A cyberattack that paralyzed a vital U.S. pipeline supplying millions of Americans with gasoline underscores the growing threat to America’s critical infrastructure posed by Russian-speaking ransomware gangs that operate outside the reach of the law.
The 5,500-mile Colonial Pipeline, which runs from Texas to New Jersey and supplies nearly half the fuel used on the East Coast, was forced to shut down after being hit by ransomware attackers Friday.
Ransomware developed by a gang called DarkSide is responsible for the attack, the FBI said in a statement, adding it continued to work with Colonial and other government agencies on the investigation. The attack shows the growing audacity of tech-savvy criminal gangs, many of which are believed to be based in Russia and former Soviet republics, that are amassing untold riches by holding companies to ransom.
While oil and gasoline futures prices dipped Monday morning, a prolonged shutdown could lead to higher gasoline prices, experts say.
Ransomware gangs encrypt crucial data on a victim’s computer network and then demand a ransom, which can run into the millions of dollars, usually payable in Bitcoin, in return for a key to unscramble the data.
In a recent tweak of their technique, gangs also often steal confidential data and threaten to publish it online unless a ransom is paid. Companies that have backed up their data can recover from an attack without paying, but the process is often costly and time-consuming.
The gangs have moved on from attacking small businesses with lax cybersecurity to universities, hospitals, and manufacturing and energy companies like Colonial that form a crucial part of America’s energy supply network.
Coveware, a ransomware negotiating firm, said that the average ransom payment in the first three months of this year was $220,000, up a staggering 43% from the previous quarter.
Andrei Barysevich, CEO of U.S. fraud-tracking firm Gemini Advisory, said the attack on Colonial was one of the most serious ransomware incidents so far.
“The fact they can disrupt the entire gasoline supply of the entire East Coast of the U.S. for God knows how long makes it definitely very serious,” Barysevich told Fortune.
The Russian-speaking DarkSide gang, active since August 2020, operates a “ransomware-as-a-service” model, whereby the gang licenses its hacking tools to affiliates, so it is unclear whether DarkSide itself or an affiliate is responsible in this case. Barysevich said the attackers likely didn’t understand what Colonial did or the extent of the disruption the hack would cause, since such a high-profile attack will draw unwelcome attention to DarkSide’s activities.
“Everybody is looking into them right now. From what I understand, there are six or seven different (government) agencies actively looking into this gang,” he said.
The DataBreaches.net cybersecurity website said DarkSide posted a statement on its leaks site Monday, saying it was apolitical and not tied to any government. “Our goal is to make money, and not creating problems for society,” it said.
“From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” the statement said, seeming to indicate that a DarkSide affiliate had carried out the attack.
Colonial, which said it proactively took some systems offline to contain the threat from Friday’s ransomware attack, said Monday that segments of its pipeline were being brought back online in phases and that it aimed to substantially restore operational service by the end of the week. The company did not answer a question about whether it was negotiating with the ransomware attackers.
The pipeline attack, which lays bare flaws in the nation’s critical infrastructure and vulnerabilities in national security, will be deeply worrying to the Biden administration, which recently unveiled a $2.3 trillion plan to upgrade aging U.S. infrastructure. The administration issued an emergency exemption Sunday allowing fuel to be carried by road instead of the pipeline.
In February last year, the U.S. government’s Cybersecurity and Infrastructure Security Agency alerted operators to a ransomware attack on an unidentified natural gas compression facility, but there has been nothing previously on the scale of the Colonial incident.
The cyberattack will prompt calls for more energetic action by the U.S. and other governments to crack down on the ransomware gangs. That has so far proved difficult because the gangs are often beyond the reach of Western law enforcement in Russia or areas such as the rebel-held Donetsk region of eastern Ukraine.
“All of the ransomware gangs pretty much know they have a bullseye on them. It’s just a matter of time before the U.S. government is going to start looking for them, but they operate with impunity … right now,” Barysevich said.
“I doubt that the Russian government actively sponsors the attackers, but they are definitely looking the other way,” he added.
Barysevich said North Koreans, thousands of whom speak fluent Russian, could also be involved in ransomware attacks.
Asked by a reporter if Russia was involved in the Colonial attack, President Biden said: “So far there is no evidence from our intelligence people that Russia is involved, although there is evidence that the actors, ransomware, is in Russia. They have some responsibility to deal with this.”
There are signs of a growing focus in Washington on combating the ransomware plague.
The Justice Department recently created a new task force to combat the onslaught of ransomware attacks, while a group comprising tech companies and law enforcement agencies from the U.S., U.K. and Canada called last month for “coordinated, international diplomatic and law enforcement efforts” to combat ransomware.
The Biden administration imposed new sanctions on Russia last month over its interference in elections and the SolarWinds hack of U.S. government agencies and private companies.