US government plans to disrupt hackers behind Colonial Pipeline ransomware, Biden says
President Joe Biden suggested the U.S. intends to pursue hackers who last week infected the IT systems of the largest pipeline in the country with ransomware.
The incident led Colonial Pipeline to shut down operations for days in an effort to prevent the ransomware, which the FBI has traced back to criminal operators known as DarkSide, from spreading to its operational technology.
Now, following a spike in demand for fuel, the U.S. government is going to disrupt the hackers, who are believed to reside in Russia, Biden said.
“We have been in direct communication with Moscow for the imperative for responsible countries to take decisive action against these ransomware networks,” Biden said in remarks Thursday. “We’re also going to pursue a measure to disrupt their ability to operate.”
The president did not rule out carrying out a retaliatory cyberattack targeting the criminals, clarifying that the U.S. does not believe the Russian government was behind the attack.
“We do not believe — emphasis on we do not believe — the Russian government was involved in this attack,” Biden said. “But we do have strong reason to believe that the criminals who did the attack are living in Russia.”
Biden indicated, however, that he believes Russia bears some responsibility. One of the main topics the president said he intends to discuss with Russian President Vladimir Putin is governments that knowingly allow criminal hackers, like those working with DarkSide, to conduct ransomware operations from within their countries.
Biden did not specifically say whether the U.S. government would be targeting DarkSide, the criminal syndicate that distributes ransomware to criminal partners, or the affiliate hackers that used DarkSide ransomware to target Colonial Pipeline.
The news comes after Colonial Pipeline resumed pumping fuel across the eastern seaboard Wednesday evening, just days after it shut down operations to recover from the ransomware incident. The firm opted to pay the criminal hackers behind the attack $5 million in ransom in order to get fuel shipments back on track, Bloomberg reported on Thursday.
Even after Colonial paid the ransom, the decryption tool reportedly was slow to function, forcing the company to rely on its own backups and restoration methods, Bloomberg reported.
Biden declined to comment on whether he had been briefed on such a payment.
The reported decision to pay the hackers is likely to raise questions about Colonial Pipeline’s decision-making process, and what it means for other potential victims. The FBI and the Department of Homeland Security’s cybersecurity agency, the Cybersecurity and Infrastructure Security Agency, have both warned companies to avoid paying ransoms, as it’s not a guarantee they will get their encrypted files back.
U.S. officials also worry that it can embolden or encourage criminal hackers to go after other targets.
Copycat hackers looking to make a buck may take inspiration from the alleged payment, Allan Liska, an intelligence analyst at the threat intelligence firm Recorded Future, told CyberScoop.
“If this turns out to be true it, unfortunately, sets a dangerous precedent,” Liska said. “As we have seen with ransomware attacks on schools, hospitals and manufacturers, ransomware actors are copycats. We already know our critical infrastructure is woefully under protected and now every ransomware actor will be looking to exploit those networks hoping for an equally big pay day.”
Colonial Pipeline declined to comment through a spokesperson, citing an ongoing investigation. The National Security Council did not immediately return a request for comment.
End in sight to fuel issues
The news of the company’s apparent ransomware payment coincides with a White House scramble to blunt the impact on U.S. fuel supplies while the affected pipeline remained shutdown. In recent days, demand soared in multiple states that are typically serviced by Colonial Pipeline, with Americans panic-buying fuel and lining up around the block at gas stations in some areas.
The Biden administration issued emergency waivers meant to help transport more fuel to fill the gap in the meantime.
Now that Colonial Pipeline has restored service, most markets it services should be seeing revived shipments by midday Thursday, the company said in a statement.
“Colonial Pipeline has made substantial progress in safely restarting our pipeline system and can report that product delivery has commenced in a majority of the markets we service,” the firm said.
The announcement “means there’s an end in sight for the supply disruptions that have affected States across the Southeast,” White House Press Secretary Jen Psaki said. “As Colonial Pipeline works to safely and fully resume operations over the next few days, we will stay in close contact with the company and will continue to offer any assistance needed.”
Many gas stations will likely need to rely on reserves for a while, however. In a recognition that supply gaps may persist temporarily, Homeland Security Secretary Alejandro Mayorkas announced a limited waiver for the Jones Act early Thursday, which will allow non-U.S. flagged ship to complete transports of fuel to the U.S. on a temporary basis.
Biden urged Americans on Thursday to continue avoiding panic-buying fuel, echoing statements from Energy Secretary Jennifer Granholm that there isn’t a shortage of fuel, just a delay in supply. Biden also urged gas stations to not price gouge customers in the meantime.
IT security front and center
The Biden administration has had a busy first few months dealing with a spate of high-profile cybersecurity incidents. Biden signed an executive order meant to help the federal government and private sector alike shore up cybersecurity in light of suspected Russian and Chinese cyber-espionage campaigns that leveraged SolarWinds and Microsoft technologies, impacting federal agencies and U.S. entities.
While the executive order had been in development for weeks before the ransomware incident, a senior administration official indicated that the directives contained in the order were aimed at boosting IT software security, which could, in theory, help organizations like Colonial Pipeline avoid the current circumstances.
A senior Biden administration official said the U.S. needs to take a hard look at critical infrastructure security as agencies act on the mandates in the executive order.
“The current market development of build, sell and maybe patch later means we routinely install software with significant vulnerabilities into some of our most critical systems and infrastructure,” the senior official said. “The cost of the continuing status quo is simply unacceptable.”
The executive order will force federal contractors to report cyber incidents to agencies in a timely fashion and establish an entity to review major incidents. It will also establish software security standards for government acquisitions.
Cyber Command, the Department of Defense’s offensive cyber branch, declined to comment, only noting that the command supports interagency partners as needed.