FBI identifies DarkSide as the Colonial Pipeline hacker

President Biden said on Monday that the United States would "disrupt and prosecute" a criminal group of hackers called DarkSide, which the FBI formally accused of the huge ransomware attack that disrupted almost half the flow of gasoline and jet fuel supplies to the East Coast.

The FBI is clearly concerned that the ransomware campaign may spread. It issued emergency alerts to utilities, gas suppliers and other pipeline operators to be on the lookout for code like the one that appears to have locked up Colonial Pipeline, the private company that operates the major pipeline carrying gasoline, diesel and jet fuel from the Texas Gulf Coast to New York Harbor.

The pipeline remained offline for a fourth day on Monday as a precaution to keep the malware that infected the company's business computer network from spreading to the control systems that run the pipeline. So far the impact on gasoline and other energy supplies appears minimal, and Colonial said it hoped to have the pipeline running again by the end of this week.

The attack prompted emergency meetings at the White House throughout the weekend, as officials tried to determine whether the episode was purely criminal (aimed at locking up Colonial's computer network unless it paid a large ransom), whether Russia was secretly using a criminal group, or whether it was the work of some other state.

So far, intelligence officials said, all signs point to extortion by a group believed to have begun such ransomware deployments in Eastern Europe, perhaps Russia, in August of last year. The group's own statement on Monday offered some evidence that it had simply intended to extort money from the company and was surprised that its attack ended up cutting off major gasoline and jet fuel supplies to the East Coast.

The attack exposes significant vulnerabilities in a major US energy conduit at a time when hackers are growing bolder in going after critical infrastructure such as power grids, pipelines, hospitals and water treatment facilities. The city governments of Atlanta and New Orleans, and in the last few weeks the Washington, DC, police department, have also been hit.

The explosive growth of ransomware is being driven by the rise of cyber insurance (which has made many companies and governments riper targets for criminal organizations that believe they will pay) and by the rise of cryptocurrencies, which make extortion payments difficult to trace.

In this case the ransomware was directed not at the pipeline's control systems but at Colonial Pipeline's back-office operations, federal officials and private investigators said. Nevertheless, the company was forced to shut the pipeline down for fear of greater damage, a move that exposed a huge vulnerability in the patchwork network that keeps gas stations, truck stops and airports running.

Preliminary investigations have found inadequate security practices at Colonial Pipeline, according to federal and private-sector officials familiar with the inquiry. Those lapses, they said, most likely made it far easier for the attackers to break into and lock up the company's systems.

Colonial Pipeline did not answer questions about what investments it had made to protect its network and declined to say whether it had paid the ransom. The company also appeared reluctant to accept federal help in strengthening its defenses.

"For now, they aren't asking the federal government for cyber assistance," Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, told reporters at a White House briefing. Asked whether the federal government would recommend paying the ransom, she said: "If the data is encrypted, there is no backup, and the data cannot be recovered, businesses are often in a difficult position."

Ms. Neuberger did not say so, but that appears to be essentially what happened to Colonial.

Mr. Biden said he would issue an executive order in the coming days to strengthen US cyber defenses. He said there was no evidence that the Kremlin was behind the attack, but that he would soon be meeting Russian President Vladimir Putin; the two men will hold their first summit next month. DarkSide is believed to have roots in Russia, a country that has been a haven for cybercriminals.

"Russia is one of those countries where the government turns a blind eye to and actively encourages these groups," said Christopher Painter, a former top cyber diplomat for the United States. "Putting pressure on the safe havens for these criminals must be part of any solution."

The Colonial pipeline feeds large storage tanks up and down the East Coast, and supplies appear ample, partly because of reduced travel during the pandemic. In a statement on Monday, Colonial said its goal was to "substantially" restore service by the weekend, but it warned that the process would take time.

Elizabeth Sherwood-Randall, Mr. Biden's homeland security adviser and a former deputy secretary of energy in the Obama administration, said the Department of Energy was leading the federal response and had "convened our partners in the oil, gas and electricity sectors to share details" of the ransomware attack and recommended measures to mitigate further incidents across the industry. She said the federal government had relaxed rules for drivers who truck gasoline and jet fuel in order to mitigate the impact.

"For now, there is no shortage of supplies," she said. "We are prepared for a number of possible contingencies." But, she said, the job of bringing the pipeline back online rests with Colonial.

For many officials who have struggled for years to protect critical US infrastructure from cyberattacks, the only surprise about what happened in the last few days was that it took so long to happen. When Leon E. Panetta was secretary of defense under President Barack Obama, he warned of a "Pearl Harbor" that could cut off electricity and fuel.

During the Trump administration, the Department of Homeland Security issued warnings about Russian malware in the US power grid, and the United States launched a not-so-secret effort to place malware in Russia's grid as a warning.

But in the many simulations that government agencies and power companies have run of what a strike on the US energy sector would look like, the effort was usually envisioned as some kind of terrorist strike (a mixture of cyber and physical attacks), or as a strike by Iran, China or Russia in the opening moments of a larger military conflict.

But this case was different. A criminal group trying to extort money from a company ended up bringing the system down. A senior Biden administration official described it as the "ultimate" case of a "mixed threat": a criminal act, the kind the United States would normally answer with arrests and prosecutions, that also posed a major threat to the nation's energy supply chain.

By threatening to "disrupt" ransomware groups, Mr. Biden may have signaled that the administration is moving to take direct action against these groups rather than just prosecuting them. Before the presidential election last November, US cyber forces broke into the systems of another ransomware group, called TrickBot, and took over its command-and-control servers to keep the ransomware from trapping new victims. The fear at the time was that the ransomware group could sell its skills to governments, including Russia, that might try to freeze election tallies.

On Monday, DarkSide claimed that it was not acting on behalf of any nation-state, perhaps to distance itself from Russia.

"We are apolitical, we do not participate in geopolitics, and there is no need to tie us to a defined government and look for our motives," the group said in a statement posted on its website. "Our goal is to make money, and not to create problems for society."

The group seemed somewhat surprised that its action resulted in the shutdown of a major pipeline, and suggested that it would probably avoid such targets in the future.

"Starting today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future," the group said, though what "moderation" meant was unclear.

DarkSide is a relative newcomer to the ransomware scene, what Ms. Neuberger called a "criminal" enterprise that serves the highest bidders and "shares revenue with ransomware developers." It is essentially a business model in which part of the ill-gotten profits is reinvested in the research and development of more effective forms of ransomware.

The group often describes itself as a kind of digital Robin Hood that steals from businesses and gives to others. DarkSide says it avoids hacking hospitals, funeral homes and nonprofits, targets only large corporations, and may donate some of its revenue to charities. Most charities refuse to accept such gifts.

One clue to DarkSide's origins lies in its code. Private researchers note that the DarkSide ransomware checks the victim computer's default language setting: if it is Russian, the group moves on to another victim. It also appears to avoid victims whose systems are set to Ukrainian, Georgian or Belarusian.
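The language gate described above is a common pattern in ransomware with roots in the former Soviet Union, and it is worth seeing how little it takes to implement, so that analysts know what to look for when reversing a sample. The following is an added illustration written for this article, not DarkSide's code. It assumes the Windows convention of a 16-bit LANGID whose low 10 bits hold the primary language (the `LANG_*` values below are the real constants from `winnt.h`), plus a parallel check on BCP-47 style locale strings; the article itself says only that the sample inspects the "default language setting". The function names and the sample locale list are the author's own.

```python
"""Locale gate of the kind the article describes: a sample reads the victim
machine's default language and aborts when it is Russian, Ukrainian, Georgian
or Belarusian. Added example; not DarkSide's code.

Assumption: Windows exposes the default language as a 16-bit LANGID
(GetUserDefaultUILanguage / GetSystemDefaultLangID), where the low 10 bits
are the primary language and the high 6 bits the sublanguage/region.
"""
import sys
from typing import Union

# Real primary-language identifiers from winnt.h (LANG_* constants).
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22
LANG_BELARUSIAN = 0x23
LANG_GEORGIAN = 0x37

# The four languages the article says the sample steps around.
SKIPPED_PRIMARY_LANGS = {LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_GEORGIAN}

# Same languages as ISO 639-1 codes, for string-valued locales ("ru-RU", "uk_UA").
SKIPPED_LANGUAGE_TAGS = {"ru", "uk", "be", "ka"}


def primary_langid(langid: int) -> int:
    """PRIMARYLANGID(): mask off the sublanguage, e.g. 0x0419 (ru-RU) -> 0x19."""
    return langid & 0x3FF


def skip_by_langid(langid: int) -> bool:
    """True when a Windows LANGID is in the excluded set, whatever the sublanguage.

    Masking matters: 0x0419 (ru-RU) and 0x0019 (ru, neutral sublanguage) must
    both match, so a naive comparison against 0x0419 alone would be incomplete.
    """
    return primary_langid(langid) in SKIPPED_PRIMARY_LANGS


def skip_by_tag(tag: str) -> bool:
    """True for locale strings such as 'ru-RU', 'uk_UA', 'be' or 'ka-GE'.

    Accepts either '-' or '_' as separator and ignores case and surrounding
    whitespace; only the language subtag is considered.
    """
    language = tag.strip().replace("_", "-").split("-", 1)[0].lower()
    return language in SKIPPED_LANGUAGE_TAGS


def would_skip(system_default: Union[int, str]) -> bool:
    """Dispatch on whatever form the default language was read in."""
    if isinstance(system_default, int):
        return skip_by_langid(system_default)
    return skip_by_tag(system_default)


def current_default_language() -> Union[int, str]:
    """Read this host's default language: a LANGID on Windows, a locale tag elsewhere.

    On Windows this uses the real kernel32 call; elsewhere it falls back to the
    Python locale module, so the same gate logic can be exercised on any OS.
    """
    if sys.platform == "win32":
        import ctypes
        return int(ctypes.windll.kernel32.GetUserDefaultUILanguage())
    import locale
    lang, _encoding = locale.getlocale()
    return lang or "C"


if __name__ == "__main__":
    # Constructed sample of hosts with their default language, not real data.
    inventory = {
        "fileserver-01": 0x0409,   # en-US
        "hr-workstation": 0x0419,  # ru-RU
        "kyiv-laptop": "uk-UA",
        "tbilisi-kiosk": 0x0437,   # ka-GE
        "minsk-desktop": "be_BY",
        "berlin-build": "de-DE",
    }
    for host, lang in inventory.items():
        print(f"{host:16} {lang!s:8} -> {'skipped' if would_skip(lang) else 'encrypted'}")
    print("this host:", current_default_language(), "->", would_skip(current_default_language()))
```

The defensive takeaway is the inverse of the check: a host whose default language resolves to one of these four values would be passed over by a sample that implements the gate literally, which is why analysts look for locale queries early in the execution path when triaging this family. The gate is trivially bypassed by an operator who removes it, so it is a clue to origin, as the article says, not a control to rely on.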

The code closely resembles that used by REvil, the ransomware group that was an early provider of "ransomware as a service" (essentially hiring out hackers to hold systems hostage with ransomware).

"It seems that this was a splinter group that wanted to start their own business," said Jon DiMaggio, a former intelligence community analyst and now chief security strategist at Analyst1. "To have access to REvil's code, you would need to have acquired it or stolen it, because it's not publicly available."

DarkSide demands smaller ransoms than the eight-figure sums REvil is known for, typically between $200,000 and $2 million. According to Mr. DiMaggio, it puts a unique key in each ransom note, which suggests that DarkSide tailors its attacks to each victim.

“They are very selective compared to most ransomware groups,” he said.
