Ransomware attack on Colonial Pipeline is work of criminal gang called DarkSide, AP says


CBS News 10 May, 2021 - 06:32am

What is a cyber attack on a pipeline?

Ransomware attacks are typically carried out by criminal hackers who scramble data, paralyzing victim networks, and demand a large payment to decrypt it. ... Colonial Pipeline did not say what was demanded or who made the demand. (Source: NBC News, "Cyberattack on U.S. pipeline is linked to criminal gang")

Where is the Colonial Pipeline?

The Colonial Pipeline originates in Houston and terminates at the Port of New York and New Jersey. It traverses the southeastern states of Louisiana, Mississippi, Alabama, Georgia, South Carolina, North Carolina, and Virginia, and continues north through Maryland, Delaware, Pennsylvania, and New Jersey. (Source: Forbes, "The Colonial Pipeline Attack Is A Major National Security Incident")

Why is the pipeline shut down?

The pipeline shutdown comes amid growing concerns over vulnerabilities in the country's infrastructure after several recent cyberattacks, including last year's attack on the software company SolarWinds that hit several U.S. government agencies, including the Pentagon, the Treasury Department, the State Department and ... (Source: NPR, "An Extended Pipeline Shutdown Could Impact Gas Prices In Southeast U.S.")

The shutdown, meanwhile, stretched into its third day, with the Biden administration loosening regulations on the transport of petroleum products on highways as part of an "all-hands-on-deck" effort to avoid disruptions in the fuel supply.

Experts said gasoline prices are unlikely to be affected if the pipeline is back to normal in the next few days but that the incident - the worst cyberattack to date on critical U.S. infrastructure - should serve as a wake-up call to companies about the vulnerabilities they face.

The pipeline, operated by Georgia-based Colonial Pipeline, carries gasoline and other fuel from Texas to the Northeast. It delivers roughly 45% of fuel consumed on the East Coast, according to the company.

It was hit by what Colonial called a ransomware attack, in which hackers typically lock up computer systems by encrypting data and paralyzing networks, then demand a large ransom to unscramble it.

On Sunday, Colonial Pipeline said it was actively in the process of restoring some of its IT systems. It says it remains in contact with law enforcement and other federal agencies, including the Department of Energy, which is leading the federal government response. The company hasn't said what was demanded or who made the demand.

However, two people close to the investigation, speaking on condition of anonymity, identified the culprit as DarkSide. It is among ransomware gangs that have "professionalized" a criminal industry that has cost Western nations tens of billions of dollars in losses in the past three years.

DarkSide claims it doesn't attack hospitals and nursing homes, educational or government targets and that it donates a portion of its take to charity. It's been active since August and, typical of the most potent ransomware gangs, is known to avoid targeting organizations in former Soviet bloc nations.

Colonial didn't say whether it has paid or was negotiating a ransom, and DarkSide neither announced the attack on its dark web site nor responded to an Associated Press reporter's queries. The lack of acknowledgment usually indicates a victim is either negotiating or has paid.

On Sunday, Colonial Pipeline said it is developing a "system restart" plan. It said its main pipeline remains offline but some smaller lines are now operational.

"We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations," the company said in a statement.

Commerce Secretary Gina Raimondo said Sunday that ransomware attacks are "what businesses now have to worry about" and that she will work "very vigorously" with the Department of Homeland Security to address the problem, calling it a top priority for the administration.

"Unfortunately, these sorts of attacks are becoming more frequent," she said on the CBS News broadcast "Face the Nation." "We have to work in partnership with business to secure networks to defend ourselves against these attacks."

She said President Joe Biden was briefed on the attack.

"It's an all-hands-on-deck effort right now," Raimondo said, "and we are working closely with the company, state and local officials to make sure that they get back up to normal operations as quickly as possible and there aren't disruptions in supply."

The Department of Transportation issued a regional emergency declaration Sunday, relaxing hours-of-service regulations for drivers carrying gasoline, diesel, jet fuel and other refined petroleum products in 17 states and the District of Columbia. It lets them work extra or more flexible hours to make up for any fuel shortage related to the pipeline outage.

One of the people close to the Colonial investigation said the attackers also stole data from the company, presumably for extortion purposes. Sometimes stolen data is more valuable to ransomware criminals than the leverage they gain by crippling a network because some victims are loath to see sensitive information of theirs dumped online.

Security experts said the attack should be a warning for operators of critical infrastructure - including electrical and water utilities and energy and transportation companies - that not investing in updating their security puts them at risk of catastrophe.

Ed Amoroso, CEO of TAG Cyber, said Colonial was lucky its attacker was at least ostensibly motivated only by profit, not geopolitics. State-backed hackers bent on more serious destruction use the same intrusion methods as ransomware gangs.

"For companies vulnerable to ransomware, it's a bad sign because they are probably more vulnerable to more serious attacks," he said. Russian cyberwarriors, for example, crippled the electrical grid in Ukraine during the winters of 2015 and 2016.

Cyberextortion attempts in the U.S. have become a death-by-a-thousand-cuts phenomenon in the past year, with attacks forcing delays in cancer treatment at hospitals, interrupting schooling and paralyzing police and city governments.

Tulsa, Oklahoma, this week became the 32nd state or local government in the U.S. to come under ransomware attack, said Brett Callow, a threat analyst with the cybersecurity firm Emsisoft.

