DarkSide, We Hardly Knew Ya: Ransomware Gang Behind Pipeline Hack ‘Quits’ the Business


Photo: PHILIPPE HUGUEN/AFP (Getty Images)

Less than 24 hours after President Joe Biden announced that the U.S. would seek to disrupt the operations of those responsible for the Colonial Pipeline attack, the gang in question seems to be ducking for cover—and claims it will shut down its criminal operation, at least for now.


In posts made online Thursday, the ransomware gang DarkSide said that large parts of its IT infrastructure had been targeted by an “unknown law enforcement agency” and that some amount of its cryptocurrency had been seized, a new report from security firm Intel471 shows. Security researchers spotted the announcements on an underground forum, where the gang claimed that its “name-and-shame blog, ransom collection website, and breach data content delivery network (CDN) were all allegedly seized, while funds from their cryptocurrency wallets allegedly were exfiltrated.”

The gang further announced that it would be shutting down operations and issuing decryptors to all of its affiliates “for the targets they attacked.” An excerpt of the note, shared by Intel471, reads as follows:

A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the

blog

payment server

CDN servers

At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked.

The hosting support service doesn’t provide any information except “at the request of law enforcement authorities.” In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.

After detailing its plans to shut down operations, the group then explicitly mentioned the U.S. as having added “pressure” to their situation:

In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck. The landing page, servers, and other resources will be taken down within 48 hours.

If this is all true, it’s a swift turnaround for DarkSide—which rocketed to notoriety last week when it successfully crippled the network of Colonial Pipeline, thus managing to extort America’s largest oil and gas conduit for a reported $5 million. Until now, the gang has run a prolific ransomware-as-a-service business, wherein it loaned out its malware to criminal “affiliates,” who then conducted cyberattacks on its behalf. In the RaaS model, affiliates receive a cut of every successful ransom secured.

According to the Intel471 report, the incident appears to have set off a shudder throughout the ransomware community, with other cybercrime forums and groups alleging similar “takedowns” and announcing new restrictions on operations. However, whether this is actually the result of some sort of law enforcement crackdown is unclear.


By the same token, not everyone agrees that DarkSide is actually telling the truth about its plans.

Kimberly Goody, senior manager of Financial Crime Analysis at FireEye’s Mandiant, said in a statement shared with Gizmodo that her company has not yet been able to verify the claims. Instead, she said, there is some online speculation that it could be a scam:

Mandiant has observed multiple actors cite a May 13 announcement that appeared to be shared with DARKSIDE RaaS affiliates by the operators of the service. This announcement stated that they lost access to their infrastructure, including their blog, payment, and CDN servers and would be closing their service…We have not independently validated these claims and there is some speculation by other actors that this could be an exit scam.


At any rate, if the gang is indeed retreating into the digital underworld, it’s likely that it will eventually regroup and resume operations at some point in the future, experts say. “A number of the operators will most likely operate in their own [close-knit] groups, resurfacing under new names and updated ransomware variants,” Intel471 says.

Ireland Shuts Down Hospital Computer Systems Nationwide After Ransomware Attack

File photo of the CEO of Ireland’s Health Service Executive (HSE) Paul Reid (center) and Chief of Staff of Ireland’s Defense Forces, Vice Admiral Mark Mellett (left) with Irish Army cadets on March 13, 2020.

Photo: Paul Faith/AFP (Getty Images)

Ireland’s public health care system, known as the Health Service Executive or HSE, shut down all of its computer systems nationwide Friday after hospital administrators became aware of a cyberattack late Thursday.


The attack is being characterized as a ransomware hack, but it’s not yet clear if the hackers succeeded at acquiring enough data to hold hostage. Ransomware hackers will steal data that hasn’t been backed up sufficiently and refuse to return it until a certain amount of money has been paid, like in the Colonial Pipeline hack in the U.S. where nearly $5 million was paid just yesterday.

“There is a significant ransomware attack on the HSE IT systems,” the HSE said in a statement posted to Twitter early Friday. “We have taken the precaution of shutting down all our IT systems in order to protect them from this attack and to allow us to fully assess the situation with our own security partners.”

