F.B.I. Identifies Group Behind Pipeline Hack

The attack by DarkSide, a relatively new criminal group believed to have roots in Eastern Europe, exposed the remarkable vulnerability of key American infrastructure.

President Biden said on Monday that the government had mitigated any effect the pipeline hack might have had on the United States’ fuel supply.

By David E. Sanger and Nicole Perlroth

May 10, 2021
President Biden said on Monday that the United States would “disrupt and prosecute” a criminal gang of hackers called DarkSide, which the F.B.I. formally blamed for a huge ransomware attack that has disrupted the flow of nearly half of the gasoline and jet fuel supplies to the East Coast.
The F.B.I., clearly concerned that the ransomware effort could spread, issued an emergency alert to electric utilities, gas suppliers and other pipeline operators to be on the lookout for code like the kind that locked up Colonial Pipeline, a private firm that controls the major pipeline carrying gasoline, diesel and jet fuel from the Texas Gulf Coast to New York Harbor.
The pipeline remained offline for a fourth day on Monday as a pre-emptive measure to keep the malware that infected the company’s computer networks from spreading to the control systems that run the pipeline. So far, the effects on gasoline and other energy supplies seem minimal, and Colonial said it hoped to have the pipeline running again by the end of this week.

The attack prompted emergency meetings at the White House all through the weekend, as officials tried to understand whether the episode was purely a criminal act — intended to lock up Colonial’s computer networks unless it paid a large ransom — or was the work of Russia or another state that was using the criminal group covertly.

So far, intelligence officials said, all of the indications are that it was simply an act of extortion by the group, which first began to deploy such ransomware last August and is believed to operate from Eastern Europe, possibly Russia. There was some evidence, even in the group’s own statements on Monday, that suggested the group had intended simply to extort money from the company, and was surprised that it ended up cutting off the main gasoline and jet fuel supplies for the Eastern Seaboard.

The attack exposed the remarkable vulnerability of a key conduit for energy in the United States as hackers become more brazen in taking on critical infrastructure, like electric grids, pipelines, hospitals and water treatment facilities. The city governments of Atlanta and New Orleans, and, in recent weeks, the Washington, D.C., Police Department, have also been hit.

The explosion of ransomware cases has been fueled by the rise of cyberinsurance — which has made many companies and governments ripe targets for criminal gangs that believe their targets will pay — and of cryptocurrencies, which make extortion payments harder to trace.

In this case, the ransomware was not directed at the control systems of the pipeline, federal officials and private investigators said, but rather the back-office operations of Colonial Pipeline. Nonetheless, the fear of greater damage forced the company to shut down the system, a move that drove home the huge vulnerabilities in the patched-together network that keeps gas stations, truck stops and airports running.

A preliminary investigation showed poor security practices at Colonial Pipeline, according to federal and private officials familiar with the inquiry. The lapses, they said, most likely made the act of breaking into and locking up the company’s systems fairly easy.

Colonial Pipeline has not answered questions about what kind of investment it had made in protecting its networks, and refused to say whether it was paying the ransom. And the company appeared reluctant to let federal officials bolster its defenses.

“Right now, they’ve not asked for cybersupport from the federal government,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology, told reporters at a briefing at the White House. She declined to say whether the federal government would advise paying the ransom, noting that “companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data.”

While Ms. Neuberger did not say so, that appears to be essentially what happened to Colonial.

Mr. Biden, who is expected to announce an executive order in the coming days to strengthen America’s cyberdefenses, said there was no evidence that the Russian government was behind the attack. But he said he planned to meet with President Vladimir V. Putin of Russia soon — the two men are expected to hold their first summit next month — and he suggested Moscow bore some responsibility because DarkSide is believed to have roots in Russia and the country provides a haven for cybercriminals.

“There are governments that turn a blind eye or affirmatively encourage these groups, and Russia is one of those countries,” said Christopher Painter, the United States’ former top cyberdiplomat. “Putting pressure on safe havens for these criminals has to be a part of any solution.”
Colonial’s pipelines feed large storage tanks up and down the East Coast, and supplies seem plentiful, in part because of reduced traffic during the pandemic. Colonial issued a statement on Monday saying its goal was to “substantially” resume service by the end of the week, but the company cautioned that the process would take time.

