In March 2019, Mr. Alay traveled to Moscow, just weeks after leaders of the Catalan independence movement went on trial. Three months later, Mr. Alay went again.

In Russia, according to the intelligence report, Mr. Alay and Mr. Dmitrenko met with several active foreign intelligence officers, as well as Oleg V. Syromolotov, the former chief of counterintelligence for the Federal Security Service, Russia’s domestic intelligence agency, who now oversees counterterrorism as a deputy minister at the Russian foreign ministry.

Mr. Alay denied meeting Mr. Syromolotov and the officers but acknowledged meeting Yevgeny Primakov, the grandson of a famous K.G.B. spymaster, in order to secure an interview with Mr. Puigdemont on an international affairs program he hosted on Kremlin television. Last year, Mr. Primakov was appointed by Mr. Putin to run a Russian cultural agency that, according to European security officials, often serves as a front for intelligence operations.

“Good news from Moscow,” Mr. Alay later texted to Mr. Puigdemont, informing him of Mr. Primakov’s appointment. In another exchange, Mr. Dmitrenko told Mr. Alay that Mr. Primakov’s elevation “puts him in a very good position to activate things between us.”

Mr. Alay also confirmed meeting Andrei Bezrukov, a decorated former officer with Russia’s foreign intelligence service. For more than a decade, Mr. Bezrukov and his wife, Yelena Vavilova, were deep cover operatives living in the United States using the code names Donald Heathfield and Tracey Foley.

It was their story of espionage, arrest and eventual return to Russia in a spy swap that served as a basis for the television series “The Americans.” Mr. Alay appears to have become close with the couple. Working with Mr. Dmitrenko, he spent about three months in the fall of 2020 on a Catalan translation of Ms. Vavilova’s autobiographical novel “The Woman Who Can Keep Secrets,” according to his encrypted correspondence.

Mr. Alay, who is also a college professor and author, said he was invited by Mr. Bezrukov, who now teaches at a Moscow university, to deliver two lectures.

Mr. Alay was accompanied on each of his trips by Mr. Dmitrenko, 33, a Russian businessman who is married to a Catalan woman. Mr. Dmitrenko did not respond to requests for comment. But Spanish authorities have monitored him and in 2019 rejected a citizenship application from him because of his Russian contacts, according to a Spanish Ministry of Justice decision reviewed by The Times.

The decision said Mr. Dmitrenko “receives missions” from Russian intelligence and also “does different jobs” for leaders of Russian organized crime.

A few months after Mr. Alay’s trips to Moscow, Catalonia erupted in protests.

A group calling itself Tsunami Democratic occupied the offices of one of Spain’s largest banks, closed a main highway between France and Spain for two days and orchestrated the takeover of the Barcelona airport, forcing the cancellation of more than a hundred flights.

The group’s origins have remained unclear, but one of the confidential police files stated that Mr. Alay attended a meeting in Geneva, where he and other independence activists finalized plans for Tsunami Democratic’s unveiling.

Three days after Tsunami Democratic occupied the Barcelona airport, two Russians flew from Moscow to Barcelona, the Catalan capital, according to flight records obtained by The Times.

One was Sergei Sumin, whom the intelligence report describes as a colonel in Russia’s Federal Protective Service, which oversees security for Mr. Putin and is not known for activities abroad.

The other was Artyom Lukoyanov, the adopted son of a top adviser to Mr. Putin, one who was deeply involved in Russia’s efforts to support separatists in eastern Ukraine.

According to the intelligence report, Mr. Alay and Mr. Dmitrenko met the two men in Barcelona for a strategy session to discuss the independence movement, though the report offered no other details.

Mr. Alay denied any connection to Tsunami Democratic. He confirmed that he had met with Mr. Sumin and Mr. Lukoyanov at the request of Mr. Dmitrenko, but only to “greet them politely.”

Even as the protests faded, Mr. Puigdemont’s associates remained busy. His lawyer, Mr. Boye, flew to Moscow in February 2020 to meet Vasily Khristoforov, whom Western law enforcement agencies describe as a senior Russian organized crime figure. The goal, according to the report, was to enlist Mr. Khristoforov to help set up a secret funding channel for the independence movement.