All medical equipment at Ireland’s hospitals is reportedly still operational, according to the Irish Times, but registration and record-keeping have reverted to pen and paper. The nation’s ambulance service is also operating normally, according to the HSE, and covid-19 vaccinations are still taking place.

Ransomware hackers will also sometimes threaten to release sensitive information publicly, such as medical records, as another angle to make money. It’s not clear whether any patient records have been compromised.

Paul Reid, the CEO of HSE, told Irish radio that the attack was “significant” and they were working with the military as well as third-party experts on cybersecurity, according to the Irish Times.

“There has been no ransom demand at this stage. The key thing is to contain the issue,” said Reid.


Reid also said the perpetrators were an “internationally operated criminal operation,” though he didn’t go into specifics about who might be behind this attack on the Irish health system.

Fergal Malone, an administrator at the Rotunda Maternity Hospital in Dublin, told RTE Radio Ireland that his hospital was shutting down for everything deemed non-urgent and explained that doctors were currently unable to access the electronic records of patients. The radio host asked Malone when he expected the hospital would continue normal operations and he said they were simply taking it a day at a time.


“All appointments have been cancelled for today, Friday 14th May. The only exceptions are for patients who are 36 weeks or over pregnant,” the Rotunda Hospital said in a statement to Ireland’s RSVP Live.

“Otherwise you are asked NOT to attend at the Rotunda unless it is an emergency. The Rotunda will issue updated information as soon as possible.”


Ireland’s HSE did not immediately respond to an inquiry emailed early Friday but Gizmodo will update this post if we hear back.

Colonial Pipeline Reportedly Paid Hackers $5 Million for Decryption Key That Wasn’t Very Useful


Photo: JIM WATSON / AFP (Getty Images)

About a week ago, Colonial Pipeline apparently paid the ransomware group DarkSide approximately $5 million in exchange for a data decryption key that didn’t really decrypt that much data.


An investigation from Bloomberg found that, despite earlier reports suggesting the company had no intention of paying the cybercriminals, Colonial actually did just that “within hours of the attack,” using an untraceable cryptocurrency. In exchange for that fat stack of cash, Colonial received a decryption tool that was so slow that the company had to partially rely on its own back-ups to continue restoring service, the news outlet reports. New York Times reporter Nicole Perlroth later stated that the ransom was paid using 75 Bitcoin. Gizmodo sent multiple emails to Colonial representatives for comment and will update this story when we hear back.

The network-crippling attack on the energy giant brought the operation of its 5,500-mile oil pipeline system to an abrupt halt last week, swiftly spurring an energy crisis throughout many of the Southeastern cities to which it delivers oil. The incident led to shortages in multiple states and subsequently spurred a gas-buying binge, as panicked Americans flocked to stores and gas stations to purchase car fuel. The epidemic of End Time-type behavior even led the U.S. Consumer Product Safety Commission to helpfully remind consumers to “not fill plastic bags with gasoline,” always a helpful tip.

However, just as it looked like society might collapse, the pipeline came back online Wednesday night and began to churn oil back into America’s veins once more. In a statement published Thursday, the energy company said that it had regained almost full operational capacity—though getting back to a regular fuel flow is expected to take some time.

“Colonial Pipeline has made substantial progress in safely restarting our pipeline system and can report that product delivery has commenced in a majority of the markets we service. By mid-day today, we project that each market we service will be receiving product from our system,” the company said, while also providing a map of the areas that it said were currently operational, as of 9 a.m. EST. As of noon EST, the entire system was expected to have been fully operational.


Screenshot: Lucas Ropek/Colonial Pipeline

President Joe Biden also addressed the nation on Thursday, hoping to quell fears about surging gas prices and to update Americans about how the government was handling the incident. The President reiterated during his remarks that the White House did not believe that the Russian government had been involved in the ransomware attack but that it would be communicating with the Kremlin to more effectively target the criminals responsible.


“We do not believe that the Russian government was involved in this attack—but we do have strong reason to believe that the criminals who did the attack are living in Russia,” said the President. “We have been in direct communications with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks. We’re also going to pursue a measure to disrupt their ability to operate.”

