Cyberattack on pipeline linked to criminal gang
Incident a wake-up call about ‘ransomware’ risks firms face, experts warn
The cyberextortion attempt that forced the shutdown of a vital US pipeline was carried out by a criminal gang known as DarkSide that cultivated a Robin Hood image of stealing from corporations and giving a cut to charity, two people close to the investigation said.
The shutdown, meanwhile, stretched into its third day, with the administration of US President Joe Biden saying an “allhands-on-deck” effort was under way to restore operations and avoid disruptions in fuel supply.
Experts said fuel prices were unlikely to be affected if the pipeline was back to normal in the next few days but the incident – the worst cyberattack to date on critical US infrastructure – should serve as a wake-up call to companies about the vulnerabilities they faced.
The pipeline, operated by Georgia-based Colonial Pipeline, carries petrol and other fuel from
Texas to the northeast. It delivers roughly 45 per cent of fuel consumed on the east coast, according to the company.
It was hit by what Colonial called a ransomware attack, in which hackers typically lock up computer systems by encrypting data, paralysing networks, and then demand a large ransom to them. Colonial said it was actively in the process of restoring some of its IT systems.
It said it remained in contact with law enforcement and other federal agencies, including the Department of Energy, which was leading the federal government response.
The company has not said what was demanded or who made the demand.
However, two people close to the investigation, speaking on condition of anonymity, identified the culprit as DarkSide. It is among ransomware gangs that have “professionalised” a criminal industry that has cost Western nations tens of billions of dollars in losses in the past three years.
DarkSide claims that it does not attack hospitals and nursing homes, educational or government targets and that it donates a portion of its take to charity.
It has been active since August and, typical of the most potent ransomware gangs, is known to avoid targeting organisations in former Soviet bloc nations.
Colonial did not say whether it had paid or was negotiating a ransom, and DarkSide did not announce the attack on its dark website. The lack of acknowledgement usually indicates a victim is either negotiating or has paid.
On Sunday, Colonial said it was developing a “system restart” plan. It said its main pipeline remained offline but some smaller lines were now operational.
“We are in the process of reunscramble storing service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations,” the company said in a statement.
Commerce Secretary Gina Raimondo said ransomware attacks were “what businesses now have to worry about”, and that she would work “very vigorously” with the Department of Homeland Security to address the problem, calling it a top priority for the administration.
“Unfortunately, these sorts of attacks are becoming more frequent,” she said on CBS’ Face the Nation.
“We have to work in partnership with [businesses] to secure networks to defend ourselves against these attacks.”
She said Biden was briefed on the attack.
“It’s an all-hands-on-deck effort right now,” Raimondo said. “And we are working closely with the company, state and local officials to make sure that they get back up to normal operations as quickly as possible and there aren’t disruptions in supply.”