In an interview, Mr. Boye acknowledged meeting in Moscow with Mr. Khristoforov, who is wanted in several countries including Spain on suspicion of financial crimes, but said they only discussed matters relating to Mr. Khristoforov’s legal cases.

By late 2020, Mr. Alay’s texts reveal an eagerness to keep his Russian contacts happy. In exchanges with Mr. Puigdemont and Mr. Boye, he said they should avoid any public statements that might anger Moscow, especially about the democracy protests that Russia was helping to disperse violently in Belarus.

Mr. Puigdemont did not always heed the advice, appearing in Brussels with the Belarusian opposition and tweeting his support for the protesters, prompting Mr. Boye to text Mr. Alay that “we will have to tell the Russians that this was just to mislead.”

How China Transformed Into a Prime Cyber Threat to the U.S.

Nearly a decade ago, the United States began naming and shaming China for an onslaught of online espionage, the bulk of it conducted using low-level phishing emails against American companies for intellectual property theft.

On Monday, the United States again accused China of cyberattacks. But these attacks were highly aggressive, and they reveal that China has transformed into a far more sophisticated and mature digital adversary than the one that flummoxed U.S. officials a decade ago.

The Biden administration’s indictment for the cyberattacks, along with interviews with dozens of current and former American officials, shows that China has reorganized its hacking operations in the intervening years. While it once conducted relatively unsophisticated hacks of foreign companies, think tanks and government agencies, China is now perpetrating stealthy, decentralized digital assaults of American companies and interests around the world.

Hacks that were conducted via sloppily worded spearphishing emails by units of the People’s Liberation Army are now carried out by an elite satellite network of contractors at front companies and universities that work at the direction of China’s Ministry of State Security, according to U.S. officials and the indictment.

like Microsoft’s Exchange email service and Pulse VPN security devices, which are harder to defend against and allow China’s hackers to operate undetected for longer periods.

“What we’ve seen over the past two or three years is an upleveling” by China, said George Kurtz, the chief executive of the cybersecurity firm CrowdStrike. “They operate more like a professional intelligence service than the smash-and-grab operators we saw in the past.”

China has long been one of the biggest digital threats to the United States. In a 2009 classified National Intelligence Estimate, a document that represents the consensus of all 16 U.S. intelligence agencies, China and Russia topped the list of America’s online adversaries. But China was deemed the more immediate threat because of the volume of its industrial trade theft.

But that threat is even more troubling now because of China’s revamping of its hacking operations. Furthermore, the Biden administration has turned cyberattacks — including ransomware attacks — into a major diplomatic front with superpowers like Russia, and U.S. relations with China have steadily deteriorated over issues including trade and tech supremacy.

China’s prominence in hacking first came to the fore in 2010 with attacks on Google and RSA, the security company, and again in 2013 with a hack of The New York Times.

breach of the U.S. Office of Personnel Management. In that attack, Chinese hackers made off with sensitive personal information, including more than 20 million fingerprints, for Americans who had been granted a security clearance.

White House officials soon struck a deal that China would cease its hacking of American companies and interests for its industrial benefit. For 18 months during the Obama administration, security researchers and intelligence officials observed a notable drop in Chinese hacking.

After President Donald J. Trump took office and accelerated trade conflicts and other tensions with China, the hacking resumed. By 2018, U.S. intelligence officials had noted a shift: People’s Liberation Army hackers had stood down and been replaced by operatives working at the behest of the Ministry of State Security, which handles China’s intelligence, security and secret police.

Hacks of intellectual property that benefited China’s economic plans originated not from the P.L.A. but from a looser network of front companies and contractors, including engineers who worked for some of the country’s leading technology companies, according to intelligence officials and researchers.