Biden also referenced an executive order he passed Wednesday night, designed to bolster America’s defenses against cybercriminal networks. The order requires the creation of a Cyber Safety Review Board, a Department of Homeland Security team that will be in charge of investigating major cyber incidents. It also introduces measures to increase information sharing between private industry and the U.S. government on cyberattacks. And it creates a mandate for federal agencies to introduce multi-factor authentication and data encryption within a period of six months.


Biden did not comment at all on any financial exchange that may have occurred between Colonial and the hackers. Several high-level federal officials also refused to talk about it: “I have no knowledge of whether a ransom was paid, how much was paid, if it was paid, when it was paid,” said Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, which has been working with the embattled gas company since the attack last week.

One of the oft-made arguments for not paying ransomware gangs is that there is no guarantee that hackers will actually make good on their word to assist with decryption once money has been paid. While the ransomware business model largely hinges on criminals sticking to their promise, in many cases, decryption can be a slow, hugely imperfect process—as the Colonial episode may well demonstrate. At the same time, payment also legitimates the business model, encouraging criminals to continue seeking out new victims.


Senate Cyber Hawk Calls for ‘Criminal Penalties’ for Negligent CEOs After U.S. Pipeline Hack

Sen. Ron Wyden, D-Ore., chair of the Senate Finance Committee, prepares the panel for a vote on Xavier Becerra, President Joe Biden’s Health and Human Services Dept. nominee, at the Capitol in Washington, Wednesday, March 3, 2021.

Photo: J. Scott Applewhite (AP)

Sen. Ron Wyden, historically a leading proponent of heightened cybersecurity governance in both public and private spheres, called for congressional action Wednesday around all private firms operating in critical infrastructure sectors, saying the recent network breach at one of the largest U.S. pipelines paints a dismal picture of the nation’s susceptibility to attack.


The cyber intrusion detected at Colonial Pipeline Co. over the weekend forced the shutdown of a vital pipeline stretching from Houston to New Jersey, which typically ferries more than 2.5 million barrels of fuel per day. On Sunday, the FBI confirmed the breach involved a criminal ransomware gang known as DarkSide, which cybersecurity experts have linked to Russia, though not directly to the Kremlin. The group itself issued a statement on Monday claiming the breach was financially and not politically motivated, and that it intends to work toward “avoid[ing] social consequences in the future.”

In a statement to Gizmodo, Wyden, chair of the Senate Finance Committee, said the attack underscores a “massive problem” at companies running the country’s critical infrastructure, saying “dangerously negligent cybersecurity” portends more crippling attacks in the future. Failures at the highest corporate levels pose a significant threat to national security, he said, adding that Congress should immediately force critical infrastructure companies to institute heightened security safeguards.

“For far too long Wall Street has racked up profits by cutting jobs in safety and security, even when it puts lives and the country’s economy at risk,” he said. “There must be serious civil and criminal penalties—with personal accountability for CEOs—for critical infrastructure firms with lax cybersecurity, and federal agencies should be conducting regular cybersecurity audits of these firms.”

Wyden added: “Any company so vital to our economy that a cyberattack can disrupt the lives of millions of Americans, should be regularly audited by the government so that our adversaries are not the first ones to discover cybersecurity weaknesses.”

The Oregon senator’s focus on the culpability of corporate officers is hardly out of left field. Wyden has previously introduced and sponsored several bills concerning data security seeking tough penalties for corporate malpractice, including, in the case of Silicon Valley, prison time for executives who mislead regulatory bodies about their data handling practices.

The biggest impact of the pipeline breach so far appears to be a spike in concern around the country’s ability to provide fuel to residents along the Eastern Seaboard. Panic buying in several Southern states, including Tennessee and Georgia, has provoked gasoline shortages and in some areas driven up prices. The price hikes have been relatively minimal so far, roughly equivalent to annual spikes seen usually during natural disasters.


On Tuesday, the Biden Administration waived shipborne fuel requirements implemented under the Clean Air Act to ease fuel shortages until normal supply in the region is restored.

