Darkside alluded to disruptive action by an unspecified law enforcement agency, though it was not clear if that was the result of U.S. action or pressure from Russia ahead of Mr. Biden’s expected summit with President Vladimir V. Putin. And going quiet might simply have reflected a decision by the ransomware gang to frustrate retaliation efforts by shutting down its operations, perhaps temporarily.

The Pentagon’s Cyber Command referred questions to the National Security Council, which declined to comment.

The episode underscored the emergence of a new “blended threat,” one that may come from cybercriminals, but is often tolerated, and sometimes encouraged, by a nation that sees the attacks as serving its interests.That is why Mr. Biden singled out Russia — not as the culprit, but as the nation that harbors more ransomware groups than any other country.

“We do not believe the Russian government was involved in this attack, but we do have strong reason to believe the criminals who did this attack are living in Russia,” Mr. Biden said. “We have been in direct communication with Moscow about the imperative for responsible countries to take action against these ransomware networks.”

With Darkside’s systems down, it is unclear how Mr. Biden’s administration would retaliate further, beyond possible indictments and sanctions, which have not deterred Russian cybercriminals before. Striking back with a cyberattack also carries its own risks of escalation.

The administration also has to reckon with the fact that so much of America’s critical infrastructure is owned and operated by the private sector and remains ripe for attack.

“This attack has exposed just how poor our resilience is,” said Kiersten E. Todt, the managing director of the nonprofit Cyber Readiness Institute. “We are overthinking the threat, when we’re still not doing the bare basics to secure our critical infrastructure.”

The good news, some officials said, was that Americans got a wake-up call. Congress came face-to-face with the reality that the federal government lacks the authority to require the companies that control more than 80 percent of the nation’s critical infrastructure adopt minimal levels of cybersecurity.

The bad news, they said, was that American adversaries — not only superpowers but terrorists and cybercriminals — learned just how little it takes to incite chaos across a large part of the country, even if they do not break into the core of the electric grid, or the operational control systems that move gasoline, water and propane around the country.

Something as basic as a well-designed ransomware attack may easily do the trick, while offering plausible deniability to states like Russia, China and Iran that often tap outsiders for sensitive cyberoperations.

It remains a mystery how Darkside first broke into Colonial’s business network. The privately held company has said virtually nothing about how the attack unfolded, at least in public. It waited four days before having any substantive discussions with the administration, an eternity during a cyberattack.

Cybersecurity experts also note that Colonial Pipeline would never have had to shut down its pipeline if it had more confidence in the separation between its business network and pipeline operations.

“There should absolutely be separation between data management and the actual operational technology,” Ms. Todt said. “Not doing the basics is frankly inexcusable for a company that carries 45 percent of gas to the East Coast.”

Other pipeline operators in the United States deploy advanced firewalls between their data and their operations that only allow data to flow one direction, out of the pipeline, and would prevent a ransomware attack from spreading in.

Colonial Pipeline has not said whether it deployed that level of security on its pipeline. Industry analysts say many critical infrastructure operators say installing such unidirectional gateways along a 5,500-mile pipeline can be complicated or prohibitively expensive. Others say the cost to deploy those safeguards are still cheaper than the losses from potential downtime.

Deterring ransomware criminals, which have been growing in number and brazenness over the past few years, will certainly be more difficult than deterring nations. But this week made the urgency clear.

“It’s all fun and games when we are stealing each other’s money,” said Sue Gordon, a former principal deputy director of national intelligence, and a longtime C.I.A. analyst with a specialty in cyberissues, said at a conference held by The Cipher Brief, an online intelligence newsletter. “When we are messing with a society’s ability to operate, we can’t tolerate it.”

View Source

Colonial Pipeline Paid Roughly $5 Million in Ransom to Hackers

In a separate ransomware attack on the Washington, D.C., Metropolitan Police Department, hackers said the price the police offered to pay was “too small” and dumped 250 gigabytes of the department’s data online this week, including databases that track gang members.

In his remarks on Thursday, Mr. Biden seized on the Colonial Pipeline hack as further proof that the United States needed to improve its critical infrastructure, and he urged lawmakers to back his $2.3 trillion proposal to rebuild roads, bridges, pipelines and other projects.

Republicans have balked at the size of Mr. Biden’s proposals, accusing the president of wanting to raise taxes to pay for things that they do not consider infrastructure, like programs for home health aides. Mr. Biden has proposed to increase taxes on wealthy people and corporations to pay for his spending, but has said he is open to other ideas.

“I’m willing to negotiate, as I indicated yesterday to the House members and to the leadership,” Mr. Biden said. “But it’s clearer than ever that doing nothing is not an option.”

Gasoline prices rose by roughly 3 cents in South Carolina and Georgia from Wednesday to Thursday, about half the amount of the increases of the previous few days. But prices in Tennessee, which depends on an offshoot of the pipeline, rose by 6 cents, to $2.87 for a gallon of regular. Nationwide, the average price for a gallon of regular increased by 2 cents, to $3.03, according to the AAA auto club.