It was unclear how exactly China worked with these loosely affiliated hackers. Some cybersecurity experts speculated that the engineers were paid cash to moonlight for the state, while others said those in the network had no choice but to do whatever the state asked. In 2013, a classified U.S. National Security Agency memo said, “The exact affiliation with Chinese government entities is not known, but their activities indicate a probable intelligence requirement feed from China’s Ministry of State Security.”

announced a new policy requiring Chinese security researchers to notify the state within two days when they found security holes, such as the “zero-days” that the country relied on in the breach of Microsoft Exchange systems.

arrested its founder. Two years later, Chinese police announced that they would start enforcing laws banning the “unauthorized disclosure” of vulnerabilities. That same year, Chinese hackers, who were a regular presence at big Western hacking conventions, stopped showing up, on state orders.

“If they continue to maintain this level of access, with the control that they have, their intelligence community is going to benefit,” Mr. Kurtz said of China. “It’s an arms race in cyber.”

Secret Chats Show How Cybergang Became a Ransomware Powerhouse

MOSCOW — Just weeks before the ransomware gang known as DarkSide attacked the owner of a major American pipeline, disrupting gasoline and jet fuel deliveries up and down the East Coast of the United States, the group was turning the screws on a small, family-owned publisher based in the American Midwest.

Working with a hacker who went by the name of Woris, DarkSide launched a series of attacks meant to shut down the websites of the publisher, which works mainly with clients in primary school education, if it refused to meet a $1.75 million ransom demand. It even threatened to contact the company’s clients to falsely warn them that it had obtained information the gang said could be used by pedophiles to make fake identification cards that would allow them to enter schools.

Woris thought this last ploy was a particularly nice touch.

“I laughed to the depth of my soul about the leaked IDs possibly being used by pedophiles to enter the school,” he said in Russian in a secret chat with DarkSide obtained by The New York Times. “I didn’t think it would scare them that much.”

released a statement a week earlier saying it was shutting down. A customer support employee responded almost immediately to a chat request sent from Woris’s account by the Times reporter. But when the reporter identified himself as a journalist the account was immediately blocked.

Megyn Kelly pressed him in a 2018 interview on why Russia was not arresting hackers believed to have interfered in the American election, he shot back that there was nothing to arrest them for.

“If they did not break Russian law, there is nothing to prosecute them for in Russia,” Mr. Putin said. “You must finally realize that people in Russia live by Russian laws, not by American ones.”

After the Colonial attack, President Biden said that intelligence officials had evidence the hackers were from Russia, but that they had yet to find any links to the government.

“So far there is no evidence based on, from our intelligence people, that Russia is involved, though there is evidence that the actors, ransomware, is in Russia,” he said, adding that the Russian authorities “have some responsibility to deal with this.”

This month, DarkSide’s support staff scrambled to respond to parts of the system being shut down, which the group attributed, without evidence, to pressure from the United States. In a posting on May 8, the day after the Colonial attack became public, the DarkSide staff appeared to be hoping for some sympathy from their affiliates.

“There is now the option to leave a tip for Support under ‘payments,’” the posting said. “It’s optional, but Support would be happy :).”

Days after the F.B.I. publicly identified DarkSide as the culprit, Woris, who had yet to extract payment from the publishing company, reached out to customer service, apparently concerned.

“Hi, how’s it going,” he wrote. “They hit you hard.”

It was the last communication Woris had with DarkSide.

Days later, a message popped up on the dashboard saying the group was not exactly shutting down, as it had said it would, but selling its infrastructure so other hackers could carry on the lucrative ransomware business.

“The price is negotiable,” DarkSide wrote. “By fully launching an analogous partnership program it’s possible to make profits of $5 million a month.”

Oleg Matsnev contributed reporting.

E.U. and Britain Move to Impede Belarus’s Access to Air Travel

Airlines are often forced to adjust operations in response to major disruptions, geopolitical and otherwise. This month, for example, several U.S. airlines canceled flights to and from Israel as a conflict there escalated. Some carriers also adjusted procedures, including adding fueling stops, after the hacking of a fuel pipeline company that serves airports on the East Coast of the United States.