Bloomberg reported this week that U.S. agencies, including the FBI and Cybersecurity and Infrastructure Security Agency, had joined forces with a group of private-sector firms to help mitigate the impact of the DarkSide attacks, which affected more than two dozen companies. The effort provided Colonial Pipeline a means to recover some of the stolen data, which had been bound for a server in Russia.


While not directly implicating the Kremlin, President Biden told reporters at the White House on Monday the Russian government bears at least “some responsibility” to address cyberattacks emanating from within its borders.

Gas Is Back: Colonial Opens Up the Corpse Juice Hoses Just as Much of East Coast Runs Out

A gas station in Atlanta, Georgia, that was out of gas on Tuesday.

Photo: Ben Margot (AP)

Large swathes of the East Coast are running out of the precious refined corpse juice used to fuel most of the nation’s vehicles, five days after ransomware knocked out most of the 5,500-mile Colonial Pipeline system—the biggest gasoline pipeline in the country, connecting Gulf Coast refineries to cities as far north as New York. Due to a combination of panic buying, hoarding, and regular gas guzzling, some regions have now almost completely run out. (The pipeline is coming back, see update below.)


There’s no shortage of fossil fuels; they just can’t reach their destination thanks to malware that encrypted Colonial computer systems and forced them to shut down the pipeline as a “precautionary measure.” The Colonial Pipeline system ships 2.5 million barrels of gasoline, diesel, and jet fuel a day, which Bloomberg reports is equivalent to the capacity of the entire nation of Germany. According to CNN Business, nearly two-thirds (65%) of gas stations in North Carolina were without gas as of 12:37 p.m. ET, with similar outages at 42% of stations in Georgia, Virginia, and South Carolina. Tennessee (14%), Florida (10%), Maryland (9%), and West Virginia (4%) were also running low. Some cities were even worse off: 71% of stations in metro Charlotte, 60% in Atlanta, 72% in Raleigh, and 73% in Pensacola have run dry.

The total number of stations shut down runs over ten thousand, and gas prices broke $3 a gallon, according to AAA data. Making the situation worse, the pipeline outage coincides with a shortage of fuel truck drivers. The feds have considered waiving the Jones Act, a maritime law that requires U.S.-built and manned ships to transport goods between U.S. ports, in the hope that enlisting foreign vessels could ease the logistical difficulties currently preventing gas from reaching consumers.

Bloomberg reported on Wednesday that a solution to the issue is still days away, with three distribution hubs in Pennsylvania out of gas and long lines of tanker trucks waiting to fill up in New Jersey. The network reported that Colonial will announce on Wednesday whether it will be able to begin the process of restarting the pipeline network.

“Colonial has announced that they’re working toward full restoration by the end of this week, but we are not taking any chances,” Pete Buttigieg, the Secretary of Transportation, told reporters at a press briefing on Wednesday. “Our top priority now is getting fuel to communities that need it, and we will continue doing everything that we can to meet that goal in the coming days.”

Even then, Bloomberg reported, it will take quite a bit of time for normal service to be fully restored:

Colonial has only managed to restart a small segment of the pipeline as a stopgap measure. Even when the pipeline is restored to full service, it will take about two weeks for gasoline stored in Houston to reach East Coast filling stations, according to the most recent schedule sent to shippers. For diesel and jet fuel, the transit time is even longer — about 19 days — because they are heavier and move more slowly.


The FBI believes that the hackers behind the ransomware attack belong to a gang of cybercriminals called DarkSide that has been active since August 2020 and generally does not attack targets in the former Soviet bloc, according to the Associated Press. (Cybersecurity expert Brian Krebs recommends installing a Cyrillic keyboard on your PC to avoid contamination.) Ransomware functions by infiltrating a computer network, duplicating itself to connected machines, and then locking out users from access by encrypting file systems, typically prompting them with a ransom demand in cryptocurrency. Unless there’s a known flaw in the encryption technique or cybersecurity researchers have discovered the specific encryption key used in an attack, it is practically impossible to decrypt a computer network once ransomware has triggered. Hackers have used variants of the malware to attack everything in the U.S. from hospitals and school networks to entire municipal governments in recent years, causing billions in damages.

