A small group of private-sector companies, with help from several U.S. agencies, disrupted ongoing cyber-attacks against Colonial Pipeline and more than two dozen other victims, according to people with knowledge of the matter.
Colonial was able to recover some stolen data because of the intervention, which stopped the flow of stolen data headed to Russia — believed to be the ultimate destination, according to three people involved with or briefed about the investigation into the breach.
The takedown, which occurred on May 8, was enacted by companies that included operators of U.S.-based servers used by the hackers, the people said. The intervention involved the White House, Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and National Security Agency, and shut off key servers used by the hackers, said the people, who requested anonymity because they weren’t authorized to discuss the ongoing investigation.
Colonial was the victim of a ransomware attack last week in which the hackers stole nearly 100 gigabytes of data, a breach that caused the company to shut down operations of the biggest fuel pipeline in the U.S. The hackers were using the servers that were disabled as a repository for storing information before relaying it to computers in Russia, the people said.
But Colonial’s data hadn’t yet been sent, which allowed investigators to retrieve it, the people said.
On Monday, President Joe Biden stopped short of blaming the Kremlin but said “there’s evidence” the hackers or the software they used are “in Russia.”
“They have some responsibility to deal with this,” he told reporters at the White House, after announcing that “my administration will be pursuing a global effort of ransomware attacks.”
Representatives from the White House, FBI, NSA and the Department of Homeland Security, which overseas the Cybersecurity and Infrastructure Security Agency, didn’t immediately respond to a request for comment, nor did the Russian Embassy in Washington.
The takedown represents an unusually swift response to a cyber-attack that’s had an uncommonly large impact, throttling gasoline supplies across the eastern U.S. and threatening a spike in prices.
Besides Colonial, the more than two dozen other victims of the ransomware attacks were across a range of industries, two of the people said. They wouldn’t identify the other victims of the attacks. Reuters previously reported that investigators managed to thwart some of the data theft by taking a cloud server offline and that the server carried data from other ransomware attacks under way.
The White House had pulled together an inter-agency task force to address the breach, including exploring options for lessening the damage, according to an official. Biden can invoke an array of emergency powers to ensure supplies keep flowing to big cities and airports along the East Coast. Alpharetta, Georgia-based Colonial said Monday that it is bringing the Texas-to-New Jersey pipeline back online in stages and intends to have it fully operational by the end of the week.
The FBI confirmed that the attackers used DarkSide ransomware in the attack; others have linked the attack to a ransomware group using the same name. Among the evidence linking the group to Russia is its use of the Russian language and its exclusion of Russian companies as hacking targets, according to cybersecurity experts.
They stole nearly 100 gigabytes of data from Colonial’s network on Thursday before locking up computers with ransomware and demanding payment, Bloomberg reported. Colonial shut down its computer network and the pipeline’s operations while it assessed the damage.
In the aftermath of the takedown, DarkSide issued a statement on the dark web Monday hinting at contrition. “We are apolitical. We do not participate in geopolitics,” the message says. “Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
