23 May 2021

Biden official warns cyberattacks on US are 'here to stay' after 'Russian ransomware gangsters DarkSide' shut down America's largest fuel pipeline: Emergency declaration is issued in 18 states amid price hike fears

By LAUREN FRUEN and ANDREW COURT 

An emergency declaration has been issued for 18 states to keep fuel supply lines open after a cyberattack knocked out America's largest gasoline pipeline.

The Friday night hack of Colonial Pipeline, which carries gasoline, diesel and jet fuel 5,500 miles to the East Coast, is believed to be the largest successful assault on US energy infrastructure in history.

Colonial Pipeline said it was forced to shut down all pipeline operations as a precaution after it became the victim of a ransomware cyberattack - a technique where the victim's computer systems are hacked and then payment is demanded to unlock them.

DarkSide, a Russian hacking outfit, is believed to be behind the attack, according to government sources. Colonial has not said whether it has paid or is negotiating a ransom.

The US government and Colonial are still working to secure the network as the shutdown to halt the ransomware cyberattack entered its fourth day on Monday.

It comes as Commerce Secretary Gina Raimondo warned that technological attacks such as these were 'here to stay.'

'This is what businesses now have to worry about,' she said. 'Unfortunately, these sorts of attacks are becoming more frequent... and we have to work in partnership with business to secure networks to defend ourselves.'

The Department of Transportation issued a regional emergency declaration on Sunday that relaxes hours-of-service regulations for drivers carrying gasoline, diesel, jet fuel and other refined petroleum products in 17 states and the District of Columbia.

It lets them work extra or more flexible hours to make up for any fuel shortage related to the pipeline outage.

The states are: Alabama, Arkansas, DC, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia.

Commerce Secretary Gina Raimondo had earlier warned Sunday: 'This is what businesses now have to worry about. Unfortunately, these sorts of attacks are becoming more frequent'

The Colonial Pipeline runs from Texas to New Jersey and carries 100 million gallons of fuel daily

DarkSide: The Russian hacking outfit linked to Colonial Pipeline that styles itself as a Robin Hood

The cyberextortion attempt that has forced the shutdown of a vital US pipeline was carried out by a Russian criminal gang known as DarkSide, sources say.

DarkSide cultivates a Robin Hood image of stealing from corporations and giving a cut to charity. The group, which first emerged in August 2020, is relatively new but very organized, experts say.

Cybersecurity experts who have tracked DarkSide said it appears to be composed of veteran cybercriminals who are focused on squeezing out as much money as they can from their targets.

'They're very new but they're very organized,' Lior Div, the chief executive of Boston-based security firm Cybereason, said. 'It looks like someone who's been there, done that.'

DarkSide is one of a number of increasingly professionalized groups of digital extortionists, with a mailing list, a press center and a victim hotline to help facilitate ransom payments.

Experts say DarkSide was likely composed of ransomware veterans and that it came out of nowhere in the middle of last year and immediately unleashed a digital crimewave.

'It's as if someone turned on the switch,' said Div, who noted that more than 10 of his company's customers have fought off break-in attempts from the group in the past few months.

According to data security firm Arete, DarkSide finds vulnerabilities in a network, gains access to administrator accounts and then harvests data from the victim's server and encrypts it.

The software leaves a ransom note text file with demands.

Ransoms average more than $6.5 million and the attacks lead to an average of five days of downtime for the business.

Ransomware works by encrypting victims' data; the hackers will then typically offer the victim a decryption key in return for cryptocurrency payments that can run into the hundreds of thousands or even millions of dollars.

If the victim resists, hackers threaten to leak confidential data in a bid to pile on the pressure.

DarkSide's site on the dark web hints at their hackers' past crimes with claims they previously made millions from extortion and that just because their software was new 'that does not mean that we have no experience and we came from nowhere'.

The site also features a Hall of Shame-style gallery of leaked data from victims who haven't paid up. It advertises stolen documents from more than 80 companies across the US and Europe.

