WASHINGTON — A Russian criminal group may be responsible for a ransomware attack that shut down a major U.S. fuel pipeline, two sources familiar with the matter said Sunday.
The group, known as DarkSide, is relatively new but has a sophisticated approach to the business of extortion, the sources said.
Commerce Secretary Gina Raimondo said Sunday that the White House was working to help Colonial Pipeline, the Georgia-based company that operates the pipeline, to restart its 5,500-mile network.
The system runs from Texas to New Jersey and transports 45 percent of the East Coast’s fuel supply. In a statement Sunday, the company said that some smaller lateral lines were operational, but the main lines remained down.
“We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations,” the company said.
Speaking on CBS’ “Face the Nation,” Raimondo called the effort to restart the network “an all hands on deck effort right now.”
“We are working closely with the company, state and local officials, to make sure that they get back up to normal operations as quickly as possible and there aren’t disruptions in supply.”
She added, “Unfortunately, these sorts of attacks are becoming more frequent. They’re here to stay.”
A White House official said Sunday that the Department of Energy is leading the government’s response to the attack. Agencies are planning for a number of scenarios in which the region’s fuel supply takes a hit, the official said.
On Saturday, Colonial Pipeline blamed the cyberattack on ransomware and said some of its information technology systems were affected. It added that it “proactively” took “certain systems offline to contain the threat.”
The company has not said what was demanded or who made the demand.
Although Russian hackers often freelance for the Kremlin, early indications suggest this was a criminal scheme — not an attack by a nation state, the sources said.
But the fact that Colonial had to shut down the country’s largest gasoline pipeline underscores just how vulnerable American’s cyber infrastructure is to both criminals and national adversaries, such as Russia, China and Iran, experts say.
“This could be the most impactful ransomware attack in history, a cyber disaster turning into a real-world catastrophe,” said Andrew Rubin, CEO and co-founder of Illumio, a cyber security firm.
“It’s an absolute nightmare, and it’s a recurring nightmare,” he said. “Organizations continue to rely and invest entirely on detection as if they can stop all breaches from happening. But this approach misses attacks over and over again. Before the next inevitable breach, the President and Congress need to take action on our broken security model.”
If the culprit turns out to be a Russian criminal group, it will underscore that Russia gives free reign to criminal hackers who target the West, said Dmitri Alperovitch, co-founder of the cyber firm CrowdStrike and now executive chairman of a think tank, the Silverado Policy Accelerator.
“Whether they work for the state or not is increasingly irrelevant, given Russia’s obvious policy of harboring and tolerating cyber crime,” he said.
According to a top Reuters cyber security reporter, DarkSide has its own web site on the dark web that claims the group has made millions from cyber extortion and features an array of leaked data from victims who failed to pay ransom.
Tim Stelloh and The Associated Press contributed.
