The cyber extortion attempt that forced the shutdown of a vital U.S. pipeline was carried out by a criminal gang called DarkSide, which cultivates a Robin Hood image of stealing from corporations and giving a cut to charity.
The shutdown extended into day three, when the Biden government eased regulations on the transportation of petroleum products on highways to avoid disruptions to fuel supplies.
Experts said gasoline prices are unlikely to be affected if the pipeline returns to normal in the next few days, but that the incident – the worst cyberattack to date on critical US infrastructure – should serve as a wake-up call to companies about the security weaknesses they face.
The pipeline, operated by Georgia-based Colonial Pipeline, carries gasoline and other fuel from Texas to the northeast. According to the company, it supplies around 45 percent of the fuel consumed on the east coast.
It was hit by what Colonial called a ransomware attack, in which hackers typically block computer systems by encrypting data, crippling networks, and then demanding a large ransom to decrypt it.
On Sunday, Colonial Pipeline announced that some of its IT systems are being actively restored. It said it remains in contact with law enforcement and other U.S. agencies, including the Department of Energy, which leads the federal government’s response. The company didn’t say what was demanded or who made the demand.
However, two people who were close to the investigation and who spoke on condition of anonymity identified the perpetrator as DarkSide. It is one of the ransomware gangs that have “professionalized” a criminal industry that has cost the Western nations tens of billions in losses over the past three years.
DarkSide claims it does not attack hospitals, nursing homes, educational or government targets, and that it donates a portion of its proceeds to charity. It has been active since August and is known to avoid targeting organizations in former Soviet bloc nations, as is typical of the most powerful ransomware gangs.
Colonial did not say whether it paid a ransom or negotiated, and DarkSide did not announce the attack on its dark web site, nor did it respond to questions from an Associated Press reporter. Such a lack of confirmation usually indicates that a victim has either negotiated or paid.
On Sunday, Colonial Pipeline announced that a plan to restart the system was being developed. The main pipeline remains offline, but some smaller lines are now operational.
“We are in the process of restoring service to other side panels and will only bring our entire system back online if we believe it is safe and in full compliance with all federal regulations,” the company said in a statement.
US Commerce Secretary Gina Raimondo said Sunday that ransomware attacks “are what businesses need to worry about now,” that she will be working “very vigorously” with the Department of Homeland Security to address the issue, and that it has been designated a top priority for the administration.
“Unfortunately, such attacks are becoming more common,” she said on CBS’s Face the Nation program. “We need to work with companies to secure networks and defend ourselves against these attacks.”
She said US President Joe Biden had been informed of the attack.
“It’s an all-hands-on-deck effort right now,” said Raimondo. “And we’re working closely with the company, state and local authorities to make sure they get back to normal operations as quickly as possible and that there are no disruptions to supplies.”
The Department of Transportation issued a regional emergency declaration on Sunday easing hours-of-service rules for drivers hauling gasoline, diesel, jet fuel and other refined petroleum products in 17 states and the District of Columbia. This allows them to work additional or more flexible hours to make up for the fuel shortages associated with the pipeline outage.
One of the people close to the Colonial investigation said the attackers also stole data from the company, presumably for extortion purposes. Stolen data is sometimes more valuable to ransomware criminals than the leverage they gain by crippling a network, since some victims cannot afford to have sensitive information published online.
Security experts said the attack should be a warning to critical infrastructure operators – including electricity and water utilities, and energy and transportation companies – that failing to invest in upgrading their security exposes them to the risk of disaster.
Ed Amoroso, CEO of TAG Cyber, said Colonial was lucky that its attacker was at least allegedly motivated only by profit and not by geopolitics. Government-sponsored hackers seeking more serious destruction use the same attack methods as ransomware gangs.
[Photo caption: A large pipeline carrying fuels along the US east coast said it had to cease operations because it was the victim of a cyber attack. File: Mark Lennihan/AP Photo]
“For companies that are vulnerable to ransomware, this is a bad sign, as they are likely to be more vulnerable to more serious attacks,” he said. For example, Russian cyber warriors paralyzed the power grid in Ukraine in the winters of 2015 and 2016.
Cyber extortion attempts in the United States have become a phenomenon over the past year, delaying cancer treatment in hospitals, disrupting schooling, and paralyzing police and city governments.
Tulsa, Oklahoma, this week became the 32nd state or local government in the US to be attacked by ransomware, said Brett Callow, a threat analyst with cybersecurity firm Emsisoft.
The average ransom amount paid in the US nearly tripled in the past year to exceed $310,000. The average downtime for victims of ransomware attacks is 21 days, according to Coveware, which helps victims respond.
David Kennedy, Founder and Senior Security Advisor at TrustedSec, said that once a ransomware attack is discovered, companies have little time to decide whether to completely rebuild their infrastructure or pay the ransom.
“Ransomware is absolutely out of control and one of the greatest threats we face as a nation,” said Kennedy. “The problem we face is that most organizations are poorly prepared for these threats.”
Colonial transports gasoline, diesel, jet fuel and heating oil from refineries on the Gulf Coast via pipelines from Texas to New Jersey. The pipeline system stretches for more than 8,850 km and transports more than 380 million liters every day.
Debnil Chowdhury of research firm IHS Markit said gas prices could rise if the outage extends for one to three weeks.
“I wouldn’t be surprised if an outage of this magnitude resulted in gas prices rising 15 to 20 cents over the next week or two,” he said.
The Justice Department has a new task force dedicated to fighting ransomware attacks.
While the US has not yet suffered a serious destructive cyberattack on its critical infrastructure, officials say Russian hackers in particular have infiltrated some key sectors and are positioning themselves to cause damage should armed conflict break out. Although there is no evidence that the Kremlin benefits financially from ransomware, US officials believe President Vladimir Putin savors the havoc it wreaks on opponents’ economies.
Iranian hackers have also aggressively tried to gain access to utilities, factories, and oil and gas facilities. In one case, they broke into the control system of a US dam in 2013.