A cyberattack on a US pipeline is believed to be the work of a criminal group.
The cyberattack that shut down a major US fuel pipeline was carried out by a criminal gang notorious for extorting businesses and donating a portion of its ransom proceeds to charity.
Since Friday, the Colonial Pipeline, which transports more than 100 million gallons of fuel daily from Texas to the Northeast, has been out of operation.
Two sources familiar with the federal investigation into the attack told The Associated Press that the attack was carried out by the criminal organization known as DarkSide.
DarkSide hit Colonial with ransomware, malware that encrypts a victim's systems and then demands a large payment in exchange for the decryption key needed to reverse the damage.
Colonial announced Sunday that it is preparing a strategy for the pipeline’s “system restart.” The pipeline supplies approximately 45 percent of the East Coast’s fuel supply.
“We are currently restoring service to other laterals and will put our entire system back online only when we conclude it is safe and in accordance with all applicable federal regulations,” the company said in a statement.
Meanwhile, Commerce Secretary Gina Raimondo said Sunday that an “all-hands-on-deck” effort to get the pipeline running again is underway.
“We are coordinating closely with the business, state, and local authorities to ensure that normal operations resume as soon as possible and that supply chain disruptions do not occur,” Raimondo said.
DarkSide claims that it does not attack hospitals or nursing homes, educational institutions, or government targets, and that it donates a portion of its take to charity. It has been active since August and, like the most potent ransomware gangs, is known to avoid targeting organizations in former Soviet bloc countries.
Colonial declined to comment on whether it had paid or was negotiating a ransom, and DarkSide did not announce the attack on its dark web site or respond to questions from an Associated Press reporter. The absence of acknowledgement usually means that the victim is negotiating or has already paid.
The Department of Transportation announced that it would loosen hours-of-service rules for drivers hauling gasoline, diesel, jet fuel, and other refined petroleum products, allowing them to work additional or more flexible hours to compensate for any fuel shortages caused by the pipeline shutdown. The waiver applies to drivers transporting fuel in 17 states and the District of Columbia.
According to a source familiar with the Colonial investigation, the attackers also stole data from the company, presumably to use as additional leverage for extortion. Stolen data is sometimes more valuable to ransomware criminals than the leverage gained by crippling a network, because some victims are loath to see their sensitive information dumped online.
According to security experts, the attack should serve as a reminder to operators of critical infrastructure, such as electric and water utilities and energy and transportation companies, that failing to invest in updating their security puts them at risk of disaster.
According to Ed Amoroso, CEO of TAG Cyber, Colonial was fortunate that its attacker was ostensibly driven solely by profit, not geopolitics. State-sponsored hackers intent on greater devastation use the same intrusion techniques as ransomware gangs.
“For businesses that are susceptible to ransomware, this is a bad sign because it means they are more vulnerable to more serious attacks,” he said. For example, Russian cyberwarriors crippled Ukraine’s electrical grid in the winters of 2015 and 2016.
In the last year, cyberextortion attempts in the United States have become a death-by-a-thousand-cuts epidemic, with attacks causing delays in cancer care at hospitals, disrupting schools, and paralyzing police and city governments.
Tulsa, Oklahoma, became the 32nd state or local government in the United States this week to fall victim to ransomware, according to Brett Callow, a threat analyst with cybersecurity company Emsisoft.
In the United States, the average ransom paid nearly tripled to more than $310,000 last year. According to Coveware, a company that assists victims in responding to ransomware attacks, the average downtime for ransomware victims is 21 days.
According to David Kennedy, founder and senior principal security expert at TrustedSec, after a ransomware attack is detected, businesses are left with no choice but to restore their networks completely or pay the ransom.
“Ransomware has gotten completely out of hand and is one of the most serious challenges we face as a country,” Kennedy said. “The issue is that the majority of businesses are woefully unprepared to deal with these threats.”
Colonial transports gasoline, diesel, jet fuel, and home heating oil from Gulf Coast refineries to New Jersey. Its pipeline system stretches over 5,500 miles (8,850 kilometers) and carries more than 100 million gallons (380 million liters) of fuel daily.
According to Debnil Chowdhury of the research firm IHS Markit, gas prices could begin to rise if the outage lasts between one and three weeks.
“I wouldn’t be surprised if this turns out to be a major outage and we see a 15- to 20-cent increase in gas prices over the next week or two,” he said.
The Justice Department has established a new task force to combat ransomware attacks.
Although the US has not experienced any significant cyberattacks on its critical infrastructure, officials say Russian hackers in particular have penetrated several critical sectors, positioning themselves to cause havoc if armed conflict breaks out. Although there is no proof that the Kremlin profits financially from ransomware, US officials believe President Vladimir Putin relishes the havoc ransomware wreaks on adversaries’ economies.
Iranian hackers have also been particularly aggressive in their attempts to breach infrastructure, warehouses, and oil and gas facilities. In one instance in 2013, they gained access to a dam’s control system in the United States.