Pipeline hackers wear a ‘bull’s‑eye.’ Will Biden act?

By Christian Vasquez | 05/11/2021 07:03 AM EDT

President Biden discussed a recent cyberattack on a major U.S. fuel pipeline in the East Room of the White House yesterday. CNP / Polaris/Newscom

The hackers who shut down half the fuel supplies to the U.S. East Coast said they just wanted "to make money."

But now experts and Biden administration officials say the DarkSide group could face U.S. retaliation after the ransomware gang hit the 5,500-mile Colonial pipeline, disrupting fuel supplies up and down the Eastern Seaboard and causing worry about shortages or price hikes.

The FBI confirmed in a statement that DarkSide — believed to operate largely out of Eastern Europe — was responsible for the ransomware attack that locked up Colonial Pipeline Co.’s computer files and demanded payment for the key.


President Biden said yesterday there is no evidence that the Russian government was involved in the attack. But he said there is evidence that DarkSide’s backers are based in Russia and that he wants to speak with Russian President Vladimir Putin about the attack.

Russia has "some responsibility to deal with this," Biden told reporters at the White House. Biden has said he expects to meet with Putin next month during a trip to the United Kingdom and Belgium for NATO and Group of Seven meetings.

"The Department of Energy is working directly with Colonial to get the pipelines back online and operating at full capacity as quickly and safely as possible," Biden said, adding that agencies across the government have acted quickly to blunt any effect on the fuel supply.

DarkSide appeared to acknowledge that it may have crossed a line in an online statement.

"We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives," DarkSide wrote. "Our goal is to make money, and not creating problems for society."

The group went so far as to promise "moderation" in future extortion efforts "to avoid social consequences," and it appeared to lay the blame on "partners" for the Colonial shutdown — though cybersecurity experts have warned not to take criminal hacking groups at their word.

"Initially, maybe they haven’t really fully grasped the damages that they caused and the severity and the gravity of that incident," said Assaf Dahan, senior director and head of threat research at Boston-based cybersecurity firm Cybereason.

"Because now every law enforcement agency and intelligence [agency] is basically on their tail," he said. "They really put a bull’s-eye on their backs."

DarkSide may be located in Russia: Clues in the ransomware’s code indicate that the authors could be Russian speaking, and the code is designed to avoid attacking computers and assets with a Russian language setup, Dahan said. That could be out of fear of the Russian government, giving breathing room for Russian officials to turn a blind eye to DarkSide’s operations, he added.

Dahan noted that "there’s nothing too novel or sophisticated about" DarkSide.

The group has operated since at least last August and is known for engaging in "double extortion," Dahan said — not only encrypting data but also threatening to publish stolen proprietary information if the victim refuses to pay.

Colonial has not said if it has paid the hacking group. But DarkSide could be in for another sort of payback, experts say.

William Evanina, the former director of the U.S. National Counterintelligence and Security Center, tweeted that he expects "DarkSide to shortly experience the full extent of [intelligence community and Defense Department] precision tactical deterrent capabilities."

A huge target

A sign outside of a Colonial Pipeline Co. tank farm is pictured in Paulsboro, N.J., in this 2016 file photo. | Kris Tripplaar/Sipa USA/Newscom

Up and down the Eastern Seaboard, millions of people every day rely on the Colonial pipeline system to fuel the cars they drive and the airplanes they fly in. The sprawling system of pipes connecting Houston and New York delivers 100 million gallons of jet fuel, gasoline and other fuel every day.

It’s the largest pipeline system in the country, and it’s owned by subsidiaries of Koch Industries Inc. and Royal Dutch Shell PLC, along with other investors.

Colonial said yesterday that it has developed a plan that is an "incremental process that will facilitate a return to service in a phased approach."

The Georgia-based company said the plan "is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week."

For most of its length, the Colonial pipeline is actually two pipelines running side by side. One carries just gasoline, and the other one, slightly smaller, carries jet fuel and other refined petroleum products.

Analysts at ClearView Energy Partners LLC said yesterday the situation could further tarnish the pipeline industry’s image.

It could, ClearView said, make people "wary of the energy on which they depend, and unhappy about it once again."

White House weighs in

Biden noted the Department of Transportation issued an emergency order to loosen restrictions on truck drivers to allow more fuel to be transported via tanker and that the administration is prepared to take additional steps depending on how quickly Colonial is able to bring the pipeline back.