DarkSide has tried to cultivate a reputation for only using ransomware to attack the rich, not institutions like hospitals, and has given out some of its proceeds in charitable donations. The group has also publicly announced on its website that the Colonial chaos was not intentional or motivated by political reasons. However, as Wired explains, the gang’s business model appears to be ransomware as a service, loaning out its malware and cyber infrastructure to other attackers and pocketing a slice of any profit, and it has tried to shift the blame for the Colonial incident to one of the criminal partners it works with. (Ransomware can also be indiscriminate, spreading to systems never explicitly anticipated by whoever is controlling it.) As of this time, the feds have indicated they do not believe the attack was conducted by or on behalf of a rival nation-state.


According to CBS, it remains unclear whether a ransom has been demanded or whether Colonial intends to pay—the FBI officially encourages ransomware victims not to pay such ransoms but has acknowledged they may feel they have no other choice. The Washington Post reported Colonial has enlisted cybersecurity firm Mandiant (a division of FireEye) to help it rebuild its system from backups, and that DarkSide’s access to the targeted systems has been cut off, meaning there may no longer be any incentive to pay up.

It’s easy to see why DarkSide has tried to distance themselves from the attack—disruption on this scale is drawing a massive federal response and U.S. authorities will be determined to track whoever did this down.


On Wednesday, President Biden told reporters that we should expect to “hear some good news in next 24 hours,” adding that he believes “we’ll be getting that under control.”

“I am not surprised that this happened. It was realistically only a matter of time before there was a major critical infrastructure ransomware incident,” Brett Callow, a threat analyst at security firm Emsisoft, told Wired. “DarkSide appears to have realized that this level of attention is not a good thing and could bring governments to action. They may stay with smaller attacks now in the hope that they’ll be able to continue making money for longer.”


Update 5:19 PM: Secretary of Energy Jennifer Granholm confirmed moments ago that the CEO of Colonial Pipeline has informed her that pipeline operations would resume around 5 PM this afternoon. The juice will still take some time to make its way around the country.

Update 6:20 PM: This article has been updated to clarify that the ransomware attack did not directly affect the pipeline control system, and Colonial took it offline as a precautionary measure.


Wanted: Colonial Pipeline Cybersecurity Manager (No, Really)


Photo: JIM WATSON / AFP (Getty Images)

Sometime before the disastrous ransomware attack on its network and the East Coast gas shortage that followed, Colonial Pipeline was apparently looking for someone to help run its cybersecurity team.


The energy company, which manages America’s largest oil pipeline, is currently working feverishly to restore full service after being targeted by the ransomware gang DarkSide. The cyberattack, which the company says it learned about on May 7, has prompted a federal response, emergency declarations in multiple states, and spurred a panicked gas-buying melee across the Southeast.

On Wednesday, people online noticed a job listing that had recently been reposted to the job site Day Book. Colonial Pipeline was apparently looking for a “Cyber Security Manager,” as the post puts it. It’s not exactly clear when the initial job posting was created, though it would appear to have been at some point during the last few months. Colonial’s website says the listing was created “+30 days ago,” and job sites like Day Book will continually scrape sites and repost listings with new dates.

According to Colonial’s job description, the security manager would’ve been responsible for maintaining “an incident response plan and processes to address potential threats.” The company was also looking for someone who could manage “a team of cyber security certified subject matter experts and specialists including but not limited to network security engineers, SCADA & field controls network engineers and a cyber security architect.” All good stuff! The listing is still available on Colonial’s website.


Screenshot: Lucas Ropek/Colonial Pipeline

Reached for comment, the company said in an email that they did not create the position in response to the DarkSide ransomware attack.

“The cybersecurity position was not created as a result of the recent ransomware attack. We have several positions open as part of our longer-term growth strategy around talent, as we are constantly recruiting top-tier talent across all functional areas of our business,” a Colonial spokesperson said in a statement. “The position to support cybersecurity would be an example of that. This is a role that we have been looking to add in an effort to continue building our current cyber security team.”


It’s somewhat unclear whether the position was ever filled (if it wasn’t, that might explain a lot). However, the future tense in this statement (“would be an example of that,” “looking to add”) certainly seems to suggest that the position was never actually filled.

