Colonial Pipeline hack claimed by Russian group DarkSide spurs emergency order from White House

May 11, 2021

The federal government issued a rare emergency declaration on Sunday, May 9, after a cyberattack on a major U.S. pipeline choked the transportation of oil to the East Coast, NBC News reports.

The Colonial Pipeline is the largest refined products pipeline in the United States—transporting more than 100 million gallons of fuel daily to meet the energy needs of consumers from Houston, Texas to the New York Harbor.

The pipeline shut down all its operations on Friday, May 7, after hackers broke into some of its networks, NBC News said. All four of its main lines remain offline.

The emergency declaration from the Department of Transportation aims to ramp up alternative transportation routes for oil and gas. It lifts regulations on drivers carrying fuel in 17 states across the South and eastern United States, as well as the District of Columbia—allowing them to drive between fuel distributors and local gas stations on more overtime hours and less sleep than federal restrictions normally allow. America already is dealing with a shortage of tanker truck drivers.

The emergency order extends through June 8, and can be renewed. Colonial has yet to declare a date it expects it will resume full operations.

In a statement released Monday afternoon, the company indicated it was working to slowly resume operations: “While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach,” the company said in a press release.

Industry experts already have warned that a prolonged shutdown of the pipeline could push gas prices higher and cause disruptions in eastern parts of the United States.

The FBI confirmed Monday that the culprit is a strain of ransomware called DarkSide, believed to be operated by a Russian cybercrime gang referred to by the same name. Like many ransomware gangs, DarkSide makes money by hacking a victim’s network, encrypting their files so they can’t be accessed and threatening to publish them online if they’re not paid a hefty fee.


In a statement posted to its website, DarkSide echoed a sentiment common across ransomware gangs—that they’re an apolitical group, only interested in making money—but seemed to acknowledge that by hampering the fuel industry, they may have crossed a line with the United States that no ransomware gang has crossed before.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined goverment and look for other our motives,” the gang posted, misspelling “government.”

“Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

Brett Callow, a threat analyst at the cybersecurity company Emsisoft who tracks ransomware, said there were signs in DarkSide’s malicious software that it was meant to hit targets outside Russia and eastern Europe. He noted that the software is coded to not work against computers where Russian or one of several other eastern European languages are set as the default.

“DarkSide doesn’t eat in Russia,” Callow said. “It checks the language used by the system and, if it’s Russian, it quits without encrypting.”
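The language gate Callow describes is a common pattern in ransomware built by crews operating out of the former Soviet Union. The following Python script is an added example written for this page to show how such a check is typically implemented on Windows; it is not DarkSide’s code, and the article does not say which API or exact locale list DarkSide uses. The Windows primary language IDs come from Microsoft’s LCID table, but treating this particular set as the excluded list, and the use of GetUserDefaultUILanguage, are assumptions made for illustration.

```python
"""Emulation of a locale-based ransomware kill switch (added example, not DarkSide's code)."""
import ctypes
import locale
import sys

# Windows primary language IDs (the low 10 bits of an LCID) for Russian and
# several other locales of the former Soviet Union. The IDs are Microsoft's;
# which of them a given ransomware family actually excludes is an assumption here.
EXCLUDED_PRIMARY_LANGIDS = {
    0x19: "ru",  # Russian
    0x22: "uk",  # Ukrainian
    0x23: "be",  # Belarusian
    0x3F: "kk",  # Kazakh
    0x44: "tt",  # Tatar
    0x2B: "hy",  # Armenian
    0x2C: "az",  # Azerbaijani
    0x37: "ka",  # Georgian
    0x43: "uz",  # Uzbek
    0x28: "tg",  # Tajik
    0x40: "ky",  # Kyrgyz
    0x42: "tk",  # Turkmen
}
EXCLUDED_LANGUAGE_CODES = set(EXCLUDED_PRIMARY_LANGIDS.values())


def primary_langid(lcid: int) -> int:
    """Equivalent of the Win32 PRIMARYLANGID() macro: bits 0-9 of an LCID.

    Bits 10-15 carry the sublanguage, so ru-RU (0x0419) and ru-MD (0x0819)
    share primary ID 0x19 and are treated alike, which is why such checks
    key on the primary ID rather than the full LCID.
    """
    return lcid & 0x3FF


def language_code(tag: str) -> str:
    """Reduce a POSIX or BCP-47 tag ('ru_RU.UTF-8', 'uk-UA', 'RU') to its language code."""
    return tag.replace("-", "_").split("_")[0].split(".")[0].lower()


def is_excluded_lcid(lcid: int) -> bool:
    return primary_langid(lcid) in EXCLUDED_PRIMARY_LANGIDS


def is_excluded_tag(tag: str) -> bool:
    return language_code(tag) in EXCLUDED_LANGUAGE_CODES


def system_ui_language():
    """Return (lcid, tag) for this host; one of the two is None depending on platform."""
    if sys.platform == "win32":
        # GetUserDefaultUILanguage is the kind of call such malware uses (assumption);
        # it returns the LANGID of the current user's UI language.
        return ctypes.windll.kernel32.GetUserDefaultUILanguage(), None
    return None, (locale.getlocale()[0] or "")


def would_encrypt(lcid=None, tag=None) -> bool:
    """The gate described in the text: return False (quit without encrypting)
    when the host reports an excluded language, True otherwise."""
    if lcid is not None and is_excluded_lcid(lcid):
        return False
    if tag and is_excluded_tag(tag):
        return False
    return True


if __name__ == "__main__":
    host_lcid, host_tag = system_ui_language()
    verdict = would_encrypt(lcid=host_lcid, tag=host_tag)
    shown = f"LCID 0x{host_lcid:04X}" if host_lcid is not None else f"tag {host_tag!r}"
    print(f"host reports {shown}; a locale-gated payload would "
          f"{'proceed' if verdict else 'quit without encrypting'}")
```

Run on a host, the script reports what that machine would present to such a check. The caveat for defenders is that this is a habit of the attackers, not a control: the list is theirs to change, and the check reads a single locale value that says nothing about where the machine actually is.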

In any scenario, it will take some time for Colonial to recover from the event, Callow said. It can take days for any large company to restore its system from data backups. Even if Colonial were to acquire a file decryptor program from the gang itself—either through paying the ransom or if DarkSide were to voluntarily provide one—it would be a slow process because of the way it’s encoded, he said.

“Remediation and recovery is not necessarily a quick and easy process, and while essential functionality can be restored more quickly, it can take organizations weeks or even months to fully return to normal operations,” he said.

Research contact: @NBCNews
