FBI identifies group behind pipeline hack

President Biden said Monday that the United States would “disrupt and prosecute” a criminal gang of hackers called Darkside, which the FBI formally held responsible for a large ransomware attack that has disrupted the flow of nearly half of the gasoline and jet fuel supplies to the East Coast.

The FBI is clearly concerned that the ransomware effort could spread: it issued an emergency alert telling electric utilities, gas suppliers and other pipeline operators to look for the kind of code that shut down Colonial Pipeline, the private firm that controls the major pipeline carrying gasoline, diesel and jet fuel from the Texas Gulf Coast to New York Harbor.

The pipeline remained offline on Monday for a fourth day. Colonial shut it down as a pre-emptive measure to keep the malware, which had infected the company’s computer network, from spreading to the control systems that run the pipeline. So far the effect on gasoline and other energy supplies has been minimal, and Colonial said the pipeline is expected to be running again by the end of this week.

The attack prompted emergency meetings at the White House all weekend, as officials tried to understand whether the episode was purely a criminal act, intended to shut down Colonial’s computer network until it paid a large ransom, or the work of Russia or another state acting through the criminal group.

So far, intelligence officials said, all indications were that it was simply an act of extortion by the group, which first began deploying such ransomware last August and is believed to operate from Eastern Europe, possibly Russia. There was also some evidence in the group’s own statements on Monday suggesting that it intended only to extract money from the company and was surprised to find that it had ended up cutting off the main supplier of gasoline and jet fuel for the Eastern Seaboard.

The attack exposed a significant vulnerability in a critical energy artery of the United States at a time when hackers have become bolder in taking over critical infrastructure such as electric grids, pipelines, hospitals and water treatment facilities. The city governments of Atlanta and New Orleans and, in recent weeks, the Washington, DC, Police Department have also been hit.

The explosion of ransomware cases has been fueled by the rise of cyberinsurance, which has made many companies and governments ripe targets for criminal gangs that believe their victims will pay, and of cryptocurrencies, which make extortion payments harder to trace.

In this case, the ransomware was not directed at the pipeline’s control systems, federal officials and private investigators said, but at Colonial Pipeline’s back-office operations. Still, fear of further damage forced the company to shut down the system, a move that exposed huge vulnerabilities in the patched-together network that keeps gas stations, truck stops and airports supplied.

An initial investigation showed poor security practices at Colonial Pipeline, according to federal and private officials familiar with the investigation. Breaking into and locking up the company’s systems, they said, was most likely fairly easy.

Colonial Pipeline has not answered questions about how much it invested in the security of its network, and declined to say whether it was paying the ransom. The company also appeared reluctant to turn to federal authorities for help.

“Right now, they have not asked the federal government for cyber assistance,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology, told reporters at a briefing at the White House. She declined to say whether the federal government would recommend paying the ransom, noting that “companies are often in a difficult situation if their data is encrypted and they don’t have backups and cannot recover the data.”

Although Ms. Neuberger did not say so, that appears to be essentially what happened to Colonial.

Mr. Biden, who is expected to announce an executive order in the coming days to strengthen U.S. cyberdefenses, said there was no evidence that the Russian government was behind the attack. But he said he planned to meet soon with President Vladimir V. Putin of Russia, with the two men expected to hold their first summit next month, and suggested that Moscow bore some responsibility, since Darkside’s roots appear to be in Russia, a hub for cybercriminals.

“There are governments that turn a blind eye to or positively encourage these groups, and Russia is one of those countries,” said Christopher Painter, a former top cyberdiplomat in the United States. “Pressure on safe havens for these criminals should be a part of any solution.”

Colonial’s pipelines feed large storage tanks up and down the East Coast, and supplies had been ample as traffic fell during the pandemic. Colonial issued a statement on Monday saying its goal was to “substantially” restore service by the end of the week, but the company cautioned that the process would take time.