The Colonial attack comes at a time when lawmakers are currently looking to improve overall cybersecurity for critical infrastructure. The Biden administration and Congress have both proposed varying solutions to make the country’s resources more secure. There’s no doubt that the sight of America’s largest oil pipeline being paralyzed by online extortionists will have some effect on those decisions. In the meantime, if you’re a security professional who wants “a great place to work, where people matter most, and where safety 24/7 is paramount,” you can apply right here.


A Hacker Gang Has Been Trying to Extort D.C. Police for $4 Million


Photo: Brendan Smialowski/AFP (Getty Images)

A ransomware gang, Babuk Locker, has been attempting to extort the Metropolitan Police Department in Washington D.C. for $4 million, but negotiations between the cops and the criminals recently collapsed, leaked documents appear to show.


Several weeks ago, the cybercriminal group announced that it had stolen the MPD’s data—some 250GB that included thousands of pages of sensitive internal documents, including disciplinary files on officers, and intelligence on local gang activity and informant programs. The police department later confirmed that it had been hacked.

Since then, Babuk has been attempting to extort the agency, threatening to leak sensitive internal documents if cops did not pay them. About two weeks ago, the gang leaked a limited amount of data to the web, publishing personnel files on a select number of current or former MPD officers.

On Tuesday, an apparent communication breakdown between both groups resulted in a much larger tranche of the MPD’s data being leaked to the web, a 22.7GB file.

In a statement posted to their leak site, the criminals said:

“The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers, you can download this archive, the password will be released tomorrow. If during tomorrow they do not raise the price, we will release all the data.”

The criminals also posted screenshots of what appear to be conversations between themselves and police, giving an apparent window into how ransom negotiations went. The screenshots show that the hackers asked for $4 million in exchange for the data, but police claimed they were only willing to pay $100,000.

At one point, Babuk delivered a sober, dead-eyed address to the police department, claiming to only have monetary interests—not political ones. On April 28, the gang said:

BABUK: We want to inform you that we are not interested in the international politics and other issues between governments, conflicts, e.t.c. Our offer for you is to pay us for deletion of the information that we have collected plus we issue a warning statement on the website for other individuals not to intrude to the US government institutions. How does it sound to you?


After days of back and forth between the criminal group and the cops, the police negotiator seemed to signal a willingness to pay for the data, though not the demanded $4 million. A message dated May 10 goes as follows:

PD: Our proposal is an offer to pay $100,000 to prevent the release of the stolen data. If this offer is not acceptable, then it seems our conversation is complete. I think we both understand the consequences of not reaching an agreement. We are okay with that outcome.

BABUK: This is unacceptable on our side. Follow our web-site at midnight.

Not long after that, data from the police department began leaking out onto the group’s website. A spokesperson for the police department did not immediately return a request for comment from Gizmodo. We will update this story if we hear back.


The U.S. Has Ignored Pipeline Cybersecurity and Now You’re Paying the Price

Fuel tanks are seen at Colonial Pipeline Baltimore Delivery in Baltimore, Maryland on May 10, 2021.

Photo: Jim Watson/AFP (Getty Images)

It’s been four days since the Colonial pipeline, a major gasoline artery in the U.S., shut down following a ransomware attack—and Americans are starting to feel the impacts. The federal government is scrambling to figure out how to transport gasoline across the country, and shortages are beginning to hit gas stations in some states. It’s been such a mess that the hackers themselves have kind of apologized for the whole ordeal: DarkSide, the group responsible for the attack, issued a statement Monday explaining that “our goal is to make money and not creating problems for society.”

Yet the problems aren’t wholly DarkSide’s fault. This whole mess may have been entirely preventable if the government had been paying attention to its own responsibilities in helping pipelines prepare for cyberattacks.

While both political parties have raised increasing concerns about cyber attacks that can target the energy grid and other pieces of critical infrastructure, pipelines, specifically, are a hugely overlooked part of this equation. Federal pipeline cybersecurity guidance and oversight have been minimal at best. The government issues only voluntary cybersecurity guidelines for pipelines, even those like Colonial that affect millions of people every day. Even those voluntary guidelines have been such a non-priority, in fact, that no one seems to have been paying much attention to the issue at all for a decade or more in some cases.