In 2014, nearly 300 people were killed when Malaysia Airlines Flight 17 was shot down over Ukraine, where hostilities were raging, on its way to Kuala Lumpur from Amsterdam. Western governments blamed the Russian government and Russian-backed rebels fighting the Ukrainian government, while Moscow denied involvement. The Netherlands sued Russia in the European Court of Human Rights last year in an effort to secure evidence that would be useful to families of the victims.

From 2017 until this year, Qatar Airways was forced to avoid airspace over Saudi Arabia and several neighboring countries after they imposed an air, land and sea embargo against Qatar. In some cases, that meant flying longer routes around the Arabian Peninsula. The neighbors accused Qatar of supporting terrorism. Qatar has denied those accusations.

The movement to isolate Belarus will have little effect on U.S. passenger airlines, which rarely fly over the country, according to Flightradar24. Secretary of State Antony J. Blinken condemned the forced landing of the Ryanair flight, calling it a “shocking act” that “endangered the lives of more than 120 passengers, including U.S. citizens.” Transportation Secretary Pete Buttigieg said the safety of U.S. flights over Belarus should be assessed.

But cargo carriers could be affected. On Sunday, for example, more than a dozen flights operated by U.S. airlines flew over Belarus, according to Flightradar24, including five by FedEx, four by UPS and two by Atlas Air.

In a statement, UPS said that its network remained unaffected, but that it was “evaluating other flight route options that will provide for the safety of our crews and aircraft, as well as maintain service for our customers” in case it had to make changes. FedEx said it was “closely monitoring the issue.”

The International Federation of Air Line Pilots’ Associations and the European Cockpit Association said in a statement that aviation authorities should investigate what had happened and “take swift measures” to prevent similar disruptions. They described Sunday’s episode as a “hazard to the safety of passengers and crew.”

Colonial Pipeline Now Delivering ‘Millions of Gallons’ an Hour, Owner Says

HOUSTON — The Colonial Pipeline, which delivers nearly half the transportation fuel to the Southeast and New York area, resumed full operations on Saturday, eight days after it was shut down by a ransomware attack.

It will still take days before gasoline stations around Washington, D.C., and the Southeast return to normal service, since nearly 2,000 outlets ran out of fuel and it takes time to restock.

Prices at the pump have stabilized, though. Average prices of regular gasoline in Tennessee and South Carolina, two of the hardest hit states, rose by only a penny on Saturday, according to the AAA motor club. Nationwide, gasoline prices remained stable at $3.04, eight cents higher than a week ago. Prices in the states most affected by the shutdown rose by as much as 20 cents a gallon in the last week.

“We have returned the system to normal operations, delivering millions of gallons per hour to the markets we serve,” the operator of the pipeline said on Twitter.

nearly $5 million in Bitcoin to recover its stolen data.

On Friday, DarkSide said it was shutting down because of unspecified “pressure” from the United States.

DarkSide, Blamed for Colonial Pipeline Attack, Says It Is Shutting Down

Since the DarkSide account was opened in March, Elliptic said, it had received $17.5 million from 21 Bitcoin wallets, indicating the number of ransoms it had collected just this spring. Cybersecurity analysts assess that the group has been active since at least August, and has most likely used a number of different Bitcoin wallets to receive ransoms.

The intense scrutiny that followed the Colonial Pipeline attack has clearly unsettled ransomware groups. This week, the operators behind two major Russian-language ransomware platforms, REvil and Avaddon, announced strict new rules governing the use of their products, including bans on targeting government-affiliated entities, hospitals or educational institutions.

The administrator of XSS, a popular Russian-language cybercrime forum, announced an immediate ban on all ransomware activity on the forum, citing, among other things, the bad press associated with the industry. In a statement posted in the forum, the administrator called the attention a “critical mass of harm, nonsense, hype and noise,” saying even the spokesman for President Vladimir V. Putin of Russia had weighed in on the Colonial Pipeline attack. (The spokesman, Dmitri S. Peskov, denied that the Kremlin had been involved in the attack on the pipeline.)

“The word ransom has become associated with a whole series of unpleasant things — geopolitics, blackmail, government cyberattacks,” the XSS administrator wrote. “This word has become dangerous and toxic.”

