The cyberextortion attempt that forced the shutdown of a vital U.S. pipeline was carried out by a criminal gang known as DarkSide, which cultivates a Robin Hood image of stealing from corporations and giving a cut to charity, two people close to the investigation said Sunday.
The shutdown stretched into its third day, with the Biden administration loosening regulations for the transport of petroleum products on highways as part of an "all-hands-on-deck" effort to avoid disruptions in the fuel supply.
Experts said that gasoline prices are unlikely to be affected if the pipeline is back to normal in the next few days, but that the incident, the worst cyberattack to date on critical U.S. infrastructure, should serve as a wake-up call to companies about the vulnerabilities they face.
The pipeline, operated by Georgia-based Colonial Pipeline, carries gasoline and other fuel from Texas to the Northeast. It delivers roughly 45% of the fuel consumed on the East Coast, according to the company.
The company said it was hit by a ransomware attack, in which hackers typically lock up computer systems by encrypting data, paralyzing networks, and then demand a large ransom to unscramble it.
On Sunday, Colonial Pipeline said it was actively in the process of restoring some of its IT systems. It says it remains in contact with law enforcement and other federal agencies, including the Department of Energy, which is leading the federal government's response. The company has not said what was demanded or who made the demand.
Two people close to the investigation, however, identified the perpetrator as DarkSide, speaking on condition of anonymity. DarkSide is among the ransomware gangs that have "professionalized" a criminal industry that has cost Western nations tens of billions of dollars in losses in the past three years.
DarkSide claims that it does not attack hospitals and nursing homes, educational or government targets, and that it donates a portion of its take to charity. It has been active since August and, typical of the most potent ransomware gangs, is known to avoid targeting organizations in former Soviet bloc nations.
Colonial did not say whether it had paid or was negotiating a ransom, and DarkSide neither announced the attack on its dark web site nor responded to an Associated Press reporter's questions. The lack of acknowledgment usually indicates a victim is either negotiating or has paid.
On Sunday, Colonial Pipeline said it was developing a "system restart" plan. It said its main pipeline remains offline but some smaller lines are now operational.
"We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so and in full compliance with all federal regulations," the company said in a statement.
Commerce Secretary Gina Raimondo said Sunday that ransomware attacks are "what businesses have to worry about," and that she will work "very vigorously" with the Department of Homeland Security to address the problem, calling it a top priority for the administration.
"Unfortunately, these sorts of attacks are becoming more frequent," she said on CBS' "Face the Nation." "We have to work in partnership with businesses to protect networks to stop these attacks."
She said President Joe Biden was briefed on the attack.
"It's an all-hands-on-deck effort right now," Raimondo said. "And we are working closely with the company, state and local officials to ensure that they get back up to normal operations as quickly as possible and there aren't disruptions in supply."
The Department of Transportation issued a regional emergency declaration Sunday, relaxing hours-of-service regulations for drivers carrying gasoline, diesel, jet fuel and other refined petroleum products in 17 states and the District of Columbia. It lets them work extra or more flexible hours to make up for any fuel shortage related to the pipeline outage.
One of the people close to the Colonial investigation said the attackers also stole data from the company, presumably for extortion purposes. Sometimes stolen data is more valuable to ransomware criminals than the leverage they gain by crippling a network, because some victims are loath to see sensitive information about them dumped online.
The attack should be a warning for operators of critical infrastructure, including electrical and water utilities and energy and transportation companies, that not investing in updating their security puts them at risk of catastrophe.
Ed Amoroso, CEO of TAG Cyber, said Colonial was lucky that its attacker was at least ostensibly motivated only by profit, not geopolitics. Hackers bent on more serious destruction use the same intrusion techniques as ransomware gangs.
"For companies vulnerable to ransomware, it's a serious sign because they are probably more vulnerable to bad attacks," he said. Russian cyberwarriors, for example, crippled the electrical grid in Ukraine during the winters of 2015 and 2016.
Cyberextortion attempts in the U.S. have become a death-by-a-thousand-cuts phenomenon in the past year, with attacks interrupting cancer treatment at hospitals, disrupting schooling and paralyzing police and city governments.
This week brought the 32nd ransomware attack this year on a U.S. state or local government, according to Brett Callow, a threat analyst with the cybersecurity firm Emsisoft.
The average ransom paid in the U.S. jumped nearly threefold last year to more than $310,000. The average downtime for victims of ransomware attacks is 21 days, according to Coveware, a firm that helps victims respond.
David Kennedy, founder and chief security consultant at TrustedSec, said that once a ransomware attack is discovered, companies have little recourse but to completely rebuild their infrastructure or pay the ransom.
"Ransomware is absolutely out of control and one of the biggest threats we face as a nation," Kennedy said. "The problem we face is that most companies are seriously underprepared to deal with these threats."
Colonial transports gasoline, diesel, jet fuel and home heating oil from refineries on the Gulf Coast through pipelines running from Texas to New Jersey. Its pipeline system spans more than 5,500 miles, transporting more than 100 million gallons a day.
Debnil Chowdhury at the research firm IHS Markit said that if the outage stretches to one to three weeks, gas prices could begin to rise.
"I would not be surprised, if this ends up being an outage of that magnitude, if we see a 15- to 20-cent rise in gas prices over the next week or two," he said.
The Justice Department has a new task force focused on fighting ransomware attacks.
While the U.S. has not suffered any serious cyberattacks on its critical infrastructure, officials say Russian hackers in particular are known to have infiltrated some critical sectors and positioned themselves to do damage if armed conflict were to break out. While there is no evidence that Russian President Vladimir Putin benefits from ransomware, U.S. officials believe the Kremlin savors the mayhem it wreaks in adversaries' economies.
Iranian hackers have also been aggressive in trying to gain access to utilities, factories, and oil and gas facilities. In one case, in 2013, they broke into the control system of a U.S. dam.
Bajak reported from Boston. AP writers Alan Suderman in Richmond, Virginia, and Martin Crutsinger and Michael Balsamo in Washington contributed to this report.