The regulation of physical pipelines and their construction falls under the Pipeline and Hazardous Materials Safety Administration. But the digital security of pipelines is under the purview of the Transportation Safety Administration—the same agency whose agents pat you down at the airport. Yet as late as 2019, TSA employed only six staffers on its pipeline cybersecurity division, responsible for overseeing 2.7 million miles (4.4 million kilometers) of pipeline across the country.

Many of the original TSA best practices regulating pipeline cybersecurity were drafted shortly after 9/11—and many have been barely touched since then. The agency’s protocols outlining the roles of the different branches of the federal government in case of a pipeline security breach haven’t been updated since 2010. Given how quickly the digital landscape of our lives has evolved in the past decade, let alone the sophistication of cyberattacks, the lack of attention is embarrassing.

Warnings about the cyber threats to pipelines have abounded. In 2018, Federal Energy Regulatory Commission members Neil Chatterjee (at the time, the chair of the commission) and Richard Glick wrote an op-ed for Axios detailing how unprepared the U.S. was for a cyberattack on a major pipeline. (Chatterjee retweeted the nearly 3-year-old op-ed on Saturday, suggesting that the landscape probably hasn’t changed since its publication.)

The Government Accountability Office put a fine point on some of those problems in 2019 when it took TSA to task and conducted a probe on its pipeline security protocols. In addition to the embarrassingly out-of-date documents, the GAO also found that the TSA’s plans didn’t “identify the cybersecurity roles and responsibilities of federal agencies that are identified in the plan, such as [Department of Energy], Federal Energy Regulatory Commission (FERC), or the FBI, or discuss the measures these agencies should take to prevent, respond to, or support pipeline operators following a cyber incident involving pipelines.”

Even with the GAO report in 2019, progress seems to have been slow on fortifying the country’s pipelines—and the loosey-goosey nature of what companies are mandated to do could be part of the reason. FedScoop reported in 2019 that following the GAO report, the industry was attempting to work with federal agencies on improving cybersecurity practices, but companies worried that sharing information could affect fuel prices on the market or make them targets to more attacks. Bill Caram, the executive director of the Pipeline Safety Trust, said in an email that “the lack of any kind of reporting requirement around these cyber security events” is “troubling.” He added that “we really have no idea how widespread they are.”

In 2020, an elaborate spearphishing campaign targeted natural gas facilities around the world, including some in the U.S., prompting the two-day shutdown of an unidentified pipeline network. It offered a rare insight into how attacks can play out. The Department of Homeland Security found the owner “did not specifically consider the risk posed by cyber attacks,” reflecting how lax oversight can leave companies unprepared.

It may take some time to figure out what exactly happened with the Colonial pipeline, and it’s not out of the question to think that the company could have been better equipped to face the attack.

“For Colonial itself, it will be seen whether they failed at the essential cyber hygiene (which means they were a rather easy target) or they did well in cybersecurity and the attackers had to use sophisticated methods for the attack,” Dirk Schrader, a vice president at security research at New Net Technologies, a provider of cybersecurity and compliance software, said in an emailed statement. “Based on known facts and insights, it rather seems that Colonial missed on the essentials. Some of the webservers in their infrastructure show old vulnerabilities. … In addition, there is quite an amount of knowledge about the DarkSide ransomware family to be prepared for it.”

But the government’s complete lack of enforcement in cybersecurity is especially ironic to consider in light of the increasing panic over the physical security of pipelines. More than a dozen states have passed bills over the past few years criminalizing anti-pipeline protests, doling out heavy punishments for vague offenses like trespassing or “tampering” with construction sites. These bills have often been influenced heavily by fossil fuel interests and have come in the wake of Indigenous-led protests against the Keystone XL and Dakota Access pipelines.

Meanwhile, massive fossil fuel pipelines have been operating for years with an OK from the federal government to do so with the digital security equivalent of having your email password set to “password.” Long-term, those pipelines, and the oil and gas industry in general, do need to be wound down to address the climate crisis. But it might be time for the government—and the industry—to rearrange its priorities around what it considers “security” and what the real threats to fossil fuel infrastructure are.

