The attempted cyber extortion that has forced the closure of a vital U.S. oil pipeline was carried out by a criminal gang known as DarkSide, which cultivates a Robin Hood image of stealing from businesses and giving a cut to charity, two people close to the investigation said Sunday.
Meanwhile, the shutdown entered its third day, with the Biden administration loosening rules for transporting petroleum products by highway as part of an "all hands on deck" effort to avoid disruptions in the fuel supply.
Experts said gasoline prices are unlikely to be affected if the pipeline returns to normal in the coming days, but that the incident, the worst cyberattack to date on critical U.S. infrastructure, should serve as a wake-up call to companies about the vulnerabilities they face.
The pipeline, operated by Georgia-based Colonial Pipeline, carries gasoline and other fuels from Texas to the Northeast. It supplies about 45 percent of the fuel consumed on the East Coast, according to the company.
It was hit by what Colonial called a ransomware attack, in which hackers typically lock up computer systems by encrypting data, paralyzing networks, and then demand a large ransom to unlock them.
On Sunday, Colonial Pipeline said it was in the process of actively restoring some of its computer systems. It said it remains in contact with law enforcement and other U.S. agencies, including the Department of Energy, which is leading the federal government's response. The company did not say what was demanded or who did it.
However, two people close to the investigation, who spoke on condition of anonymity, identified the culprit as DarkSide. It is among the ransomware gangs that have “professionalized” a criminal industry that has cost Western nations tens of billions of dollars in losses over the past three years.
DarkSide says it does not attack hospitals, nursing homes, educational or government targets, and that it donates a portion of its proceeds to charity. It has been active since August and, as is typical of the most potent ransomware gangs, is known to avoid targeting organizations in former Soviet bloc nations.
Colonial did not say whether it had paid or was negotiating a ransom, and DarkSide neither announced the attack on its dark web site nor responded to questions from an Associated Press reporter. A lack of acknowledgment usually indicates that a victim is negotiating or has paid.
On Sunday, Colonial Pipeline said it was developing a "system restart" plan. It said its main pipeline remains offline, but some smaller lines are already operational.
"We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so and in full compliance with the approval of all federal regulations," the company said in a statement.
U.S. Secretary of Commerce Gina Raimondo said Sunday that ransomware attacks are "what businesses now have to worry about" and that she will work "very vigorously" with the Department of Homeland Security to address the issue, calling it a top priority for the administration.
"Unfortunately, these sorts of attacks are becoming more frequent," she said on CBS's Face the Nation. "We have to work in partnership with businesses to secure networks to defend ourselves against these attacks."
She said President Joe Biden had been briefed on the attack.
"It's an all-hands-on-deck effort right now," Raimondo said. "And we are working closely with the company, state and local officials to make sure they get back to normal operations as quickly as possible and there aren't disruptions in supply."
The Department of Transportation issued a regional emergency declaration Sunday relaxing hours-of-service regulations for drivers carrying gasoline, diesel, jet fuel and other refined petroleum products in 17 states and the District of Columbia. It allows them to work extra or more flexible hours to make up for any fuel shortage related to the pipeline shutdown.
One of the people close to the Colonial investigation said the attackers also stole data from the company, presumably for extortion purposes. Sometimes stolen data is more valuable to ransomware criminals than the leverage they gain by paralyzing a network, because some victims will pay to avoid seeing sensitive information dumped online.
Security experts said the attack should be a warning to critical infrastructure operators, including electric and water utilities and energy and transportation companies, that failing to invest in upgrading their security puts them at risk of catastrophe.
Ed Amoroso, CEO of TAG Cyber, said Colonial was lucky that its attacker was at least ostensibly motivated only by profit, not geopolitics. State-backed hackers bent on more serious destruction use the same intrusion methods as ransomware gangs.
“For companies vulnerable to ransomware, it’s a bad sign that they’re likely to be more vulnerable to more serious attacks,” he said. Russian cyber-warriors, for example, paralyzed the power grid in Ukraine during the winters of 2015 and 2016.
Cyber extortion attempts in the U.S. have become a death by a thousand cuts over the past year, with attacks forcing delays in cancer treatment at hospitals, disrupting schooling and paralyzing police and city governments.
This week, Tulsa (Oklahoma) became the 32nd U.S. state or local government to be attacked with ransomware, said Brett Callow, a threat analyst at cybersecurity firm Emsisoft.
The average ransom paid in the United States nearly tripled to more than $310,000 last year. According to Coveware, a firm that helps ransomware victims respond, the average downtime of victims of ransomware attacks is 21 days.
David Kennedy, founder and chief security consultant at TrustedSec, said that once a ransomware attack is discovered, companies have little recourse other than to completely rebuild their infrastructure or pay the ransom.
“Ransomware is absolutely out of control and is one of the biggest threats we face as a nation,” Kennedy said. “The problem we have is that most companies are not prepared to deal with these threats.”
Colonial transports gasoline, diesel, jet fuel and home heating oil from refineries on the Gulf Coast through pipelines running from Texas to New Jersey. Its pipeline system spans more than 8,850 km (5,500 miles), carrying more than 380 million liters (100 million gallons) a day.
Debnil Chowdhury, of research firm IHS Markit, said that if the shutdown lasts between one and three weeks, gas prices could start to rise.
"I wouldn't be surprised, if this ends up being an outage of that magnitude, if we see a 15- to 20-cent rise in gas prices over the next week or two," he said.
The Justice Department has a new working group dedicated to fighting ransomware attacks.
While the United States has not suffered any serious cyberattacks on its critical infrastructure, officials say Russian hackers in particular are known to have infiltrated some crucial sectors, positioning themselves to do damage if an armed conflict were to break out. While there is no evidence that the Kremlin benefits financially from ransomware, U.S. officials believe President Vladimir Putin relishes the chaos it causes in adversaries' economies.
Iranian hackers have also been aggressive in trying to gain access to utilities, factories and oil and gas facilities. In one case, in 2013, they broke into the control system of an American dam.