Biden Admin Assembles Pipeline Breach Task Force
(Bloomberg) -- The investigation into a major cyber-attack on the biggest U.S. pipeline continued on Sunday as the White House pulled together an inter-agency task force to tackle the problem.
The task force has been working through the weekend to address the breach, including exploring options for lessening its impact on the energy supply, according to a White House official.
The victim, Colonial Pipeline, halted all operations on its systems when it was hit with ransomware late Friday and is working to restore operations as investigators assess the damage.
Meanwhile, new details emerged about the probable culprit behind the attack, a relatively new ransomware group known as DarkSide. The group posted a message on its dark web page suggesting an affiliate was behind the attack and that it would vet customers in the future to “avoid social consequences.”
“We are apolitical. We do not participate in geopolitics,” the message says. “Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Some ransomware groups, including DarkSide, sell versions of the malware with instructions and customer service, in what is known as “ransomware as a service.”
While the inquiry remains in its early stages, some evidence has emerged linking DarkSide to Russia or elsewhere in Eastern Europe.
The attackers are known by cybersecurity experts as a “Russian-speaking group that popped up last summer,” according to Dmitri Alperovitch, the chairman of Silverado Policy Accelerator and former chief technology officer of the cybersecurity firm Crowdstrike Holdings Inc.
“Like many Russian cyber crime operations they specifically exclude Russian companies from being targeted by their malware,” he added in a statement.
Rob Lee, chief executive officer of the industrial security firm Dragos Inc., said his teams have responded to a few incidents involving DarkSide ransomware in recent months, including a U.S. power company that he declined to name. In those cases -- which involve companies smaller than Colonial Pipeline -- DarkSide ransoms were typically in the single-digit millions of dollars, Lee said.
Dragos investigators didn’t pinpoint the group’s location. But Lee said that IP and email addresses found in the investigations were based in Russia. In addition, he said, DarkSide doesn’t typically work on systems operating in Russian and other Eastern European languages.
The hackers stole almost 100 gigabytes of data from Colonial Pipeline’s networks in just two hours on Thursday, before locking its computers with ransomware and demanding payment, according to two people familiar with the investigation.
DarkSide has been identified as the suspected hacking group by two people familiar with the investigation and by Allen Liska, a senior threat analyst at the cybersecurity firm Recorded Future. The group first surfaced in August 2020, according to a blog post by the cybersecurity firm Cybereason.
On Sunday, Colonial Pipeline said it was still developing a plan for restarting the pipeline, which is critical for supplies along the East Coast.
The Transportation Security Administration, which is responsible for working to enhance pipeline security, said in a statement it has been in contact with Colonial Pipeline.
Senator Angus King, independent from Maine, and Representative Mike Gallagher, Republican from Wisconsin, who are co-chairs of the CyberSpace Solarium Commission, said in a statement the Colonial Pipeline attack underscores the need for more robust cybersecurity measures.
“We are disappointed, though unsurprised, to learn of the cyber-attack that shut down 5,500 miles of pipeline,” they said. “This interruption of the distribution of refined gasoline and jet fuel underscores the vulnerability of our national critical infrastructure in cyberspace and the need for effective cybersecurity defenses.”
--With assistance from Jennifer Jacobs and Alan Levin.
© 2021 Bloomberg L.P.
WHAT DO YOU THINK?
Generated by readers, the comments included herein do not reflect the views and opinions of Rigzone. All comments are subject to editorial review. Off-topic, inappropriate or insulting comments will be removed.