Average ransoms paid in the U.S. jumped nearly threefold to more than $310,000 last year. The average downtime for victims of ransomware attacks is 21 days, according to the firm Coveware, which helps victims respond.

David Kennedy, founder and senior principal security consultant at TrustedSec, said that once a ransomware attack is discovered, companies have little recourse but to completely rebuild their infrastructure, or pay the ransom.

"Ransomware is absolutely out of control and one of the biggest threats we face as a nation," Kennedy said. "The problem we face is most companies are grossly underprepared to face these threats."

Colonial transports gasoline, diesel, jet fuel and home heating oil from refineries on the Gulf Coast through pipelines running from Texas to New Jersey. Its pipeline system spans more than 5,500 miles, transporting more than 100 million gallons (380 million liters) a day.

Debnil Chowdhury at the research firm IHS Markit said that if the outage stretches to one to three weeks, gas prices could begin to rise.

"I wouldn't be surprised, if this ends up being an outage of that magnitude, if we see a 15- to 20-cent rise in gas prices over the next week or two," he said.

The Justice Department has a new task force dedicated to countering ransomware attacks.

While the U.S. hasn't suffered any serious cyberattacks on its critical infrastructure, officials say Russian hackers in particular are known to have infiltrated some crucial sectors, positioning themselves to do damage if armed conflict were to break out. While there is no evidence the Kremlin benefits financially from ransomware, U.S. officials believe President Vladimir Putin savors the mayhem it wreaks in adversaries' economies.

Iranian hackers have also been aggressive in trying to gain access to utilities, factories and oil and gas facilities. In one case in 2013, they broke into the control system of a U.S. dam.


Ransom group linked to Colonial Pipeline hack is new but experienced

Reuters 10 May, 2021 - 08:25am

The ransomware group linked to the extortion attempt that has snared fuel deliveries across the U.S. East Coast may be new, but that doesn't mean its hackers are amateurs.

Who precisely is behind the disruptive intrusion into Colonial Pipeline hasn't been made officially known and digital attribution can be tricky, especially early on in an investigation. A former U.S. official and two industry sources have told Reuters that the group DarkSide is among the suspects.

Cybersecurity experts who have tracked DarkSide said it appears to be composed of veteran cybercriminals who are focused on squeezing out as much money as they can from their targets.

"They're very new but they're very organized," Lior Div, the chief executive of Boston-based security firm Cybereason, said on Sunday.

"It looks like someone who's been there, done that."

DarkSide is one of a number of increasingly professionalized groups of digital extortionists, with a mailing list, a press center, a victim hotline and even a supposed code of conduct intended to spin the group as reliable, if ruthless, business partners.

Experts like Div said DarkSide was likely composed of ransomware veterans and that it came out of nowhere in the middle of last year and immediately unleashed a digital crimewave.

"It's as if someone turned on the switch," said Div, who noted that more than 10 of his company's customers have fought off break-in attempts from the group in the past few months.

Ransom software works by encrypting victims' data; typically hackers will offer the victim a key in return for cryptocurrency payments that can run into the hundreds of thousands or even millions of dollars. If the victim resists, hackers are increasingly threatening to leak confidential data in a bid to pile on the pressure.

DarkSide's site on the dark web hints at their hackers' past crimes, claims they previously made millions from extortion and that just because their software was new "that does not mean that we have no experience and we came from nowhere."

The site also features a Hall of Shame-style gallery of leaked data from victims who haven't paid up, advertising stolen documents from more than 80 companies across the United States and Europe.

Reuters was not immediately able to verify the group's various claims but one of the more recent victims featured on its list was Georgia-based rugmaker Dixie Group Inc (DXYN.O) which publicly disclosed a digital shakedown attempt affecting "portions of its information technology systems" last month.

A Dixie executive did not immediately return a message seeking further comment.

In some ways DarkSide is hard to distinguish from the increasingly crowded field of internet extortionists. Like many others it seems to spare Russian, Kazakh and Ukrainian-speaking companies, suggesting a link to the former Soviet republics.

It also has a public relations program, as others do, inviting journalists to check out its haul of leaked data and claiming to make anonymous donations to charity. Even its tech savvy is nothing special, according to Georgia Tech computer science student Chuong Dong, who published an analysis of its programming.

According to Dong, DarkSide's code was "pretty standard ransomware."

Div said that what does set them apart is the intelligence work they carry out against their targets beforehand.

Typically "they know who is the manager, they know who they're speaking with, they know where the money is, they know who is the decision maker," said Div.

In that respect, Div said that the targeting of Colonial Pipeline, with its potentially massive knock-on consequences for Americans up and down the Eastern seaboard, may have been a miscalculation.

"It's not good for business for them when the U.S. government becomes involved, when the FBI becomes involved," he said. "It's the last thing they need."

As for DarkSide, which usually isn't shy about putting out press releases and promises registered journalists "fast replies within 24 hours," the group has stayed uncharacteristically silent.

The reason is not clear. Requests for comment Reuters left via its main site and their media center have gone unanswered.


Colonial Is Just the Latest Energy Asset Hit by Cyber-Attack

Bloomberg Quicktake: Now 10 May, 2021 - 08:25am

Ransomware attacks on the rise as workers remote in

CBS 8 San Diego 10 May, 2021 - 08:25am
