F.B.I. Identifies Group Behind Pipeline Hack

The attack by DarkSide, a relatively new criminal group believed to have roots in Eastern Europe, exposed the remarkable vulnerability of key American infrastructure.



By David E. Sanger and Nicole Perlroth

President Biden said on Monday that the United States would “disrupt and prosecute” a criminal gang of hackers called DarkSide, which the F.B.I. formally blamed for a huge ransomware attack that has disrupted the flow of nearly half of the gasoline and jet fuel supplies to the East Coast.

The F.B.I., clearly concerned that the ransomware effort could spread, issued an emergency alert to electric utilities, gas suppliers and other pipeline operators to be on the lookout for code like the kind that locked up Colonial Pipelines, a private firm that controls the major pipeline carrying gasoline, diesel and jet fuel from the Texas Gulf Coast to New York Harbor.

The pipeline remained offline for a fourth day on Monday as a pre-emptive measure to keep the malware that infected the company’s computer networks from spreading to the control systems that run the pipeline. So far, the effects on gasoline and other energy supplies seem minimal, and Colonial said it hoped to have the pipeline running again by the end of this week.

The attack prompted emergency meetings at the White House all through the weekend, as officials tried to understand whether the episode was purely a criminal act — intended to lock up Colonial’s computer networks unless it paid a large ransom — or was the work of Russia or another state that was using the criminal group covertly.

So far, intelligence officials said, all of the indications are that it was simply an act of extortion by the group, which first began to deploy such ransomware last August and is believed to operate from Eastern Europe, possibly Russia. There was some evidence, even in the group’s own statements on Monday, that suggested the group had intended simply to extort money from the company, and was surprised that it ended up cutting off the main gasoline and jet fuel supplies for the Eastern Seaboard.

The attack exposed the remarkable vulnerability of a key conduit for energy in the United States as hackers become more brazen in taking on critical infrastructure, like electric grids, pipelines, hospitals and water treatment facilities. The city governments of Atlanta and New Orleans, and, in recent weeks, the Washington, D.C., Police Department, have also been hit.

The explosion of ransomware cases has been fueled by the rise of cyberinsurance — which has made many companies and governments ripe targets for criminal gangs that believe their targets will pay — and of cryptocurrencies, which make extortion payments harder to trace.

In this case, the ransomware was not directed at the control systems of the pipeline, federal officials and private investigators said, but rather the back-office operations of Colonial Pipeline. Nonetheless, the fear of greater damage forced the company to shut down the system, a move that drove home the huge vulnerabilities in the patched-together network that keeps gas stations, truck stops and airports running.

A preliminary investigation showed poor security practices at Colonial Pipeline, according to federal and private officials familiar with the inquiry. The lapses, they said, most likely made the act of breaking into and locking up the company’s systems fairly easy.

Colonial Pipeline has not answered questions about what kind of investment it had made in protecting its networks, and refused to say whether it was paying the ransom. And the company appeared reluctant to let federal officials bolster its defenses.

Source: Read Full Article