the U.S. to come under ransomware attack, said Brett Callow, a threat analyst with the cybersecurity firm Emsisoft.
Average ransoms paid in the U.S. jumped nearly threefold to more than $310,000 last year. The average downtime for victims of ransomware attacks is 21 days, according to the firm Coveware, which helps victims respond.
Homeland Security Secretary Alejandro Mayorkas said last week more than $350 million in victim funds were paid in 2020. The rate of ransomware attacks increased by 300% in 2020 across the U.S.
David Kennedy, founder and senior principal security consultant at TrustedSec, said that once a ransomware attack is discovered, companies have little recourse but to completely rebuild their infrastructure, or pay the ransom.
"Ransomware is absolutely out of control and one of the biggest threats we face as a nation," Kennedy said. "The problem we face is most companies are grossly underprepared to face these threats."
Colonial transports gasoline, diesel, jet fuel and home heating oil from refineries on the Gulf Coast through pipelines running from Texas to New Jersey. Its pipeline system spans more than 5,500 miles, transporting more than 100 million gallons a day.
Debnil Chowdhury at the research firm IHSMarkit said that if the outage stretches to one to three weeks, gas prices could begin to rise.
"I wouldn't be surprised, if this ends up being an outage of that magnitude, if we see 15- to 20-cent rise in gas prices over next week or two," he said.
The Justice Department has a new task force dedicated to countering ransomware attacks. The Department of Homeland Security began a "60-day sprint" to tackle the challenge of ransomware last month.
While the U.S. hasn't suffered any serious cyberattacks on its critical infrastructure, officials say Russian hackers in particular are known to have infiltrated some crucial sectors, positioning themselves to do damage if armed conflict were to break out. While there is no evidence the Kremlin benefits financially from ransomware, U.S. officials believe President Vladimir Putin savors the mayhem it wreaks in adversaries' economies.
Chris Krebs, the former director of Homeland Security's Cybersecurity and Infrastructure Security Agency, told CBS News the tactics of the Colonial attack are indicative of "veteran" cybercriminals.
Krebs added that the escalating ransomware attacks of Russian-based groups have created "a lot of frustration" to U.S. critical infrastructure operators.
"I tend to think as sort of a rule of thumb that if a ransomware crew is operating successfully out of Russia, they at very least have the tacit approval of the intelligence apparatus within Russia for strategic benefit," Krebs said. "This is creating a lot of frustration, a lot of harm to U.S. critical infrastructure and ultimately that aligns with the strategic objectives of those intelligence services."
Iranian hackers have also been aggressive in trying to gain access to utilities, factories and oil and gas facilities. In one case in 2013, they broke into the control system of a U.S. dam.
