WASHINGTON — A Russian criminal group may be responsible for a ransomware attack that shut down a major U.S. fuel pipeline, two sources familiar with the matter said Sunday.
The group, known as DarkSide, is relatively new, but it has a sophisticated approach to extortion, sources said.
Commerce Secretary Gina Raimondo said Sunday that the White House was working to help Colonial Pipeline, the Georgia-based company that operates the pipeline, to restart its 5,500-mile network.
The system, which runs from Texas to New Jersey, transports 45 percent of the East Coast’s fuel supply. In a statement Sunday, the company said that some smaller lateral lines were operational but that the main lines remained down.
“We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations,” the company said.
Raimondo said on CBS’ “Face the Nation” that the effort to restart the network was “an all-hands-on-deck effort right now.”
“We are working closely with the company, state and local officials to make sure that they get back up to normal operations as quickly as possible and there aren’t disruptions in supply,” she said, adding: “Unfortunately, these sorts of attacks are becoming more frequent. They’re here to stay.”
A White House official said Sunday that the Energy Department is leading the government’s response. Agencies are planning for a number of scenarios in which the region’s fuel supply takes a hit, the official said.
On Saturday, Colonial Pipeline blamed the cyberattack on ransomware and said some of its information technology systems were affected. It said it “proactively” took “certain systems offline to contain the threat.”
The company has not said what was demanded or who made the demand.
Although Russian hackers often freelance for the Kremlin, early indications suggest that this was a criminal scheme — not an attack by a nation-state — the sources said.
But the fact that Colonial had to shut down the country’s largest gasoline pipeline underscores just how vulnerable the U.S. cyber infrastructure is to criminals and national adversaries, such as Russia, China and Iran, experts say.
“This could be the most impactful ransomware attack in history, a cyber disaster turning into a real-world catastrophe,” said Andrew Rubin, CEO and co-founder of Illumio, a cybersecurity company.
“It’s an absolute nightmare, and it’s a recurring nightmare,” he said. “Organizations continue to rely and invest entirely on detection, as if they can stop all breaches from happening. But this approach misses attacks over and over again. Before the next inevitable breach, the president and Congress need to take action on our broken security model.”
If the culprit turns out to be a Russian criminal group, it will underscore that Russia gives free rein to criminal hackers who target the West, said Dmitri Alperovitch, a co-founder of the cyber company CrowdStrike who is executive chairman of the Silverado Policy Accelerator, a think tank.
“Whether they work for the state or not is increasingly irrelevant, given Russia’s obvious policy of harboring and tolerating cybercrime,” he said.
According to a top Reuters cybersecurity reporter, DarkSide has its own website on the dark web that features an array of leaked data from victims who it claims failed to pay ransom. The site also claims that the group has made millions from cyber extortion.
Ransomware as a service
While DarkSide is not the largest such gang in this space, the incident highlights the increasing risk ransomware is posing to critical national industrial infrastructure, not just businesses.
It also marks the rise of an insidious criminal IT ecosystem worth tens of millions of pounds that is unlike anything the cyber-security industry has ever seen before.
In addition to a notice on their computer screens, victims of a DarkSide attack receive an information pack informing them that their computers and servers are encrypted.
The gang lists all the types of data it has stolen, and sends victims the URL of a “personal leak page” where the data is already loaded, waiting to be automatically published, should the company or organisation not pay before the deadline is up.
DarkSide also tells victims it will provide proof of the data it has obtained, and is prepared to delete all of it from the victim’s network.
According to Digital Shadows, a London-based cyber-security firm that tracks global cyber-criminal groups to help enterprises limit their exposure online, DarkSide operates like a business.
The gang develops the software used to encrypt and steal data, then trains up “affiliates”, who receive a toolkit containing the software, a template ransomware demand email, and training on how to carry out attacks.
The affiliate cyber-criminals then pay DarkSide a percentage of their earnings from any successful ransomware attacks.
And when it released new software in March that could encrypt data faster than before, the gang issued a press release and invited journalists to interview it.
The gang even has a website on the dark web where it brags about its work in detail, listing all the companies it has hacked and what was stolen, and an “ethics” page where it says which organisations it will not attack.