The Department of Justice (DOJ) managed to recover part of the ransom paid to the criminal hacking group suspected of being responsible for the attack on the Colonial Pipeline, which cut off a major fuel supply to the East Coast for about a week in May.
Deputy Attorney General Lisa O. Monaco announced on June 7 that the DOJ, through its new ransomware and digital extortion task force, was able to recover around 64 of the 75 bitcoins paid to the attackers by “following the money,” even though the payment was made in a cryptocurrency that is difficult to trace. Once it knew the address of the hackers’ wallet, the DOJ was able to obtain a court order to seize the funds it contained. The FBI apparently had the digital key needed to open the wallet. How it obtained that key has not been made public. The seizure is a rare example of a recovered ransomware payment.
The attack was attributed to DarkSide, a hacker group based in Eastern Europe. The pipeline, which supplies about half of the East Coast’s gasoline, was shut down for several days, causing panic gas buying, shortages and price spikes in some states. It appears to be the largest cyberattack ever on an American energy system, and yet another example of the cybersecurity vulnerabilities President Joe Biden has promised to fix.
The Colonial Pipeline Company reported on May 7 that it was the victim of a “cybersecurity attack” that “involves ransomware,” forcing the company to take certain systems offline and shut down the pipeline. The Georgia-based company said it operates the largest pipeline in the United States, carrying 2.5 million barrels per day of gasoline, diesel, heating oil and jet fuel along its 5,500-mile route from Texas to New Jersey.
The pipeline provides nearly half of the East Coast’s fuel supply, and an extended shutdown was expected to cause price increases and shortages across the industry. This was largely avoided when the pipeline came back online within the week, but price hikes and shortages still occurred, largely driven by panic rather than by supply. Five days after the hack was announced, the national average price of a gallon of regular gasoline had topped $3 for the first time since 2014 (although gas prices had already been rising before the pipeline shut down), with larger jumps in some states served by the pipeline, including Georgia, the Carolinas and Virginia. Georgia Governor Brian Kemp temporarily suspended the state gasoline tax to offset the price increases. Other states enforced their price-gouging laws.
“Fuel shortages are more likely to be the result of panic buying by consumers watching the headlines, as opposed to shortages directly caused by the attack,” Marty Edwards, former director of industrial control systems for CISA and vice president of operational technology security at Tenable, told Recode. “This is something we’ve seen with Covid and grocery stores selling household items. Either way, it shows the impact of cybersecurity on our daily life.”
“It is much easier to understand the impact of a cyber attack if it has a direct impact on your daily life,” he added.
The FBI confirmed that DarkSide was responsible for the attack. DarkSide does not appear to be tied to any nation state, saying in a statement that “our goal is to earn money [not to create] social problems” and that it is apolitical. DarkSide claimed it was shutting down following the pipeline attack.
According to cybersecurity firm Check Point, however, DarkSide provides its ransomware as a service to affiliates. “This means we know very little about the real threat actor behind the attack on Colonial, who may be one of DarkSide’s partners,” Lotem Finkelstein, threat intelligence manager at Check Point, told Recode. “What we do know is that removing large-scale operations like the Colonial Pipeline reveals a sophisticated and well-designed cyber attack.”
Colonial admitted on May 19 that it had indeed paid $4.4 million worth of bitcoin (which is now worth much less; even though the DOJ was able to recover 64 bitcoins, they are only worth $2.3 million now). CEO Joseph Blount told the Wall Street Journal that paying the ransom was a difficult decision, but one he considered “the right thing to do for our country.”
Blount added that it would cost Colonial significantly more – tens of millions of dollars – to completely restore its systems over the next few months.
Ransomware attacks typically use malware to lock companies out of their own systems until a ransom is paid. They have increased in recent years and cost billions of dollars in ransoms paid alone, not counting the payments that go unreported or the costs of keeping systems offline until the ransom is paid. Ransomware attacks have targeted everything from private companies to governments to hospitals and health systems. The latter are particularly attractive targets, given the urgency of restoring their systems as quickly as possible.
Energy systems and suppliers have also been targets of ransomware and other cyberattacks. The cybersecurity of America’s energy infrastructure has been of particular concern in recent years, with the Trump administration declaring a national emergency in May 2020 aimed at securing America’s bulk-power system, through an executive order that would ban the acquisition of equipment from countries that present an “unacceptable risk to national security or the safety and security of American citizens.”
Bloomberg reported, about a month after the attack, that the company was likely breached through a leaked password for an old account that had access to the virtual private network (VPN) used to reach the company’s servers remotely. The account apparently did not have multi-factor authentication, so the attackers needed only the username and password to gain access to the country’s largest pipeline.
The attack underscores two of the Biden administration’s stated priorities: improving America’s infrastructure and improving its cybersecurity. The large-scale Russian SolarWinds hack, disclosed in December 2020, was found to have affected several federal government systems. Biden said at the time that, as president, “my administration will make cybersecurity a top priority at all levels of government – and we will make dealing with this breach a top priority as soon as we take office. … I will not stand idly by in the face of cyber attacks against our nation.”
Biden also unveiled a $2 trillion infrastructure plan that includes $100 billion to modernize the power grid, which cybersecurity experts hoped would include improved cybersecurity measures. Biden also suspended Trump’s bulk-power system executive order in favor of rolling out his own plan.
Biden also signed an executive order intended to strengthen the federal government’s cybersecurity standards for the software and technology services it uses, which one senior administration official described as a fundamental shift in the federal government’s approach to cybersecurity incidents: away from ad hoc responses and toward preventing them from happening in the first place. The order had been in the works since shortly after Biden took office, the official said.
But these measures are more focused on preventing another SolarWinds-type attack. Federal officials told the New York Times they don’t think the order does enough to prevent a sophisticated attack, and it would not apply to a private company like Colonial. The pipeline attack could lead to stricter cybersecurity requirements for companies that play an important role in the lives of Americans. As it stands, it is often up to those companies to choose the security measures they use to protect critical systems.
“Ransomware is about extortion, and extortion is about pressure,” James Shank, chief architect for community services at cybersecurity firm Team Cymru, told Recode. “The impact on fuel delivery immediately catches people’s attention. … This underscores the need for a coordinated effort that links the capacities of the public and private sectors to protect our national interests.”
The pipeline was able to be put back into service before a major or prolonged disruption of the fuel supply chain, and customers’ wallets were not hit too hard. But the next attack (and many cybersecurity experts fear there will be a next one, or several) could be far worse if action is not taken at the highest level to prevent it.
“The closure of the Colonial Pipeline by cybercriminals highlights a huge problem – many companies that operate our critical infrastructure have left their systems vulnerable to hackers through dangerously negligent cybersecurity,” said Senator Ron Wyden (D-OR) in a press release. “Congress must take action to hold critical infrastructure companies accountable and force them to secure their IT systems.”