One of the more recent victims featured on its list was Georgia-based rugmaker Dixie Group Inc, which publicly disclosed a digital shakedown attempt affecting 'portions of its information technology systems' last month.

They are believed to be based out of Russia. Like many others, DarkSide seems to spare Russian-, Kazakh- and Ukrainian-speaking companies, suggesting a link to the former Soviet republics.

In Russia, hackers are essentially allowed to act without penalty. Cyber experts say Russia gives free rein to hackers who target Western countries.

DarkSide has previously targeted Enterprise rental cars, Canadian real estate firm Brookfield Residential and an Office Depot subsidiary.

They have publicly stated that they prefer not to attack hospitals, schools, non-profits and governments. They instead go after big organizations that can afford to pay large ransoms, and donate a portion of their take to charity.

Colonial said earlier Sunday that it had opened some smaller delivery lines, but the main system was not yet back up and running.

'While our mainlines remain offline, some smaller lateral lines between terminals and delivery points are now operational,' Colonial said in a statement, adding it would 'bring our full system back online only when we believe it is safe to do so.'

'We have remained in contact with law enforcement and other federal agencies, including the Department of Energy who is leading the Federal Government response,' it added.

'Maintaining the operational security of our pipeline, in addition to safely bringing our systems back online, remain our highest priorities.'

Bloomberg News, citing people familiar with the matter, said hackers took nearly 100 gigabytes of data out of Colonial's network on Thursday, a day ahead of the pipeline shutdown, before demanding a ransom.

Experts said that the incident should serve as a wake-up call to companies about the vulnerabilities they face. Sen. Bill Cassidy said: 'The implications for this, on our national security, cannot be overstated.'

A prolonged shutdown of the line, described as the 'jugular of infrastructure' by one analyst, would cause prices to spike at gasoline pumps ahead of peak summer driving season, a potential blow to U.S. consumers and the economy.

The hackers are likely a professional cybercriminal group, and a group dubbed 'DarkSide' was among the potential suspects, two U.S. government officials told Reuters.

DarkSide is known for deploying ransomware and extorting victims - while avoiding targets in post-Soviet states. It is believed to be based in Russia.

DarkSide first emerged in August 2020, and has used its ransomware on companies including CompuCom, an Office Depot subsidiary, as well as a Canadian division of rental car company Enterprise.


There are now fears of a major spike in gas, oil and diesel prices after the 'jugular' of the U.S. fuel pipeline system was forced to suspend operations.

The Colonial Pipeline is responsible for transporting more than 100 million gallons of fuel - 2.5 million barrels - daily through pipelines laid out between Texas and New Jersey.

It also serves some of the largest U.S. airports, including Atlanta's Hartsfield Jackson Airport, the world's busiest by passenger traffic.

One energy expert told Politico it is 'the most significant and successful attack on energy infrastructure we know of in the United States.'

The Georgia-based company has hired an outside cybersecurity firm to investigate the nature and scope of the attack and federal agencies have been called in to assist.

Other experts predict that a prolonged shutdown could cause a surge in the price of gas, oil and diesel - particularly across the eastern half of the country.

One told Newsweek that motorists should expect a price surge at the pump if the outage lasts five or more days, which would result in a shortage.

However, another energy analyst is pleading for calm at the present moment.

'The challenges brought on by the Colonial Pipeline shutdown would likely not appear for several days or longer,' Patrick De Haan told the publication.

'My guess is they'll be able to restart the pipeline before any major issues develop.'

The price of diesel, gas and oil previously spiked in 2017, following a temporary shutdown of the Colonial Pipeline caused by a leak.

Colonial Pipeline is responsible for the largest spill in North Carolina's history and one of the largest in the country's history, when 1.2 million gallons flowed out in Huntersville in August 2020.

The spill was only discovered because two teenagers stumbled across the site and reported it.
