This Shockingly Invasive Malware Stole Data from 3.25 Million Windows Computers

A woman rushes by Microsoft headquarters.

Photo: Robert Giroux (Getty Images)

Between 2018 and 2020, a mysterious strain of malware infected and stole sensitive data from approximately 3.25 million Windows-based computers—taking with it a horrifying amount of intimate information about the users of those devices.


The data includes login credentials—both usernames and passwords—for dozens of online platforms, as well as billions of browser cookies, millions of user files stolen right off of infected desktops and, in some cases, pictures of the device’s user taken with the computer’s own webcam.

The malicious epidemic was uncovered recently when a large database of the stolen information was spotted on the dark web, reports NordLocker in a new analysis of the incident.

The firm characterizes the virus as Trojan-style malware that was deployed onto computers via email and by illegal software, such as pirated versions of games and Adobe Photoshop, as well as “Windows cracking” tools. The malware was unnamed and likely a cheap, customizable variant that could be purchased easily on the dark web.

“Nameless, or custom, trojans such as this are widely available online for as little as $100. Their low profile often helps these viruses stay undetected and their creators unpunished,” analysts write.

According to Nord, the malware took careful steps to catalog people it had compromised, even assigning “unique device IDs to the stolen data, so it can be sorted by the source device” and also frequently photographing the computer’s user if their device had a webcam.

As to the stolen data, it’s pretty overwhelming. The compromised login information includes 1,471,416 Facebook credentials; 261,773 Twitter credentials; 145,436 PayPal credentials; 87,282 Dropbox credentials; 1,540,650 Google account credentials, and so on. Other compromised accounts include Coinbase, Blockchain, Outlook, Skype, Netflix…you get the picture.


On top of this, the malware also apparently took screenshots of the desktops it had infected, which retroactively helped researchers piece together just how much information had been compromised. To get a better idea of how extensive the damage is, here is a little breakdown:

  • 2 billion cookies
  • 26 million login credentials
  • 6.6 million files (apparently stolen off of desktops)
  • Upwards of 1 million images (696,000 .png and 224,000 .jpg files)
  • More than 650,000 Word documents and .pdf files

So, yeah, it’s all pretty disturbing. The market for personal information on the dark web—particularly login credentials—has always been big, but it’s seen a real uptick in recent years. Hundreds of millions of passwords are compromised every year through cyberattacks and breaches, leaving victims at the mercy of money-grubbing goons. While it’s up to you to decide how to protect yourself, there’s no shortage of resources out there and, it goes without saying, they’re worth checking out.


You can check out a more detailed breakdown of all of the stolen files here.

Hackers Stole Source Code from Electronic Arts and Are Selling It Online


Photo: Kevork Djansezian (Getty Images)

Cybercriminals have hacked and stolen large amounts of data and code from Electronic Arts, the prominent gaming publisher responsible for producing The Sims, Battlefield, and a number of other classic games.


“We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen,” an EA spokesperson said in a statement provided to Gizmodo. “No player data was accessed, and we have no reason to believe there is any risk to player privacy. Following the incident, we’ve already made security improvements and do not expect an impact on our games or our business. We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation.”

The company did not say when the incident actually occurred.

A security professional shared a link with Gizmodo to the dark website where cybercriminals appear to be selling EA’s digital goods. According to the hackers, the cache comprises some 780GB of data, and includes full source code for the soccer game FIFA 21, as well as source code for the company’s game engine FrostBite—a core piece of software necessary for EA’s games to run properly.


Screenshot: Lucas Ropek

First reported by Motherboard, the attack is one of several recent cyber incidents involving gaming companies. In November, the Japanese firm Capcom suffered a breach, leading to the potential compromise of data on hundreds of thousands of current and former employees and contractors. More recently, CD Projekt Red was hacked, leading to the theft of source code for some of the company’s biggest games—including Cyberpunk 2077 and The Witcher.

The motive here, like in many other cyberattacks, is financial: selling this kind of proprietary information on the dark web can net you big money. In the case of whoever hacked EA, they apparently only want offers from big, serious buyers. Motherboard reports that the hackers wrote in a dark web post: “Only serious and rep [reputation] members all other would be ignored.”

Someone Hacked the MTA


Photo: Mario Tama (Getty Images)

In late April, officials with the New York City Metropolitan Transportation Authority discovered that someone had penetrated several of the agency’s computer systems, exploiting a zero-day vulnerability in the network’s VPN service as a way to get a foot in the door.


The transportation agency, which is responsible for operating a transit system whose daily ridership tops 5 million, discovered the intrusion attempt shortly after an announcement from federal authorities about a foreign hacking campaign targeted at Pulse Connect Secure, a VPN product. At the time, Pulse was widely used by state, local and federal government agencies.

The widespread hacking campaign is believed to have been at least partially the work of a sophisticated threat actor conducting espionage on behalf of China. While it’s unclear if that same actor attacked the MTA, the New York Times has reported that the hackers that targeted the transit agency are “believed to have links to the Chinese government.”

On Wednesday, MTA officials confirmed to Gizmodo that someone had exploited the Pulse security flaw to worm their way into MTA’s network, but that the hackers had apparently stopped short of stealing any data. In a statement, the agency said that three of its “systems” had been impacted by the attack, but did not elaborate on which systems they were or explain what that meant.

Separate forensic audits conducted by FireEye’s Mandiant and an IBM security team “found no evidence of account compromise, no employee information breached, no data loss or changes to our vital systems,” MTA officials said. No operational systems were affected by the attack either, they added.

In addition to post-incident audits, the Transportation Authority instituted several other security precautions — including “a forced migration off this VPN to other VPNs” and a requirement that some 3,700 employees and contractors change their passwords as an “extra layer of security,” officials said. In a statement provided to Gizmodo, Rafail Portnoy, the MTA’s Chief Technology Officer, reiterated that no data had been compromised as a result of the intrusion.

“The MTA quickly and aggressively responded to this attack, bringing on Mandiant, a leading cyber security firm, whose forensic audit found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems,” said Portnoy.


News of the attempted attack comes during a veritable cyberattack blitz throughout the U.S., with many attacks targeted at critical infrastructure. While the hackers in this case don’t appear to have gained access to anything of real importance, the fact that such a system could be compromised in the first place is disturbing on its face.

The New York Times reports that an MTA document shows officials have expressed concerns that the hackers “could have entered those [MTA] operational systems or that they could continue to penetrate the agency’s computer systems through a back door.” Yes, if the idea of a cyberattack paralyzing the R line somewhere between Court Street and South Ferry discomfits you, let’s just hope that public agencies like the MTA have a forward-looking plan for how to make sure scenarios like that never become a reality in the future.


Microsoft Says Russian Hackers Behind SolarWinds Currently Attacking Targets in 24 Countries

Russian President Vladimir Putin makes a video message to the participants of the Russian Congress on Pediatric Oncology on May 27, 2021.

Photo: Sergei ILYIN / Sputnik / AFP (Getty Images)

The hackers behind the massive SolarWinds attack are currently trying to access the email systems of thousands in western governments, think tanks, and NGOs that may be opposed to the Russian government, according to a warning released late Thursday night by Microsoft.


The hackers, dubbed Nobelium by researchers, have targeted roughly 3,000 email accounts at more than 150 organizations, according to Microsoft. The hacking attempts were first identified in January of this year but they’re ongoing, according to the company.

“While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries,” Microsoft said in a statement. “At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work. Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020.”

One of the targets, according to Microsoft, was the Constant Contact account of the U.S. Agency for International Development (USAID), which is ostensibly designed for administering foreign aid and encouraging business development around the world.

“From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” Microsoft explained.

“This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network,” Microsoft’s statement continued.

Why would Russia want to go after USAID? Well, the agency has sometimes been used as an instrument of regime change, like when USAID secretly created a text-based version of Twitter for Cuba in 2010 during an effort to sow anger at the country’s leader Fidel Castro. The Associated Press broke that story in 2014 and Castro died in 2016.


But officially, Microsoft gave three reasons for the recent attacks:

First, when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.

Second, perhaps unsurprisingly, Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating. This time Nobelium targeted many humanitarian and human rights organizations. At the height of the Covid-19 pandemic, Russian actor Strontium targeted healthcare organizations involved in vaccines. In 2019, Strontium targeted sporting and anti-doping organizations. And we’ve previously disclosed activity by Strontium and other actors targeting major elections in the U.S. and elsewhere. This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organizations.

Third, nation-state cyberattacks aren’t slowing. We need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules. We must continue to rally around progress made by the Paris Call for Trust and Security in Cyberspace, and more widely adopt the recommendations of the Cybersecurity Tech Accord, and the CyberPeace Institute. But, we need to do more. Microsoft will continue to work with willing governments and the private sector to advance the cause of digital peace.


The SolarWinds hack was one of the worst attacks on computers in the U.S., dropping malicious code in some of the most sensitive computer systems run by the U.S. government and its contractors. Most people believe the SolarWinds attack was executed at the behest of Russian president Vladimir Putin, and Microsoft isn’t being very subtle with their new statement about who’s behind this latest attack.

Nobelium is coming for critics of Putin and they’re not giving up, at least if you believe Microsoft, which shouldn’t be a surprise. It’s just another day in the New Cold War.


FBI: Conti Ransomware Gang Behind Ireland Attack Also Hit 16 U.S. Health and Emergency Networks


Photo: Mandel Ngan (Getty Images)

The same hackers that took down the Irish health system last week also hit at least 16 U.S. medical and first responder networks in the past year, according to a Federal Bureau of Investigation alert made public Thursday by the American Hospital Association.


As first spotted by the security news site Bleeping Computer, the FBI Cyber Division said these hackers used the strain of ransomware known as Conti to target law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities in the U.S. Ransomware is a type of malicious software that breaks into a victim’s devices and encrypts their files so cybercriminals can then extort payment in exchange for restoring access.

The FBI didn’t name specific victims of these breaches or whether ransoms were successfully extorted, saying only that these networks “are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S.” It added that the latest ransom demands have been as high as $25 million.

The hackers that crippled the Irish health system are reportedly part of “Wizard Spider,” a sophisticated cybercrime gang based in Russia that’s been increasingly active in the past year. The group’s threatened to release patient records unless Irish authorities fork over $20 million.

For the last week, this ransomware attack has cut off access to patient records, forced medical facilities to cancel appointments, and disrupted covid-19 testing in the nation. Ireland’s minister overseeing e-government, Ossian Smyth, has called it “possibly the most significant cybercrime attack on the Irish state.”

Researchers Are Trying to Create an Unhackable Computer Processor


Photo: THOMAS SAMSON/AFP (Getty Images)

The CPU is classically considered “the brain” of a computer because, like our own head, it contains all of the circuits responsible for receiving and executing commands. However, like the rest of a machine, CPUs are not infallible. In fact, they can be fairly easy to hack. Recent years have shown egregious examples of hardware vulnerabilities that allow for the sophisticated hijacking of machines. Most famously, researchers uncovered the security flaws “Meltdown” and “Spectre,” both of which were embedded in millions upon millions of chips, and therefore put data on a majority of the world’s computers at risk.


An academic research team at the University of Michigan is currently working on a way to stop these sorts of attacks from taking place, according to IEEE Spectrum. Led by computer scientist Todd Austin, the team is working on creating a new CPU design, dubbed “Morpheus,” that is basically hack-proof. Well, sorta. The new machine would hopefully stop a large percentage of attacks, said Austin in a recent interview with the publication.

In fact, recent testing of the machine showed that its defenses work phenomenally well. During a recent virtual bug bounty program sponsored by DARPA (the Defense Advanced Research Projects Agency), a veritable army of 580 White Hat hackers spent 13,000 hours attempting to penetrate its defenses and all were unsuccessful, IEEE reports. Austin describes his team’s creation this way:

Morpheus is a secure CPU that was designed at the University of Michigan by a group of graduate students and some faculty. It makes the computer into a puzzle that happens to compute. Our idea was that if we could make it really hard to make any exploit work on it, then we wouldn’t have to worry about individual exploits. We just would essentially make it so mind bogglingly terrible to understand that the attackers would be discouraged from attacking this particular target.

So how, exactly, does Morpheus block attackers? The short answer is encryption. Austin says his team is using a cipher, an algorithm that performs encryption and decryption, called “Simon.” In this case, whatever Simon says, goes: it can “make the underlying implementation of the machine [i.e., the CPU]—the undefined semantics—change every few hundred milliseconds.” In other words, it constantly encrypts parts of the machine’s functions to obscure how it works, thus blocking potential hackers from being able to exploit it. In effect, this reconfigures “key bits” of the chip’s “code and data dozens of times per second, turning any vulnerabilities into dead ends for hackers,” according to the school’s engineering department. Austin put it this way:

The way we do it is actually very simple: We just encrypt stuff. We take pointers—references to locations in memory—and we encrypt them. That puts 128 bits of randomness in our pointers. Now, if you want to figure out pointers, you’ve got to solve that problem…When you encrypt a pointer, you change how pointers are represented; you change what the layout of the address space is from the perspective of the attacker; you change what it means to add a value to a pointer.

So… that makes sense? While this encryption shield doesn’t stop things like SQL injections or more sophisticated attacks, it does prevent what Austin says are “low-level attacks,” or remote-code execution attacks (RCEs)—whereby bad actors can insert malicious programs into a machine via security flaws in its programming. By obscuring how that programming functions, Morpheus is taking away much of the opportunity for such attacks to occur.
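To make Austin’s description concrete, here is an added example that is not code from Morpheus, the University of Michigan team, or this article: a toy version of pointer encryption of the kind glibc’s PTR_MANGLE and Windows’ EncodePointer() also use. Morpheus encrypts pointers with the Simon cipher and 128 bits of randomness and re-keys at runtime; the XOR-and-rotate “cipher,” the fixed demo key, and the function names (set_pointer_key, encode_pointer, decode_pointer, the dispatch table) are simplifications assumed here so the example stays short and runnable. It shows the three things the quote is getting at: a pointer round-trips through the scheme, a plain address written over an encrypted slot decodes to somewhere else, and “adding a value to a pointer” stops meaning what it used to.

```c
/*
 * Added example (not Morpheus's code): toy pointer encryption in the spirit of
 * glibc PTR_MANGLE / Windows EncodePointer. Morpheus uses the Simon cipher with
 * 128 bits of randomness; XOR + rotate with a 64-bit key is an assumption here.
 */
#include <stdint.h>
#include <stdio.h>

/* Per-process secret. A real implementation draws this from the OS RNG
 * (e.g. getrandom()) at start-up; the fixed demo value is an assumption. */
static uint64_t g_pointer_key = 0x0123456789abcdefULL;

void set_pointer_key(uint64_t key) { g_pointer_key = key; }

static uint64_t rotl64(uint64_t x, unsigned r) { return (x << r) | (x >> (64 - r)); }
static uint64_t rotr64(uint64_t x, unsigned r) { return (x >> r) | (x << (64 - r)); }

/* "Encrypt" a pointer: XOR with the key, then rotate so that adding an offset
 * to the encoded value no longer corresponds to adding it to the address. */
uint64_t encode_pointer(const void *p) {
    return rotl64((uint64_t)(uintptr_t)p ^ g_pointer_key, 17);
}

void *decode_pointer(uint64_t enc) {
    return (void *)(uintptr_t)(rotr64(enc, 17) ^ g_pointer_key);
}

/* A dispatch table that stores function pointers only in encoded form, the
 * way a hardened C library stores its atexit/setjmp handlers. */
typedef int (*handler_fn)(int);
static int double_it(int x) { return 2 * x; }
static int negate_it(int x) { return -x; }

struct dispatch_table { uint64_t slot[2]; };

void dispatch_init(struct dispatch_table *t) {
    t->slot[0] = encode_pointer((const void *)(uintptr_t)double_it);
    t->slot[1] = encode_pointer((const void *)(uintptr_t)negate_it);
}

/* Decode a slot and call through it (only for slots the table itself wrote). */
int dispatch_call(const struct dispatch_table *t, int idx, int arg) {
    handler_fn fn = (handler_fn)(uintptr_t)decode_pointer(t->slot[idx]);
    return fn(arg);
}

/* Three properties a defender cares about, each returned as 1 (holds) / 0. */
int roundtrip_holds(const void *p) {
    return decode_pointer(encode_pointer(p)) == p;
}

/* A plain address written over an encoded slot (what a memory-corruption bug
 * lets an attacker do) decodes to a different target, not the one written. */
int forged_raw_pointer_survives(const void *p) {
    return decode_pointer((uint64_t)(uintptr_t)p) == p;
}

/* Arithmetic on the encoded form does not carry over to the real address. */
int offset_survives_encoding(const void *p, uint64_t off) {
    const char *expect = (const char *)p + off;
    return decode_pointer(encode_pointer(p) + off) == (const void *)expect;
}

int main(void) {
    struct dispatch_table t;
    dispatch_init(&t);
    int x = 21;
    printf("dispatch: %d %d\n", dispatch_call(&t, 0, x), dispatch_call(&t, 1, x));
    printf("round trip holds: %d\n", roundtrip_holds(&x));
    printf("forged raw pointer usable: %d\n", forged_raw_pointer_survives(&x));
    printf("offset survives encoding: %d\n", offset_survives_encoding(&x, 8));
    return 0;
}
```

The design point is the rotate step: with XOR alone, an attacker who knows one encoded pointer and its plaintext recovers the key, and adding an offset to the encoded value still moves the decoded address by roughly that offset. Real schemes go further than this toy (Morpheus also re-keys every few hundred milliseconds, which is what makes the address space a moving target), but even this much is enough to turn a forged pointer into a crash rather than a controlled jump.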

While all of this may fly over most people’s heads, the basic point is that in the not-too-distant future, we may have machines that are virtually impervious to your run-of-the-mill hardware exploits. With the cyber-maelstrom that’s been going on in the U.S. and the world lately, I think that’s something we can all get on board with.


Colonial Pipeline Reportedly Paid Hackers $5 Million for Decryption Key That Wasn’t Very Useful


Photo: JIM WATSON / AFP (Getty Images)

About a week ago, Colonial Pipeline apparently paid the ransomware group DarkSide approximately $5 million in exchange for a data decryption key that didn’t really decrypt that much data.


An investigation from Bloomberg found that, despite earlier reports suggesting the company had no intention of paying the cybercriminals, Colonial actually did just that “within hours of the attack,” using an untraceable cryptocurrency. In exchange for that fat stack of cash, Colonial received a decryption tool that was so slow that the company had to partially rely on its own backups to continue restoring service, the news outlet reports. New York Times reporter Nicole Perlroth later stated that the ransom was paid using 75 Bitcoin. Gizmodo sent multiple emails to Colonial representatives for comment and will update this story when we hear back.

The network-crippling attack on the energy giant brought the operation of its 5,500-mile oil pipeline system to an abrupt halt last week, swiftly spurring an energy crisis throughout many of the Southeastern cities to which it delivers oil. The incident led to shortages in multiple states and subsequently spurred a gas-buying binge, as panicked Americans flocked to stores and gas stations to purchase car fuel. The epidemic of End Time-type behavior even led the U.S. Consumer Product Safety Commission to helpfully remind consumers to “not fill plastic bags with gasoline,” always a helpful tip.

However, just as it looked like society might collapse, the pipeline came back online Wednesday night and began to churn oil back into America’s veins once more. In a statement published Thursday, the energy company stated that it had regained almost full operational capacity—though getting back to a regular fuel flow is expected to take some time.

“Colonial Pipeline has made substantial progress in safely restarting our pipeline system and can report that product delivery has commenced in a majority of the markets we service. By mid-day today, we project that each market we service will be receiving product from our system,” the company said, while also providing a map of the areas that it said were currently operational, as of 9 a.m. EST. As of noon EST, the entire system was expected to have been fully operational.


Screenshot: Lucas Ropek/Colonial Pipeline

President Joe Biden also addressed the nation on Thursday, hoping to quell fears about surging gas prices and to update Americans about how the government was handling the incident. The President reiterated during his remarks that the White House did not believe that the Russian government had been involved in the ransomware attack but that it would be communicating with the Kremlin to more effectively target the criminals responsible.


“We do not believe that the Russian government was involved in this attack—but we do have strong reason to believe that the criminals who did the attack are living in Russia,” said the President. “We have been in direct communications with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks. We’re also going to pursue a measure to disrupt their ability to operate.”

Biden also referenced an executive order he passed Wednesday night, designed to bolster America’s defenses against cybercriminal networks. The order requires the creation of a Cyber Safety Review Board, a Department of Homeland Security team that will be in charge of investigating major cyber incidents. It also introduces measures to increase information sharing between private industry and the U.S. government on cyberattacks. And it creates a mandate for federal agencies to introduce multi-factor authentication and data encryption within a period of six months.


Biden did not comment at all on any financial exchange that may have occurred between Colonial and the hackers. Several high-level federal officials also refused to talk about it: “I have no knowledge of whether a ransom was paid, how much was paid, if it was paid, when it was paid,” said Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, which has been working with the embattled gas company since the attack last week.

One of the oft-made arguments for not paying ransomware gangs is that there is no guarantee that hackers will actually make good on their word to assist with decryption once money has been paid. While the ransomware business model largely hinges on criminals sticking to their promise, in many cases, decryption can be a slow, hugely imperfect process—as the Colonial episode may well demonstrate. At the same time, payment also legitimates the business model, encouraging criminals to continue seeking out new victims.


Senate Cyber Hawk Calls for ‘Criminal Penalties’ for Negligent CEOs After U.S. Pipeline Hack

Sen. Ron Wyden, D-Ore., chair of the Senate Finance Committee, prepares the panel for a vote on Xavier Becerra, President Joe Biden’s Health and Human Services Dept. nominee, at the Capitol in Washington, Wednesday, March 3, 2021.

Photo: J. Scott Applewhite (AP)

Sen. Ron Wyden, historically a leading proponent of heightened cybersecurity governance in both public and private spheres, called for congressional action Wednesday around all private firms operating in critical infrastructure sectors, saying the recent network breach at one of the largest U.S. pipelines paints a dismal picture of the nation’s susceptibility to attack.


The cyber intrusion detected at Colonial Pipeline Co. over the weekend forced the shutdown of a vital pipeline stretching from Houston to New Jersey, which typically ferries more than 2.5 million barrels of fuel per day. On Sunday, the FBI confirmed the breach involved a criminal ransomware gang known as DarkSide, which cybersecurity experts have linked to Russia, though not directly to the Kremlin. The group itself issued a statement on Monday claiming the breach was financially and not politically motivated, and that it intends to work toward “avoid[ing] social consequences in the future.”

In a statement to Gizmodo, Wyden, chair of the Senate Finance Committee, said the attack underscores a “massive problem” at companies running the country’s critical infrastructure, saying “dangerously negligent cybersecurity” portends more crippling attacks in the future. Failures at the highest corporate levels pose a significant threat to national security, he said, adding that Congress should immediately force critical infrastructure companies to institute heightened security safeguards.

“For far too long Wall Street has racked up profits by cutting jobs in safety and security, even when it puts lives and the country’s economy at risk,” he said. “There must be serious civil and criminal penalties—with personal accountability for CEOs—for critical infrastructure firms with lax cybersecurity, and federal agencies should be conducting regular cybersecurity audits of these firms.”

Wyden added: “Any company so vital to our economy that a cyberattack can disrupt the lives of millions of Americans, should be regularly audited by the government so that our adversaries are not the first ones to discover cybersecurity weaknesses.”

The Oregon senator’s focus on the culpability of corporate officers is hardly out of left field. Wyden has previously introduced and sponsored several bills concerning data security seeking tough penalties for corporate malpractice, including, in the case of Silicon Valley, prison time for executives who mislead regulatory bodies about their data handling practices.

The biggest impact of the pipeline breach so far appears to be a spike in concern around the country’s ability to provide fuel to residents along the Eastern Seaboard. Panic buying in several Southern states, including Tennessee and Georgia, has provoked gasoline shortages and in some areas driven up prices. The price hikes have been relatively minimal so far, roughly equivalent to annual spikes seen usually during natural disasters.


On Tuesday, the Biden Administration waived shipborne fuel requirements implemented under the Clean Air Act to ease fuel shortages until normal supply in the region is restored.

Bloomberg reported this week that U.S. agencies, including the FBI and Cybersecurity and Infrastructure Security Agency, had joined forces with a group of private-sector firms to help mitigate the impact of the DarkSide attacks, which affected more than two dozen companies. The effort provided Colonial Pipeline a means to recover some of the stolen data, which had been bound for a server in Russia.


While not directly implicating the Kremlin, President Biden told reporters at the White House on Monday the Russian government bears at least “some responsibility” to address cyberattacks emanating from within its borders.

Gas Is Back: Colonial Opens Up the Corpse Juice Hoses Just as Much of East Coast Runs Out

A gas station in Atlanta, Georgia, that was out of gas on Tuesday.

Photo: Ben Margot (AP)

Large swathes of the East Coast are running out of the precious refined corpse juice used to fuel most of the nation’s vehicles, five days after ransomware knocked out most of the 5,500-mile Colonial Pipeline system—the biggest gasoline pipeline in the country, connecting Gulf Coast refineries to cities as far north as New York. Due to a combination of panic buying, hoarding, and regular gas guzzling, some regions have now almost completely run out. (The pipeline is coming back, see update below.)


There’s no shortage of fossil fuels; they just can’t reach their destination thanks to malware that encrypted Colonial computer systems and forced them to shut down the pipeline as a “precautionary measure.” The Colonial Pipeline system ships 2.5 million barrels of gasoline, diesel, and jet fuel a day, which Bloomberg reports is equivalent to the capacity of the entire nation of Germany. According to CNN Business, nearly two-thirds (65%) of gas stations in North Carolina were without gas as of 12:37 p.m. ET, with similar outages at 42% of stations in Georgia, Virginia, and South Carolina. Tennessee (14%), Florida (10%), Maryland (9%), and West Virginia (4%) were also running low. Some cities were even worse off: 71% of stations in metro Charlotte, 60% in Atlanta, 72% in Raleigh, and 73% in Pensacola have run dry.

The total number of stations shut down runs over ten thousand, and gas prices broke $3 a gallon, according to AAA data. Making the situation worse, the pipeline outage coincides with a shortage of fuel truck drivers. The feds have considered waiving the Jones Act, a maritime law that requires U.S.-built and manned ships to transport goods between U.S. ports, in the hope that enlisting foreign vessels could ease the logistical difficulties currently preventing gas from reaching consumers.

Bloomberg reported on Wednesday that a solution to the issue is still days away, with three distribution hubs in Pennsylvania out of gas and long lines of tanker trucks waiting to fill up in New Jersey. The network reported that Colonial will announce on Wednesday whether it will be able to begin the process of restarting the pipeline network.

“Colonial has announced that they’re working toward full restoration by the end of this week, but we are not taking any chances,” Pete Buttigieg, the Secretary of Transportation, told reporters at a press briefing on Wednesday. “Our top priority now is getting fuel to communities that need it, and we will continue doing everything that we can to meet that goal in the coming days.”

Even then, Bloomberg reported, it will take quite a bit of time for normal service to be fully restored:

Colonial has only managed to restart a small segment of the pipeline as a stopgap measure. Even when the pipeline is restored to full service, it will take about two weeks for gasoline stored in Houston to reach East Coast filling stations, according to the most recent schedule sent to shippers. For diesel and jet fuel, the transit time is even longer — about 19 days — because they are heavier and move more slowly.


The FBI believes that the hackers behind the ransomware attack belong to a gang of cybercriminals called DarkSide that has been active since August 2020 and generally does not attack targets in the former Soviet bloc, according to the Associated Press. (Cybersecurity expert Brian Krebs recommends installing a Cyrillic keyboard on your PC to avoid contamination.) Ransomware functions by infiltrating a computer network, duplicating itself to connected machines, and then locking users out by encrypting file systems, typically presenting them with a ransom demand in cryptocurrency. Unless there’s a known flaw in the encryption technique or cybersecurity researchers have discovered the specific encryption key used in an attack, it is practically impossible to decrypt the affected systems once the ransomware has run. Hackers have used variants of the malware to attack everything in the U.S. from hospitals and school networks to entire municipal governments in recent years, causing billions in damages.

DarkSide has tried to cultivate a reputation for only using ransomware to attack the rich, not institutions like hospitals, and has given out some of its proceeds in charitable donations. The group has also publicly announced on its website that the Colonial chaos was not intentional or motivated by political reasons. However, as Wired explains, the gang’s business model appears to be ransomware as a service, loaning out its malware and cyber infrastructure to other attackers and pocketing a slice of any profit, and it has tried to shift the blame for the Colonial incident to one of the criminal partners it works with. (Ransomware can also be indiscriminate, spreading to systems never explicitly anticipated by whoever is controlling it.) As of this time, the feds have indicated they do not believe the attack was conducted by or on behalf of a rival nation-state.


According to CBS, it remains unclear whether a ransom has been demanded or whether Colonial intends to pay. The FBI officially encourages ransomware victims not to pay such ransoms but has acknowledged they may feel they have no other choice. The Washington Post reported that Colonial has enlisted cybersecurity firm Mandiant (a division of FireEye) to help it rebuild its system from backups, and that DarkSide’s access to the targeted systems has been cut off, meaning there may no longer be any incentive to pay up.

It’s easy to see why DarkSide has tried to distance itself from the attack—disruption on this scale is drawing a massive federal response, and U.S. authorities will be determined to track down whoever did this.


On Wednesday, President Biden told reporters that we should expect to “hear some good news in next 24 hours,” adding that he believes “we’ll be getting that under control.”

“I am not surprised that this happened. It was realistically only a matter of time before there was a major critical infrastructure ransomware incident,” Brett Callow, a threat analyst at security firm Emsisoft, told Wired. “DarkSide appears to have realized that this level of attention is not a good thing and could bring governments to action. They may stay with smaller attacks now in the hope that they’ll be able to continue making money for longer.”


Update 5:19 PM: Secretary of Energy Jennifer Granholm confirmed moments ago that the CEO of Colonial Pipeline has informed her that pipeline operations would resume around 5 PM this afternoon. The juice will still take some time to make its way around the country.

Update 6:20 PM: This article has been updated to clarify that the ransomware attack did not directly affect the pipeline control system, and Colonial took it offline as a precautionary measure.


Wanted: Colonial Pipeline Cybersecurity Manager (No, Really)

Photo: JIM WATSON / AFP (Getty Images)

Sometime before the disastrous ransomware attack on its network and the East Coast gas shortage that followed, Colonial Pipeline was apparently looking for someone to help run its cybersecurity team.


The energy company, which manages America’s largest oil pipeline, is currently working feverishly to restore full service after being targeted by the ransomware gang DarkSide. The cyberattack, which the company says it learned about on May 7, has prompted a federal response, emergency declarations in multiple states, and spurred a panicked gas-buying melee across the Southeast.

On Wednesday, people online noticed a job listing that had recently been reposted to the job site Day Book. Colonial Pipeline was apparently looking for a “Cyber Security Manager,” as the post puts it. It’s not exactly clear when the initial job posting was created, though it would appear to have been at some point during the last few months. Colonial’s website says the listing was created “+30 days ago,” and job sites like Day Book will continually scrape sites and repost listings with new dates.

According to Colonial’s job description, the security manager would’ve been responsible for maintaining “an incident response plan and processes to address potential threats.” The company was also looking for someone who could manage “a team of cyber security certified subject matter experts and specialists including but not limited to network security engineers, SCADA & field controls network engineers and a cyber security architect.” All good stuff! The listing is still available on Colonial’s website.

Screenshot: Lucas Ropek/Colonial Pipeline

Reached for comment, the company said in an email that they did not create the position in response to the DarkSide ransomware attack.

“The cybersecurity position was not created as a result of the recent ransomware attack. We have several positions open as part of our longer-term growth strategy around talent, as we are constantly recruiting top-tier talent across all functional areas of our business,” a Colonial spokesperson said in a statement. “The position to support cybersecurity would be an example of that. This is a role that we have been looking to add in an effort to continue building our current cyber security team.”


It’s somewhat unclear whether the position was ever filled (if it wasn’t, that might explain a lot). However, the future tense in this statement (“would be an example of that,” “looking to add”) certainly seems to suggest that the position was never actually filled.

The Colonial attack comes at a time when lawmakers are looking to improve overall cybersecurity for critical infrastructure. The Biden administration and Congress have both proposed varying solutions to make the country’s resources more secure. There’s no doubt that the sight of America’s largest oil pipeline being paralyzed by online extortionists will have some effect on those decisions. In the meantime, if you’re a security professional who wants “a great place to work, where people matter most, and where safety 24/7 is paramount,” you can apply right here.