Even if DarkSide has shut down, the threat from ransomware has not passed. Cybercriminal networks often disband, regroup and rebrand themselves in an effort to throw off law enforcement, cybersecurity experts say.

“It’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” said Mark Arena, Intel 471’s chief executive. “A number of the operators will most likely continue to operate in their own close-knit groups, resurfacing under different aliases and ransomware names.”

Indeed, DarkSide gave no indication that its members were getting out of the ransomware business or even letting victims currently infected with the group’s malware off the hook. In its statement, DarkSide said it would hand over its decryption tools to affiliates, giving these intermediaries, who were responsible for infecting computer systems with the group’s malicious software, the ability to negotiate ransoms with victims directly.

“You will be given decryption tools for all the companies that haven’t paid yet,” the statement read. “After that, you will be free to communicate with them wherever you want in any way you want.”

Julian Barnes contributed reporting.

Biden Signs Executive Order to Bolster Federal Government’s Cybersecurity

WASHINGTON — As the East Coast suffered from the effects of a ransomware attack on a major petroleum pipeline, President Biden signed an executive order on Wednesday that placed strict new standards on the cybersecurity of any software sold to the federal government.

The move is part of a broad effort to strengthen the United States’ defenses by encouraging private companies to practice better cybersecurity or risk being locked out of federal contracts. But the bigger effect may arise from what could, over time, become akin to a government rating of the security of software products, much the way automobiles get a safety rating or restaurants in New York get a health safety grade.

The order comes amid a wave of new cyberattacks, more sophisticated and far-reaching than ever before. Over the past year, roughly 2,400 ransomware attacks have hit corporate, local and federal offices in extortion plots that lock up victims’ data — or publish it — unless they pay a ransom.

The most urgent fear is an attack on critical infrastructure, a point made clear this week to Americans, who were panic-buying gasoline. A ransomware attack on Colonial Pipeline’s information systems forced the company to shut down a critical pipeline that supplies 45 percent of the East Coast’s gasoline, diesel and jet fuel for several days.

SolarWinds hack, in which Russia’s premier intelligence agency altered the computer code of an American company’s network management software. It gave Russia broad access to 18,000 agencies, organizations and companies, mostly in the United States.

The new order also requires all federal agencies to encrypt data, whether it is in storage or while it is being transmitted — two very different challenges. When China stole 21.5 million files about federal employees and contractors holding security clearances, none of the files were encrypted, meaning they could be easily read. (Chinese hackers, investigators later concluded, encrypted the files themselves — to avoid being detected as they sent the sensitive records back to Beijing.)

Previous efforts to mandate minimum standards on software have failed to get through Congress, notably in a major showdown nine years ago. Small businesses have said the changes are not affordable, and larger ones have opposed an intrusive role of the federal government inside their systems.

But Mr. Biden decided it was more important to move quickly than to try to fight for broader mandates on Capitol Hill. His aides said it was a first step, and industry officials said it was bolder than they expected.

Amit Yoran, the chief executive of Tenable and a former cybersecurity official in the Department of Homeland Security, said the question on everyone’s mind was whether Mr. Biden’s order would stop the next Colonial or SolarWinds attacks.

“No one policy, government initiative or technology can do that,” Mr. Yoran said. “But this is a great start.”

Government officials have complained that Colonial had poor defenses, and while it established a hard shell around its computer networks, it had no way of monitoring an adversary who got inside. The Biden administration hopes the standards set out in the executive order, requiring multifactor authentication and other safeguards, will become widespread and improve security globally.

Senator Mark Warner, Democrat of Virginia and the chairman of the Senate Intelligence Committee, praised the order but said it would need to be followed by congressional action.

Mr. Warner said recent attacks “have highlighted what has become increasingly obvious in recent years: that the United States is simply not prepared to fend off state-sponsored or even criminal hackers intent on compromising our systems for profit or espionage.”

The new order is the first major public part of a multilayered review of defensive, offensive and legal strategies to take on adversaries around the world. This executive order, however, focuses entirely on deepening defenses, in hopes of deterring attackers because they fear they would fail — or run a higher risk of being detected.

