Cyberattack on pipeline linked to dark web gang
The cyberextortion attempt that has forced the shutdown of a vital U.S. pipeline was carried out by a criminal gang known as DarkSide that cultivates a Robin Hood image of stealing from corporations and giving a cut to charity, two people close to the investigation said Sunday.
The shutdown, meanwhile, stretched into its third day, with the Biden administration saying an “all-hands-on-deck” effort is underway to restore operations and avoid disruptions in the fuel supply.
Experts said that gasoline prices are unlikely to be affected if the pipeline is back to normal in the next few days but that the incident — the worst cyberattack to date on critical U.S. infrastructure — is as a wake-up call to companies about the vulnerabilities they face.
Operated by Georgiabased Colonial Pipeline, it carries gasoline and other fuel from Texas to the Northeast. It delivers roughly 45% of fuel consumed on the East Coast, according to the company.
It was hit by what Colonial called a ransomware attack, in which hackers typically lock up computer systems by encrypting data, paralyzing networks, and then demand a large ransom to unscramble it.
On Sunday, Colonial Pipeline said it was actively in the process of restoring some of its IT systems. It says it remains in contact with law enforcement and other federal agencies, including the Department of Energy, which is leading the federal government response. The company has not said what was demanded or who made the demand.
However, two people close to the investigation, speaking on condition of anonymity, identified the culprit as DarkSide. It is among ransomware gangs that have “professionalized“a criminal industry that has cost Western nations tens of billions of dollars in losses in the past three years.
DarkSide claims that it does not attack hospitals and nursing homes, educational or government targets and that it donates a portion of its take to charity. It has been active since August and, typical of the most potent ransomware gangs, is known to avoid targeting organizations in former Soviet bloc nations.
Colonial did not say whether it has paid or was negotiating a ransom, and DarkSide neither announced the attack on its dark web site nor responded to an Associated Press reporter’s queries.
Colonial Pipeline said Sunday it is developing a “system restart” plan. Its main pipeline remains offline but some smaller lines are now operational.
Commerce Secretary Gina Raimondo said Sunday ransomware attacks are “what businesses now have to worry about,” and that she will work “very vigorously” with the Department of Homeland Security to address teh situation.
“Unfortunately, these sorts of attacks are becoming more frequent,” she said on CBS’ “Face the Nation.” “We have to work in partnership with business to secure networks to defend ourselves against these attacks.”