Elizabeth Sherwood-Randall, Mr. Biden’s homeland security adviser and a former deputy secretary of energy in the Obama administration, said that the Energy Department was leading the federal response and had “convened the oil and natural gas and electric sector utility partners to share details about the ransomware attack and discuss recommended measures to mitigate further incidents across the industry.” She noted that the federal government had relaxed rules for drivers who transport gasoline and jet fuel by truck, in an effort to alleviate the effects.

“Right now, there is not a supply shortage,” she said. “We are preparing for multiple possible contingencies.” But she said the job of getting the pipeline back online belonged to Colonial.

To many officials who have struggled for years to protect the United States’ critical infrastructure from cyberattacks, the only surprise about the events of the past few days is that they took so long to happen. When Leon E. Panetta was defense secretary under President Barack Obama, Mr. Panetta warned of a “cyber Pearl Harbor” that could shut off power and fuel, a phrase often used in an effort to get Congress or corporations to spend more on cyberdefense.

During the Trump administration, the Department of Homeland Security issued warnings about Russian malware in the American power grid, and the United States mounted a not-so-secret effort to put malware in the Russian grid as a warning.

But in the many simulations run by government agencies and electric utilities of what a strike against the American energy sector would look like, the effort was usually envisioned as some kind of terrorist strike — a mix of cyber and physical attacks — or a blitz by Iran, China or Russia in the opening moments of a larger military conflict.

But this case was different: a criminal actor who, in trying to extort money from a company, ended up bringing down the system. One senior Biden administration official called it “the ultimate blended threat” because it was a criminal act, the kind the United States would normally respond to with arrests or indictments, that resulted in a major threat to the nation’s energy supply chain.

By threatening to “disrupt” the ransomware group, Mr. Biden may have been signaling that the administration was moving to take action against these groups beyond merely indicting them. That is what United States Cyber Command did last year, ahead of the presidential election in November, when its military hackers broke into the systems of another ransomware group, called Trickbot, and manipulated its command-and-control computer servers so that it could not lock up new victims with ransomware. The fear at that time was that the ransomware group might sell its skills to governments, including Russia, that sought to freeze up election tabulations.

On Monday, DarkSide argued it was not operating on behalf of a nation-state, perhaps in an effort to distance itself from Russia.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” it said in a statement posted on its website. “Our goal is to make money and not creating problems for society.”

The group seemed somewhat surprised that its actions resulted in closing a major pipeline and suggested that perhaps it would avoid such targets in the future.

“From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” the group said, though it was unclear how it defined “moderation.”

DarkSide is a relative newcomer to the ransomware scene, what Ms. Neuberger called “a criminal actor” that hires out its services to the highest bidder, then shares “the proceeds with ransomware developers.” It is essentially a business model in which some of the ill-gotten gains are poured into research and development on more effective forms of ransomware.

The group often portrays itself as a sort of digital Robin Hood, stealing from companies and giving to others. DarkSide says it avoids hacking hospitals, funeral homes and nonprofits, but it takes aim at large corporations, at times donating its proceeds to charities. Most charities have turned down its offers of gifts.

One clue to DarkSide’s origins lies in its code. Private researchers note DarkSide’s ransomware asks victims’ computers for their default language setting, and if it is Russian, the group moves along to other victims. It also seems to avoid victims that speak Ukrainian, Georgian and Belarusian.

Its code bears striking similarities to that used by REvil, a ransomware group that was among the first to offer “ransomware as a service” — essentially hackers for hire — to hold systems hostage with ransomware.

“It appears this was an offshoot that wanted to go into business for themselves,” said Jon DiMaggio, a former intelligence community analyst who is now the chief security strategist of Analyst1. “To get access to REvil’s code, you’d have to have it or steal it because it’s not publicly available.”

DarkSide makes smaller ransom demands than the eight-figure sums that REvil is known for — somewhere from $200,000 to $2 million. It puts a unique key in each ransom note, Mr. DiMaggio said, which suggests that DarkSide tailors attacks to each victim.
David E. Sanger is a White House and national security correspondent. In a 38-year reporting career for The Times, he has been on three teams that have won Pulitzer Prizes, most recently in 2017 for international reporting. His newest book is “The Perfect Weapon: War, Sabotage and Fear in the Cyber Age.” @SangerNYT

Nicole Perlroth is a cybersecurity and digital espionage reporter. She is the bestselling author of the book “This Is How They Tell Me The World Ends,” about the global cyber arms race. @nicoleperlroth