The Justice Department is ramping up a new task force to take on ransomware, after the discovery in recent months that such attacks are more than just extortion: they can bring down sectors of the economy.

Mr. Biden announced sanctions against Russia for the SolarWinds hack, and his national security adviser, Jake Sullivan, has said there will also be “unseen” consequences. So far, the United States has not taken similar action against China’s government for its presumed involvement in another attack, exploiting holes in a Microsoft system used by large companies around the world.

The executive order was first drafted in February in response to the SolarWinds intrusion. That attack was especially sophisticated because hackers working for the Russian government managed to change code under development by the company, which unsuspectingly distributed the malware in an update to its software packages. It was discovered during Mr. Biden’s transition and led him to declare he could not trust the integrity of federal computer systems.

The review board created under the executive order will be co-led by the secretary of homeland security and a private-sector official, based on the specific episode it is investigating at the time, in an effort to win over industry executives who fear the investigations could be fodder for lawsuits.

Because it was created by an executive order, not an act of Congress, the new board will not have the same broad powers as a safety board. But officials are still hopeful it will be valuable in learning of vulnerabilities, improving security practices and urging companies to invest more in improving their networks.

Much of the executive order is focused on information sharing and transparency. It aims to speed the time companies that have been victimized by a hack or discover vulnerabilities share that information with the Cybersecurity and Infrastructure Security Agency.

The Latest News on the Colonial Pipeline Shutdown

HOUSTON — Panicked drivers scrambled to fuel their vehicles across the Southeast on Tuesday, leaving thousands of stations without gasoline as a vital fuel pipeline remained largely shut down after a ransomware attack.

The disruption to the Colonial Pipeline, which stretches 5,500 miles from Texas to New Jersey, also left airlines vulnerable, with several saying they would send jet fuel to the region by air to ensure that service would not be disrupted.

Gasoline in Georgia and a few other states rose 3 to 10 cents a gallon on Tuesday, a jump typically seen only when hurricanes interrupt refinery and pipeline operations along the Gulf Coast.

The national average for a gallon of regular gasoline rose 2 cents on Tuesday, with higher prices reported in the Southeast, according to the AAA motor club. The average increase was nearly 7 cents in South Carolina, 6 cents in North Carolina and 3 cents in Virginia.

Gas Buddy, a service that tracks gas prices, reported.

“There’s no gas, and people are getting frustrated,” said Ariyana Ward, a 19-year-old college student in Virginia Beach who waited 45 minutes to fill up. With some motorists taking time to fill cans as well as cars, she said, “people are getting into shouting matches.”

State leaders responded with measures intended to keep the flow of fuel steady and stabilize prices.

suspend some fuel transport rules. Governor DeSantis also activated the National Guard to cope with the emergency.

South Carolina’s attorney general, Alan Wilson, announced that he was ready to invoke the state’s price-gouging law, making excessive overcharging a criminal offense. “I’m urging everyone to be careful and be patient,” Mr. Wilson said.

At the White House, Energy Secretary Jennifer M. Granholm told reporters, “We know we have gasoline; we just need to get it to the right places.” But she made no promises about when the pipeline, which was shut down to prevent the cyberattack from spreading, would resume operations, saying the company will decide on Wednesday whether it is ready to do so.

She said she expected gas station operators to act “responsibly,” adding, “We have no tolerance for price gouging.”

The administration considered other steps that might alleviate shortages, including moving gasoline, diesel and jet fuel by train, or issuing a waiver for a 1920 law known as the Jones Act, which requires that maritime shipments be on vessels owned and staffed by Americans. But it was unclear if the right kind of either rail cars or foreign-registered ships were available.

“There are no easy solutions,” Ms. Granholm said.

The Environmental Protection Agency administrator, Michael Regan, issued an emergency waiver for fuel air emissions on Tuesday to help alleviate fuel shortages in places affected by the pipeline shutdown, including the District of Columbia, Maryland, Pennsylvania and Virginia. The waiver will continue through next Tuesday.