Hackers Threatening East Coast’s Fuel Supply Claim They’re Not Trying to Cause Anybody Trouble

Photo: Michael M. Santiago (Getty Images)

Over the weekend, a cyberattack by the Russia-based ransomware gang DarkSide managed to hamstring America’s largest oil pipeline, Colonial, threatening to choke off significant energy flows to the East Coast.

Per Bloomberg News, the gang pilfered approximately 100GB of data from the company’s IT network in just two hours on Thursday. The attack was part of what is known as a “double extortion scheme,” a tactic used by criminal groups in which they steal and then threaten to leak significant amounts of data from a high-value target in an effort to extort money from the victim. A coalition of private companies, along with major government agencies like the FBI, the NSA, and CISA, apparently worked together to stop further data theft from occurring.

The Biden administration acknowledged the attack Monday, with the President calling the incident a “criminal act, obviously.” Biden also said that he planned to meet with Russian President Vladimir Putin about the attack and that he would encourage him to take “some responsibility to deal with this.”

Like all unscrupulous businessmen, the members of DarkSide have sought to impress upon their victims that the attack was just business, and nothing personal. On Monday, a statement published to the gang’s website emphasized that their “goal is to make money” and that they are not interested in “creating problems for society.” The group stated:

We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined goverment [sic] and look for other our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.

The gang originally emerged last summer, with the first known sighting of it in August, said Ekhram Ahmad of security firm Check Point Research. DarkSide operates via a Ransomware-as-a-Service model, by which it sells its malware to affiliate groups, who then use it in attacks. The malware has been used in previous attacks against other energy companies. “What we do know is that to take down extensive operations like the Colonial pipeline reveals a sophisticated and well-designed cyber attack,” said Lotem Finkelsteen, head of threat intelligence with Check Point.

You’d think it would be hard to stand out in a year that has seen a veritable blitz of cyberattacks, each one seemingly more disastrous than the next (see: SolarWinds, Microsoft Exchange, the PulseVPN attacks, and more). Yet this is exactly what DarkSide has managed to do—both via its Batman villain-like ability to spur a coastal energy crisis, and its sheepish apology for, like, causing trouble or whatever.

As disastrous as the incident may be for Colonial, it is likely a boon to the current, ongoing efforts to elevate U.S. cyber policy. The political impact of the attack will likely only be to further strengthen the argument that America needs to take a more aggressive, proactive and organized approach when it comes to tracking and combatting cybercriminal groups—something that those in the cyber community have long been lobbying for.

On top of this, the fact that a coalition of private sector companies led the charge to assist in containing the fallout from the incident only further belies the argument, oft made by security professionals, that the solution to these attacks will be forged in a holistic alliance between the public and private sector.

You Should Definitely Update Your Dell Computer Right Now

A flaw dating back to 2009 enables access to Dell and Alienware computers through faulty drivers.

Photo: Sam Rutherford / Gizmodo

A public service announcement for anyone who, like me, is using a years-old Dell computer as their primary machine: Dell has released a security patch for a security vulnerability affecting close to 400 different computer models manufactured between 2009 and right now. That’s, uh, a lot of laptops.

The vulnerability was discovered by security research firm SentinelLabs in a driver used by Dell and Alienware’s firmware update utilities. The flaw allows an attacker to access full kernel-level permissions in Windows. Dell’s information page says it has no evidence that the vulnerability has been exploited and that the attacker would have to have direct access to the computer to take advantage of the flaw. But that’s possible through malware, phishing, or granting remote access privileges to, say, someone pretending to be Dell customer service.

Be sure to check Dell’s list of affected computers if you think you fit the criteria. Some of the latest XPS 13 and 15 models are affected, as are Dell’s G-series gaming laptops. There’s also a list of mid-range Inspiron models from over the years and even some workstation towers.

Dell is pushing a security update via its update clients. The FAQ says to expect it by May 10. If you wish to remove the affected driver yourself, there are instructions at the link for locating it on both 32- and 64-bit versions of Windows.