Elizabeth Sherwood-Randall, Mr. Biden’s homeland security adviser and a former deputy secretary of energy in the Obama administration, said the Department of Energy was leading the federal response and had convened partners from oil and natural gas and power sector utilities to discuss the ransomware attack and recommend measures to reduce further incidents in the industry. She said the federal government had relaxed regulations for drivers who transport gasoline and jet fuel in an effort to reduce the impact.

“Right now, there is no shortage of supplies,” she said. “We are preparing for a number of possible contingencies.” But she said that the task of restoring the pipeline was Colonial’s.

For many officials who have struggled for years to protect the critical infrastructure of the United States from cyberattack, the only surprise about the events of the last few days is that it took so long for them to happen. When Leon E. Panetta was secretary of defense under President Barack Obama, he warned of a “cyber Pearl Harbor” that could shut down electricity and fuel, a phrase that has since often been used in Congress or by corporations to justify spending more on cybersecurity.

During the Trump administration, the Department of Homeland Security issued warnings about Russian malware in the U.S. power grid, and the United States made a not-so-secret effort to place malware in the Russian grid as a reminder.

But while many simulations run by government agencies and electric utilities modeled what a strike against the U.S. energy sector would look like, the effort was usually envisioned as some kind of terrorist strike, a mixture of cyber and physical attacks, or as preparation for an attack by Iran, China or Russia in the opening moments of a major military conflict.

This case was different: a criminal actor trying to extort money from a company ended up bringing the system down. A senior Biden administration official called it the “ultimate blended threat,” because it was a criminal act, of the kind the United States usually answers with arrests or indictments, that resulted in a major threat to the nation’s energy supply chain.

By threatening to “disrupt” the ransomware group, Mr. Biden appeared to be signaling that the administration was moving to take action against such groups. That is what United States Cyber Command did before the presidential election last November, when its military hackers broke into the systems of another ransomware group, called TrickBot, and manipulated its command-and-control servers so that it could not lock up new victims with ransomware. The fear at the time was that the ransomware group could sell its skills to governments, including Russia, that were seeking to interfere with the election.

On Monday, Darkside insisted that it was not operating on behalf of a nation-state, perhaps in an attempt to distance itself from Russia.

A statement posted on its website said, “We are apolitical, we do not participate in geopolitics, and there is no need to tie us to a defined government or look for other motives.” It added, “Our goal is to make money and not to create problems for society.”

The group seemed somewhat surprised that its actions had led to the shutdown of a major pipeline, and suggested that it would try to avoid such targets in the future.

“From today we begin moderation and check each company that our partners want to encrypt, to avoid social consequences in the future,” the group stated.

Darkside is a relative newcomer to the ransomware scene, described by Ms. Neuberger as “a criminal actor” that hires out its services to the highest bidder and then shares “revenue with ransomware developers.” It is essentially a business model in which some of the profits are channeled into research and development of more effective forms of ransomware.

The group often portrays itself as a digital Robin Hood, stealing from companies and giving to others. Darkside says it avoids hacking hospitals, funeral homes and nonprofits, and instead targets large corporations, sometimes donating a share of its proceeds to charity. Most charities have turned down its offers of gifts.

One clue to Darkside’s origins lies in its code. Private researchers note that Darkside’s ransomware checks a victim computer’s default language setting, and if it is Russian, the group moves on to other victims. It also appears to avoid victims whose systems are set to Ukrainian, Georgian or Belarusian.

Its code bears similarities to that used by REvil, a ransomware group that was the first to offer ransomware as a service, essentially hackers for hire who hold systems hostage with ransomware.

“It appears that it was an affiliate that wanted to go into business for itself,” said John DiMaggio, a former intelligence community analyst who is now chief security strategist at Analyst1. “To access REvil’s code, you’d have to buy it or steal it, because it’s not publicly available.”

Darkside asks for smaller ransoms than the eight-figure amounts REvil is known for: anywhere from $200,000 to $2 million. It puts a unique key in each ransom note, Mr. DiMaggio said, which suggests that Darkside tailors its attacks to each victim.

“They are very selective compared to most ransomware groups,” he said.