Colonial Pipeline, the company that operates the pipeline, has said it hopes to restore most operations by the end of the week. The attack, which the Federal Bureau of Investigation said had been carried out by an organized-crime group called DarkSide, has highlighted the vulnerability of the American energy system. The pipeline provides the Eastern United States with nearly half its transportation fuel.

Colonial has remained largely silent, answering no questions about the kind of protections it had in place on both its computer networks and the industrial controls that run the pipeline.

In a statement late in the day on Tuesday, Colonial said it had manually started one part of the pipeline and delivered about 41 million gallons of fuel to various locations on its system, from Atlanta, through the Carolinas and to Linden, N.J.

But the company said nothing about what factors will play into its decision on when to restart the pipeline. And it has not explained whether it found any evidence that the malware placed in its data systems could migrate to the operations of the pipeline.

Several experts noted that while the two networks are described as separate entities, they have considerable crossover. For example, one of the systems the ransomware group tied up tracks how much fuel each customer uses. Without that running, Colonial would not know how much fuel any of its customers were receiving — or how to get paid for it.

Industry analysts said the impact of the hacking would remain relatively minor as long as the artery was fully restored soon. “With a resolution to the shutdown in sight, the cyberattack is now treated as a small disturbance by the market, and prices are trimming Monday’s panic-gains,” said Louise Dickson, an oil markets analyst for Rystad Energy.

a 2018 report, the group argued that the interstate pipeline system used to supply jet fuel to airports had grown increasingly vulnerable to costly disruptions. And when disruptions occur, airlines have few good options beyond flying in extra fuel, adding stops to flights, or canceling and rerouting flights.

After the disruption last weekend, American Airlines said it had added stops to two daily flights out of Charlotte, N.C. One, to Honolulu, will stop in Dallas, where customers will change planes. The other, to London, will stop in Boston to refuel. The flights are expected to return to their original schedules on Saturday.

Southwest Airlines said it was flying in supplemental fuel to Nashville, and United Airlines said it was flying extra fuel to Baltimore; Nashville; Savannah, Ga.; and Greenville-Spartanburg International Airport in South Carolina. United, Southwest and Delta Air Lines said they had not experienced any disruptions to their operations so far.

Gillian Friedman contributed reporting.


FBI Confirms DarkSide as Colonial Pipeline Hacker

President Biden said on Monday that the United States would “disrupt and prosecute” a criminal gang of hackers called DarkSide, which the F.B.I. formally blamed for a huge ransomware attack that has disrupted the flow of nearly half of the gasoline and jet fuel supplies to the East Coast.

The F.B.I., clearly concerned that the ransomware effort could spread, issued an emergency alert to electric utilities, gas suppliers and other pipeline operators to be on the lookout for code like the kind that locked up Colonial Pipeline, a private firm that controls the major pipeline carrying gasoline, diesel and jet fuel from the Texas Gulf Coast to New York Harbor.

The pipeline remained offline for a fourth day on Monday as a pre-emptive measure to keep the malware that infected the company’s computer networks from spreading to the control systems that run the pipeline. So far, the effects on gasoline and other energy supplies seem minimal, and Colonial said it hoped to have the pipeline running again by the end of this week.

The attack prompted emergency meetings at the White House all through the weekend, as officials tried to understand whether the episode was purely a criminal act — intended to lock up Colonial’s computer networks unless it paid a large ransom — or was the work of Russia or another state that was using the criminal group covertly.

the Washington, D.C., Police Department, have also been hit.

The explosion of ransomware cases has been fueled by the rise of cyberinsurance — which has made many companies and governments ripe targets for criminal gangs that believe their targets will pay — and of cryptocurrencies, which make extortion payments harder to trace.

In this case, the ransomware was not directed at the control systems of the pipeline, federal officials and private investigators said, but rather the back-office operations of Colonial Pipeline. Nonetheless, the fear of greater damage forced the company to shut down the system, a move that drove home the huge vulnerabilities in the patched-together network that keeps gas stations, truck stops and airports running.

