The Biden administration on Monday confronted another major cyberattack with apparent links to Russia while the U.S. energy industry slowly got back on its feet after a crippling assault on the Colonial Pipeline underscored deep vulnerabilities in critical American infrastructure that security experts say must be fixed.
The FBI pinned the ransomware attack, in which key data is encrypted or stolen and held for ransom, on the mysterious hacker group DarkSide, which is believed to be based in Eastern Europe, possibly Russia. White House officials were quick to stress that they believe the Colonial Pipeline was targeted by a criminal enterprise, not a government.
But President Biden suggested that the line between the two is increasingly thin when it comes to Russian hacking. He told reporters that Moscow bears at least some of the blame for DarkSide’s actions.
Mr. Biden hinted that top Russian officials may have tacitly signed off on the cyberattack, which temporarily knocked out a pipeline that provides nearly half of all fuel consumed on the East Coast.
“So far, there is no evidence based on, from our intelligence people, that Russia is involved. Although there’s evidence that the actors, ransomware, is in Russia,” the president said. “They have some responsibility to deal with this.”
The Colonial Pipeline was targeted Saturday, just weeks after the Biden administration slapped sanctions on Moscow for the devastating SolarWinds hack of the U.S. government and private industry.
Analysts say the two cyberattacks are different from a technical perspective. But taken together, they suggest that the U.S. is ill-prepared to fend off 21st-century digital strikes from rival governments, highly sophisticated cybercriminal networks, or a combination of the two.
As the FBI and other arms of the federal government mount a worldwide investigation into the latest hack, the White House said it is preparing for “multiple possible contingencies” in the event that the 5,500-mile pipeline remains partially offline longer than expected.
Gas prices were inching up Monday, and analysts predicted fuel costs could soar dramatically in the coming days. The federal government temporarily lifted restrictions on the movement of fuel on the nation’s highways to fend off any energy shortages.
The Colonial Pipeline Co., meanwhile, said it hopes to be back up and running by the end of the week but must move slowly given the complexity of the attack.
“While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach,” the company said in a statement. “This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week.”
White House officials said the federal government is working closely with Colonial. They also said it’s crucial for the government and industry to partner on cybersecurity because the incident exposed how attacks on private companies can have far-reaching effects on society.
“When those companies are attacked … we depend on the effectiveness of their defenses,” said Elizabeth Sherwood-Randall, White House deputy national security adviser.
But analysts say those defenses are often weak and can be compromised easily by such factors as employees working from home during the COVID-19 pandemic.
“All the people behind these ransomware attacks need is someone running a laptop in an unauthorized fashion on a nonsecure network, such as a home Wi-Fi system,” said Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers. “And they are delighted to find an employee who is tapping into key systems remotely on a personal cellphone or other device that has not been authorized for such access.”
‘Sophisticated and well-designed’
Federal authorities and energy industry leaders are still assessing the extent of the damage caused by the ransomware attack, but the FBI wasted little time in naming the culprit.
“The FBI confirms that the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks,” the bureau said in a statement Monday. “We continue to work with the company and our government partners on the investigation.”
DarkSide claims to have hacked at least 80 companies since August and says its membership includes experienced ransomware creators who have made millions of dollars carrying out such attacks.
The organization has also threatened to publicly release its victims’ data and personal information if they don’t pay up. The group has tried to cultivate something of a Robin Hood-type image, claiming to extort money from private corporations and redistribute some of it to worthy causes.
DarkSide said in a statement that its only goal is to make money, and it denied any ties to a foreign government.
“We are apolitical, we do not participate in geopolitics,” the statement said. “Our goal is to make money and not creating problems for society.”
White House cybersecurity officials described the incident as a “ransomware-as-a-service” attack, in which ransomware developers offer their products to criminals who carry out the strike. The two parties typically split the profits from a company or individual who pays to regain access to information.
Colonial Pipeline did not indicate in its statement whether or not the company had paid a ransom. White House officials said it was a “private-sector decision.”
Specialists say the targeting of a high-value piece of infrastructure such as the Colonial Pipeline would have required extensive planning and cutting-edge technical know-how. It’s also highly difficult to pin down the specific individuals responsible.
“It works in a ransomware-as-a-service model, where it leverages a partner program to execute its cyberattacks. This means we know very little about the real threat actor behind the attack on Colonial, who can be any one of the partners of DarkSide,” said Lotem Finkelstein, head of threat intelligence at Check Point, a leading cyberintelligence firm. “What we do know is that to take down extensive operations like the Colonial pipeline reveals a sophisticated and well-designed cyberattack. This attack also requires a proper time frame to allow lateral movement and data exfiltration.”
Russian officials indirectly denied any involvement with the attack.
Russia’s state-run Tass news agency posted a story citing CNN reports of DarkSide’s involvement and denounced that narrative.
“Russia repeatedly denied U.S. allegations of malicious behavior in cyberspace. The U.S. groundlessly alleges that Russia makes cyberattacks against its resources and does not want to cooperate in cyberspace,” the Tass story quoted Secretary of the Russian Security Council Nikolai Patrushev as saying.
Jeff Mordock, Ryan Lovelace and Dave Boyer contributed to this report.