Gasoline supplies vary from state to state along the pipeline, in part because some places have more storage than others. In New Jersey, only 1 percent of gasoline stations lacked fuel early Thursday morning, while more than half of the stations in Virginia, North Carolina and South Carolina were out of fuel, according to GasBuddy, an app that monitors fuel supplies. Friday is traditionally the biggest day for gasoline sales.

It is likely to take at least through the weekend for supply at all gasoline stations to return to normal functioning because it takes time for fuel to pass through the pipeline.

View Source

Colonial Pipeline paid 75 Bitcoin, or roughly $5 million, to hackers.

Colonial Pipeline paid its extortionists roughly 75 Bitcoin, or nearly $5 million, to recover its stolen data, according to people briefed on the transaction.

The payment came after cybercriminals last week held up Colonial Pipeline’s business networks with ransomware, a form of malware that encrypts data until the victim pays, and threatened to release it online. Colonial Pipeline pre-emptively shut down its pipeline operations to keep the ransomware from spreading and because it had no way to bill customers with its business and accounting networks offline.

The shutdown of the company’s network, which includes 5,500 miles of pipeline that supplies nearly half the gas, diesel and jet fuel to the East Coast, triggered a cascading crisis that led to emergency meetings at the White House, a jump in gas prices, panic buying at the gas pumps, and forced some airlines to make fuel stops on long-haul flights.

The ransom payment was first reported by Bloomberg. A spokeswoman for Colonial declined to confirm or deny that the company had paid a ransom.

first reported that Colonial had shut down its pipeline partly because its billing systems were taken offline and it had no way to charge customers.

Many organizations across the United States, including police departments, have opted to pay their ransomware extortionists rather than suffer the loss of critical data or incur the costs of rebuilding computer systems from scratch.

In a separate ransomware attack on the Washington, D.C., Metropolitan Police Department, hackers said the price the police offered to pay was “too small” and dumped 250 gigabytes of the department’s data online this week, including databases that track gang members and social media preservation requests.

“This is an indicator of why we should pay,” the cybercriminals, called Babuk, said in a post online. “The police also wanted to pay us, but the amount turned out to be too small. Look at this wall of shame,” they wrote, “you have every chance of not getting there. Just pay us!”

Julian E. Barnes contributed reporting.

View Source

FBI Confirms DarkSide as Colonial Pipeline Hacker

President Biden said on Monday that the United States would “disrupt and prosecute” a criminal gang of hackers called DarkSide, which the F.B.I. formally blamed for a huge ransomware attack that has disrupted the flow of nearly half of the gasoline and jet fuel supplies to the East Coast.

The F.B.I., clearly concerned that the ransomware effort could spread, issued an emergency alert to electric utilities, gas suppliers and other pipeline operators to be on the lookout for code like the kind that locked up Colonial Pipelines, a private firm that controls the major pipeline carrying gasoline, diesel and jet fuel from the Texas Gulf Coast to New York Harbor.

The pipeline remained offline for a fourth day on Monday as a pre-emptive measure to keep the malware that infected the company’s computer networks from spreading to the control systems that run the pipeline. So far, the effects on gasoline and other energy supplies seem minimal, and Colonial said it hoped to have the pipeline running again by the end of this week.

The attack prompted emergency meetings at the White House all through the weekend, as officials tried to understand whether the episode was purely a criminal act — intended to lock up Colonial’s computer networks unless it paid a large ransom — or was the work of Russia or another state that was using the criminal group covertly.

the Washington, D.C., Police Department, have also been hit.

The explosion of ransomware cases has been fueled by the rise of cyberinsurance — which has made many companies and governments ripe targets for criminal gangs that believe their targets will pay — and of cryptocurrencies, which make extortion payments harder to trace.

In this case, the ransomware was not directed at the control systems of the pipeline, federal officials and private investigators said, but rather the back-office operations of Colonial Pipeline. Nonetheless, the fear of greater damage forced the company to shut down the system, a move that drove home the huge vulnerabilities in the patched-together network that keeps gas stations, truck stops and airports running.

A preliminary investigation showed poor security practices at Colonial Pipeline, according to federal and private officials familiar with the inquiry. The lapses, they said, most likely made the act of breaking into and locking up the company’s systems fairly easy.

executive order in the coming days to strengthen America’s cyberdefenses, said there was no evidence that the Russian government was behind the attack. But he said he planned to meet with President Vladimir V. Putin of Russia soon — the two men are expected to hold their first summit next month — and he suggested Moscow bore some responsibility because DarkSide is believed to have roots in Russia and the country provides a haven for cybercriminals.

“There are governments that turn a blind eye or affirmatively encourage these groups, and Russia is one of those countries,” said Christopher Painter, the United States’ former top cyberdiplomat. “Putting pressure on safe havens for these criminals has to be a part of any solution.”

Colonial’s pipelines feed large storage tanks up and down the East Coast, and supplies seem plentiful, in part because of reduced traffic during the pandemic. Colonial issued a statement on Monday saying its goal was to “substantially” resume service by the end of the week, but the company cautioned that the process would take time.

mounted a not-so-secret effort to put malware in the Russian grid as a warning.

