President Biden said Monday that the United States was “disrupting and prosecuting” a criminal gang of hackers called DarkSide, which the FBI officially held responsible for a huge ransomware attack that has disrupted the flow of nearly half of the gasoline and jet fuel supplies to the East Coast.
Clearly concerned that the ransomware campaign could spread, the FBI issued an emergency alert to electricity, gas and other pipeline operators to look for code like that used against Colonial Pipeline, a private company that controls the main pipeline carrying gasoline, diesel and jet fuel from the Texas Gulf Coast to New York Harbor.
The pipeline stayed offline for a fourth day on Monday as a preventive measure, to keep the malware that infected the company’s computer networks from spreading to the control systems that run the pipeline. So far the effects on gasoline and other energy supplies appear minimal, and Colonial said it hopes to have the pipeline back up and running by the end of this week.
The attack triggered emergency White House meetings throughout the weekend, as officials tried to understand whether the episode was a purely criminal act designed to shut down Colonial’s computer networks unless a large ransom was paid, or whether it was the work of Russia or another state covertly using the criminal group.
According to intelligence officials, all signs indicate that it was merely an act of extortion by the group, which first began deploying such ransomware in August last year and is believed to be operating from Eastern Europe, possibly Russia. Even the group’s own statement on Monday suggested that it merely intended to extort money from the company and was surprised that the main gasoline and jet fuel supplies for the East Coast were cut off.
The attack exposed the remarkable vulnerability of a major energy artery in the United States as hackers grow bolder in taking over critical infrastructure such as power grids, pipelines, hospitals and water treatment plants. The Atlanta and New Orleans city governments and, in recent weeks, the Washington, D.C., Police Department were also hit.
The explosion in ransomware cases has been fueled by the rise of cyber insurance, which has made many companies and governments ripe targets for criminal gangs who believe their victims will pay, and by cryptocurrencies, which make extortion payments difficult to trace.
In this case, the ransomware targeted the back-office operations of Colonial Pipeline rather than the pipeline’s control systems, federal officials and private investigators said. Fear of greater damage nonetheless forced the company to shut the system down, exposing the huge security gaps in the patchwork network that keeps gas stations, truck stops and airports supplied.
A preliminary investigation found poor security practices at Colonial Pipeline, according to federal and private officials familiar with the inquiry. Those lapses most likely made it fairly easy to break into and lock up the company’s systems.
Colonial Pipeline did not answer questions about its investment in protecting its networks and declined to say whether a ransom was paid. Nor did the company appear ready to let federal officials help shore up its defenses.
“At the moment they haven’t asked the federal government for cyber support,” Anne Neuberger, deputy national security advisor on cyber and emerging technologies, told reporters at a White House briefing. Declining to say whether the federal government would recommend paying the ransom, she noted that “companies are often in a difficult position when their data is encrypted and they don’t have backups and cannot restore the data.”
While Ms. Neuberger didn’t say so, this appears to be essentially what happened to Colonial.
Mr. Biden, who is expected to issue an executive order in the days ahead to bolster America’s cyber defenses, said there was no evidence that the Russian government was behind the attack. But he said he plans to meet soon with President Vladimir V. Putin of Russia (the two men are expected to hold their first summit next month), and he suggested that Moscow bears some responsibility, since DarkSide is believed to have roots in Russia and the country is seen as a haven for cybercriminals.
“There are governments that turn a blind eye or positively encourage these groups, and Russia is one of those countries,” said Christopher Painter, the former top US cyber diplomat. “Putting pressure on safe havens for these criminals must be part of any solution.”
Colonial’s pipelines feed large storage tanks along the East Coast, and supplies appear to be plentiful, partly because of reduced traffic during the pandemic. In a statement on Monday, Colonial said its goal was to “essentially” restore service by the end of the week, though the company warned that the process would take time.
Elizabeth Sherwood-Randall, Mr. Biden’s homeland security adviser and a former deputy secretary of energy in the Obama administration, said the Department of Energy was leading the federal response and had “convened the oil, natural gas and electricity utilities to share details on the ransomware attack and to discuss recommended actions to mitigate further incidents across the industry.” She noted that the federal government had relaxed the rules for drivers who haul gasoline and jet fuel by truck to mitigate the impact.
“At the moment there is no supply bottleneck,” she said. “We are preparing for several possible contingencies.” But she said the job of getting the pipeline back online belongs to Colonial.
For many officials who have struggled for years to protect the United States’ critical infrastructure from cyberattacks, the only surprise about what happened over the past few days is that it took so long. When Leon E. Panetta was secretary of defense under President Barack Obama, he warned of a “cyber Pearl Harbor” that could turn off electricity and fuel, a phrase that has since been used often to get Congress or corporations to spend more on cyberdefense.
During the Trump administration, the Department of Homeland Security warned of Russian malware in the American power grid, and the United States made a not-so-secret effort to place malware in the Russian grid as a warning.
But in the many simulations carried out by government agencies and electricity companies of what a strike against the American energy sector would look like, the effort has usually been envisioned as some sort of terrorist attack, a mix of cyber and physical assaults, or as a lightning strike by Iran, China or Russia in the opening moments of a major military conflict.
This case was different: a criminal actor that stalled the system while trying to extort money from a company. A senior Biden administration official called it “the ultimate mixed threat,” because it was a crime, to which the United States normally responds with arrests or indictments, that also created a major threat to the country’s energy supply chain.
By threatening to “disrupt” the ransomware group, Mr. Biden may have signaled that the administration is taking action against these groups that goes beyond indictments. That is what United States Cyber Command did last year, ahead of the November presidential election, when its military hackers broke into the systems of another ransomware group, TrickBot, and tampered with its command-and-control servers so that it could not lock up new victims with ransomware. The fear at the time was that the group might sell its capabilities to governments, including Russia, that were trying to freeze voting systems.
On Monday, DarkSide argued that it was not operating on behalf of a nation-state, perhaps to distance itself from Russia.
“We are apolitical, we do not participate in geopolitics, we do not need to be tied to a defined government and look for our motives,” said a statement on the group’s website. “Our goal is to make money and not create problems for society.”
The group seemed somewhat surprised that its actions had led to the shutdown of a major pipeline and suggested that such targets might be avoided in the future.
“Starting today, we are introducing moderation and reviewing every company that our partners want to encrypt to avoid future social consequences,” the group said, although it was unclear how it defined “moderation.”
DarkSide is a relative newcomer to the ransomware scene, what Ms. Neuberger described as a “criminal actor” that rents its services to the highest bidder and then “shares the proceeds with ransomware developers.” It is essentially a business model in which some of the illicit profits go into research and development of more effective ransomware.
The group often portrays itself as a kind of digital Robin Hood that steals from corporations and gives to others. DarkSide says it avoids hacking hospitals, funeral homes and nonprofits, targets large corporations instead, and at times donates its proceeds to charities. Most of the charities have turned down its offers.
A clue to DarkSide’s origins is in its code. Private researchers note that DarkSide’s ransomware queries the victim computer for its default language setting. If the language is Russian, the malware moves on to other victims. It also appears to avoid victims whose systems use Ukrainian, Georgian or Belarusian.
Its code bears remarkable similarities to that of REvil, a ransomware group that was one of the first to offer “ransomware as a service,” essentially hackers for hire, to hold systems hostage with ransomware.
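The language check described above is a common pattern in ransomware aimed away from former Soviet states, and it is worth seeing concretely how such a check reasons about a Windows language identifier. The block below is an added illustration, not DarkSide’s code or anything recovered from it: it models the observable behaviour (skip the host if its language is Russian, Ukrainian, Belarusian or Georgian) using the documented layout of a Windows LANGID, in which the low 10 bits are the primary language and the high 6 bits the region-specific sub-language. The keyboard-layout branch of `would_abort` is an assumption about how such a check is typically extended; the article only mentions the default language setting. All host inputs are constructed sample values.

```python
# Model of a ransomware locale-exclusion check (added example, not DarkSide's code).
# A Windows LANGID is a 16-bit value: low 10 bits = primary language,
# high 6 bits = sub-language (regional variant). The primary-language
# constants below are the documented Windows values.
from typing import Iterable

LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22
LANG_BELARUSIAN = 0x23
LANG_GEORGIAN = 0x37

# Languages the article says the malware steps around.
EXCLUDED_PRIMARY_LANGS = {LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_GEORGIAN}


def primary_lang(langid: int) -> int:
    """Primary-language part of a LANGID (low 10 bits)."""
    return langid & 0x3FF


def sublang(langid: int) -> int:
    """Sub-language (regional) part of a LANGID (high 6 bits)."""
    return (langid >> 10) & 0x3F


def is_excluded_language(langid: int) -> bool:
    """True if this LANGID belongs to one of the excluded language families.

    Masking to the primary language means regional variants such as
    ru-MD (0x0819, Russian/Moldova) match just like ru-RU (0x0419).
    """
    return primary_lang(langid) in EXCLUDED_PRIMARY_LANGS


def keyboard_layout_langid(hkl: int) -> int:
    """A keyboard-layout handle (HKL) carries the input language in its low 16 bits."""
    return hkl & 0xFFFF


def would_abort(ui_langid: int, keyboard_layouts: Iterable[int] = ()) -> bool:
    """Decide whether the modelled check would skip this host.

    Aborts if the UI language is excluded, or (assumed extension, not stated
    in the article) if any installed keyboard layout is in an excluded language.
    """
    if is_excluded_language(ui_langid):
        return True
    return any(is_excluded_language(keyboard_layout_langid(h)) for h in keyboard_layouts)


if __name__ == "__main__":
    # Constructed sample hosts: (label, UI LANGID, installed keyboard-layout HKLs)
    hosts = [
        ("en-US, US keyboard only", 0x0409, [0x04090409]),
        ("en-US, US + Russian keyboards", 0x0409, [0x04090409, 0x04190419]),
        ("ru-MD (Russian, Moldova)", 0x0819, [0x04190419]),
        ("uk-UA", 0x0422, []),
        ("de-DE", 0x0407, [0x04070407]),
    ]
    for label, ui, layouts in hosts:
        verdict = "SKIP host" if would_abort(ui, layouts) else "proceed"
        print(f"{label:32s} primary=0x{primary_lang(ui):02x} sublang={sublang(ui)} -> {verdict}")
```

The model also shows why adding a Russian keyboard layout to an otherwise English machine flips the verdict in this simplified check; that is an inference about this class of malware in general, not a documented property of DarkSide, and not a control anyone should rely on in place of backups and network segmentation.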
“It appears this was an offshoot looking to set up for business,” said Jon DiMaggio, a former intelligence community analyst who is now Analyst1’s chief security strategist. “To gain access to REvil’s code, you would have to have it or steal it because it is not publicly available.”
DarkSide makes smaller ransom demands than the eight-figure amounts REvil is known for, anywhere between $200,000 and $2 million. According to Mr. DiMaggio, every ransom note contains a unique key, suggesting that DarkSide tailors its attacks to each victim.
“They are very selective compared to most ransomware groups,” he said.