A preliminary investigation showed poor security practices at Colonial Pipeline, according to federal and private officials familiar with the inquiry. The lapses, they said, most likely made the act of breaking into and locking up the company’s systems fairly easy.

executive order in the coming days to strengthen America’s cyberdefenses, said there was no evidence that the Russian government was behind the attack. But he said he planned to meet with President Vladimir V. Putin of Russia soon — the two men are expected to hold their first summit next month — and he suggested Moscow bore some responsibility because DarkSide is believed to have roots in Russia and the country provides a haven for cybercriminals.

“There are governments that turn a blind eye or affirmatively encourage these groups, and Russia is one of those countries,” said Christopher Painter, the United States’ former top cyberdiplomat. “Putting pressure on safe havens for these criminals has to be a part of any solution.”

Colonial’s pipelines feed large storage tanks up and down the East Coast, and supplies seem plentiful, in part because of reduced traffic during the pandemic. Colonial issued a statement on Monday saying its goal was to “substantially” resume service by the end of the week, but the company cautioned that the process would take time.

mounted a not-so-secret effort to put malware in the Russian grid as a warning.

But in the many simulations run by government agencies and electric utilities of what a strike against the American energy sector would look like, the effort was usually envisioned as some kind of terrorist strike — a mix of cyber and physical attacks — or a blitz by Iran, China or Russia in the opening moments of a larger military conflict.

But this case was different: a criminal actor who, in trying to extort money from a company, ended up bringing down the system. One senior Biden administration official called it “the ultimate blended threat” because it was a criminal act, the kind the United States would normally respond to with arrests or indictments, that resulted in a major threat to the nation’s energy supply chain.

By threatening to “disrupt” the ransomware group, Mr. Biden may have been signaling that the administration was moving to take action against these groups beyond merely indicting them. That is what United States Cyber Command did last year, ahead of the presidential election in November, when its military hackers broke into the systems of another ransomware group, called Trickbot, and manipulated its command-and-control computer servers so that it could not lock up new victims with ransomware. The fear at that time was that the ransomware group might sell its skills to governments, including Russia, that sought to freeze up election tabulations.

On Monday, DarkSide argued it was not operating on behalf of a nation-state, perhaps in an effort to distance itself from Russia.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” it said in a statement posted on its website. “Our goal is to make money and not creating problems for society.”

The group seemed somewhat surprised that its actions resulted in closing a major pipeline and suggested that perhaps it would avoid such targets in the future.

“From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” the group said, though it was unclear how it defined “moderation.”

DarkSide is a relative newcomer to the ransomware scene, what Ms. Neuberger called “a criminal actor” that hires out its services to the highest bidder, then shares “the proceeds with ransomware developers.” It is essentially a business model in which some of the ill-gotten gains are poured into research and development on more effective forms of ransomware.

The group often portrays itself as a sort of digital Robin Hood, stealing from companies and giving to others. DarkSide says it avoids hacking hospitals, funeral homes and nonprofits, but it takes aim at large corporations, at times donating its proceeds to charities. Most charities have turned down its offers of gifts.

One clue to DarkSide’s origins lies in its code. Private researchers note DarkSide’s ransomware asks victims’ computers for their default language setting, and if it is Russian, the group moves along to other victims. It also seems to avoid victims that speak Ukrainian, Georgian and Belarusian.

Its code bears striking similarities to that used by REvil, a ransomware group that was among the first to offer “ransomware as a service” — essentially hackers for hire — to hold systems hostage with ransomware.

“It appears this was an offshoot that wanted to go into business for themselves,” said Jon DiMaggio, a former intelligence community analyst who is now the chief security strategist of Analyst1. “To get access to REvil’s code, you’d have to have it or steal it because it’s not publicly available.”

DarkSide makes smaller ransom demands than the eight-figure sums that REvil is known for — somewhere from $200,000 to $2 million. It puts a unique key in each ransom note, Mr. DiMaggio said, which suggests that DarkSide tailors attacks to each victim.

“They’re very selective compared to most ransomware groups,” he said.