"My administration takes this very seriously," he said of efforts to disrupt and prosecute ransomware culprits. He noted the administration will be pursuing a global effort to combat the transnational criminals who often use global money-laundering networks to carry the attacks out.

Anne Neuberger, deputy national security adviser for cyber and emerging technologies, told reporters at the White House that the administration is "aggressively investigating the incident and its culprits."

She said Colonial has not asked for any cyber support from the federal government and would not say whether the company paid a ransom.

"We recognize that victims of cyberattacks often face a very difficult situation, and they have to just balance, often, the cost benefit when they have no choice with regard to paying a ransom," she said. "Colonial is a private company, and we’ll defer information regarding their decision on paying a ransom to them."

She added that the administration had not offered any advice on whether to pay ransoms but is debating recommendations. The FBI under past administrations has publicly recommended against paying hackers.

"Given the rise in ransomware, that is one area we’re definitely looking at now, to say what should be the government’s approach to ransomware actors and to ransoms overall," Neuberger said.

Asked whether there were any retaliatory measures being considered by the U.S., Neuberger said "absolutely." She described DarkSide as a "new and very troubling variant," noting its ransomware-as-a-service model, in which cybercriminals rent out ransomware in exchange for a cut of future payments.

Colonial has told the administration the pipeline has not been damaged and it believes it can bring the pipeline back online "relatively quickly," said Elizabeth Sherwood-Randall, Biden’s deputy national security adviser.

Sherwood-Randall said there is no current fuel supply shortage but that the administration is "preparing for multiple possible contingencies" and looking at what else it may need to do to mitigate disruptions to the supply chain.

The Department of Homeland Security is preparing a release to go to the broader critical infrastructure community to ensure it has relevant information on the ransomware attack, Sherwood-Randall said.

She noted Colonial is responsible for returning the pipeline to service and that the federal government’s role is to analyze the effect of the shutdown on the delivery of gasoline, diesel and aviation fuel in states served by the pipeline — and to identify federal options for alleviating supply shortfalls should they develop.

Energy Secretary Jennifer Granholm told Bloomberg Television that the cyberthreat to critical infrastructure, "especially energy infrastructure, is not going away."

She called the attack on Colonial "a serious example of what we’re seeing across the board in many places, and it tells you that we need to invest in our systems, our transmission grid for electricity; we need to invest in cyberdefense in these energy systems."

She called for the private sector "to step up to the plate," adding that "many are, but there’s quite a few who have been slow to do so, and I think that these will serve as examples of why it’s important to accelerate."

What can Biden do?

But even as the Biden administration works to contain the Colonial pipeline incident, ransomware has been a thorny problem for years.

Although the Department of Justice has indicted numerous state-sponsored hackers under recent administrations, few of those indictments have led to arrests, leading many experts to criticize the measures as ineffective (Energywire, Oct. 20, 2020).

One challenge is that ransomware gangs tend to be based in areas where the U.S. has no jurisdiction or where countries are unwilling to extradite suspects.

"Changing that dynamic is going to require a long-term, large-scale strategy that more aggressively tries to build a coalition of like-minded countries to develop a diplomatic program to rein recasting countries into the fold," said Paul Rosenzweig, former federal prosecutor and former senior DHS official.

That approach can mean a combination of indictments, sanctions or naming-and-shaming campaigns to bring hackers to account. "Basically, the whole nine yards," said Rosenzweig, who is now a resident senior fellow for cybersecurity and emerging threats at the R Street Institute think tank.

Jamil Jaffer, senior vice president for strategy, partnerships and corporate development at IronNet Cybersecurity and founder of the National Security Institute at George Mason University, said the severity of the Colonial attack calls for a robust federal response.

"We’ve got to take them down," he said. "Whether that means arrest, OK. If it means working with our allies, if it needs some real punch back … at some point, you’ve got to be willing to say enough is enough."

The Biden administration should create a joint collaborative environment for both the private and public sector to work on countering the threat, Jaffer said.

He noted that many companies can’t defend themselves against criminal hackers such as ransomware attackers — let alone hackers backed by nation-states.

"We’ve got to get companies working with one another because individually they just can’t defend against these threats on their own," Jaffer said.

Reporters Lesley Clark and Mike Soraghan contributed.