But in the many simulations run by government agencies and electric utilities of what a strike against the American energy sector would look like, the effort was usually envisioned as some kind of terrorist strike — a mix of cyber and physical attacks — or a blitz by Iran, China or Russia in the opening moments of a larger military conflict.

But this case was different: a criminal actor who, in trying to extort money from a company, ended up bringing down the system. One senior Biden administration official called it “the ultimate blended threat” because it was a criminal act, the kind the United States would normally respond to with arrests or indictments, that resulted in a major threat to the nation’s energy supply chain.

By threatening to “disrupt” the ransomware group, Mr. Biden may have been signaling that the administration was moving to take action against these groups beyond merely indicting them. That is what United States Cyber Command did last year, ahead of the presidential election in November, when its military hackers broke into the systems of another ransomware group, called Trickbot, and manipulated its command-and-control computer servers so that it could not lock up new victims with ransomware. The fear at that time was that the ransomware group might sell its skills to governments, including Russia, that sought to freeze up election tabulations.

On Monday, DarkSide argued it was not operating on behalf of a nation-state, perhaps in an effort to distance itself from Russia.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” it said in a statement posted on its website. “Our goal is to make money and not creating problems for society.”

The group seemed somewhat surprised that its actions resulted in closing a major pipeline and suggested that perhaps it would avoid such targets in the future.

“From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” the group said, though it was unclear how it defined “moderation.”

DarkSide is a relative newcomer to the ransomware scene, what Ms. Neuberger called “a criminal actor” that hires out its services to the highest bidder, then shares “the proceeds with ransomware developers.” It is essentially a business model in which some of the ill-gotten gains are poured into research and development on more effective forms of ransomware.

The group often portrays itself as a sort of digital Robin Hood, stealing from companies and giving to others. DarkSide says it avoids hacking hospitals, funeral homes and nonprofits, but it takes aim at large corporations, at times donating its proceeds to charities. Most charities have turned down its offers of gifts.

One clue to DarkSide’s origins lies in its code. Private researchers note DarkSide’s ransomware asks victims’ computers for their default language setting, and if it is Russian, the group moves along to other victims. It also seems to avoid victims that speak Ukrainian, Georgian and Belarusian.

Its code bears striking similarities to that used by REvil, a ransomware group that was among the first to offer “ransomware as a service” — essentially hackers for hire — to hold systems hostage with ransomware.

“It appears this was an offshoot that wanted to go into business for themselves,” said Jon DiMaggio, a former intelligence community analyst who is now the chief security strategist of Analyst1. “To get access to REvil’s code, you’d have to have it or steal it because it’s not publicly available.”

DarkSide makes smaller ransom demands than the eight-figure sums that REvil is known for — somewhere from $200,000 to $2 million. It puts a unique key in each ransom note, Mr. DiMaggio said, which suggests that DarkSide tailors attacks to each victim.

“They’re very selective compared to most ransomware groups,” he said.

View Source

White House Weighs New Cybersecurity Approach After Failure to Detect Hacks

The question is how to set up such a system.

After revelations in 2013 by the former intelligence contractor Edward J. Snowden that set off a debate about government surveillance, American technology companies are wary of the appearance of sharing data with American intelligence agencies, even if that data is just warnings about malware. Google was stung by the revelation in the Snowden documents that the National Security Agency was intercepting data transmitted between its servers overseas. Several years later, under pressure from its employees, it ended its participation in Project Maven, a Pentagon effort to use artificial intelligence to make its drones more accurate.

Amazon, in contrast, has no such compunctions about sensitive government work: It runs the cloud server operations for the C.I.A. But when the Senate Intelligence Committee asked company officials to testify last month — alongside executives of FireEye, Microsoft and SolarWinds — about how the Russians exploited systems on American soil to launch their attacks, they declined to attend.

Companies say that before they share reporting on vulnerabilities, they would need strong legal liability protections.

The most politically palatable headquarters for such a clearinghouse — avoiding the legal and civil liberties concerns of using the National Security Agency — would be the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Mr. Gerstell described the idea as “automated computer sensors and artificial intelligence acting on information as it comes in and instantaneously spitting it back out.”

The department’s existing “Einstein” system, which is supposed to monitor intrusions and potential attacks on federal agencies, never saw the Russian attack underway — even though it hit nine federal departments and agencies. The F.B.I., lawmakers say, does not have broad monitoring capabilities, and its focus is divided across other forms of crime, counterterrorism and now domestic extremism threats.

“I don’t want the intelligence agencies spying on Americans, but that leaves the F.B.I. as the de facto domestic intelligence agency to deal with these kinds of attacks,” said Senator Angus King, a Maine independent, member of the Senate Intelligence Committee and co-chairman of the cyberspace commission. “I’m just not sure they’re set up for this.”

There are other hurdles. The process of getting a search warrant is too cumbersome for tracking nation-state cyberattacks, Mr. Gerstell said. “Someone’s got to be able to take that information from the N.S.A. and instantly go take a look at that computer,” he said. “But the F.B.I. needs a warrant to do that, and that takes time by which point the adversary has escaped.”

View Source