A previous version of this article misspelled Leo Simonovich's name and also misstated which news organization first reported details of efforts to secure stolen data. This version has been corrected.
Several cybersecurity experts said the incident represents the biggest known cyberattack on U.S. energy infrastructure. On Monday, Biden administration officials sought to assuage fears that the attack could lead to price spikes, fuel shortages or panicked buying up and down the East Coast, and Colonial announced that it had restarted some service.
New details emerged Monday that Colonial had staved off one potential effort at extortion, though it still grappled with the ransomware issue. Over the weekend, a hosting provider in New York essentially shut down a server containing the stolen data after being contacted by a cyber firm helping Colonial investigate the incident, according to a U.S. official and three people familiar with the matter. The provider contacted the FBI, which worked with Colonial on the matter. The move to isolate the server basically prevented the flow of stolen data to the hackers, whom analysts believe operate mostly out of Russia.
Reuters first reported the effort to stop the data flow.
Still, experts saw risks throughout the energy grid.
Like the Colonial pipeline, which is more than 40 years old, the country is full of “legacy assets” equipped with more recent digital technology “that’s been bolted on top,” said Leo Simonovich, a vice president at Siemens Energy specializing in security.
“As they get more connected, they also become more vulnerable,” he said.
Such “ransomware” attacks have become a global scourge, affecting banks, hospitals, universities and municipalities in recent years. Almost 2,400 organizations in the United States were victimized last year alone, one security firm reported. But the attackers are increasingly targeting industrial sectors because these firms are more willing to pay up to regain control of their systems, experts say.
Utilities, pipelines and refineries maintain a critical network of energy supply, without which the country would shut down, but they have become so much a part of Americans’ mental landscape that they typically go unnoticed, except during spectacular failures such as the Texas freeze-up in February.
“The problem is real, it’s pretty widespread, and it’s going to take a systemic approach to address it,” Simonovich said.
The FBI is investigating the attack as a criminal matter and on Monday issued an official statement confirming that DarkSide was responsible. The Washington Post reported Saturday that federal officials believed that DarkSide, a criminal ransomware group based in Eastern Europe, was behind the attack.
“So far there is no evidence from our intelligence people that Russia is involved,” President Biden said Monday. “Although there is some evidence that the actors’ ransomware is in Russia. They have some responsibility to deal with this.”
A White House task force formed to deal with the attack, and the Department of Transportation temporarily relaxed rules to allow greater flexibility on fuel transport. Fuel price futures climbed more than 1 percent in anticipation of a possible shortage, but as of Monday, the average price for a gallon of gas was still $2.96, according to AAA.
“Right now there is not a supply shortage. We are providing for multiple contingencies because that’s our job,” Homeland Security Adviser Liz Sherwood-Randall said at a White House news briefing.
Some 5,500 miles of Colonial pipeline move fuel from Gulf Coast refineries to customers in the southern and eastern United States. The company says the pipeline reaches 50 million Americans and several major airports, including Hartsfield-Jackson in Atlanta.
On Monday, Colonial Pipeline said that maintaining the pipeline’s operational security and getting systems safely back online were its highest priorities.
In April, the Biden administration launched a 100-day plan to improve the cybersecurity of the electric grid, which Lee McKnight, an associate professor at Syracuse University’s School of Information Studies, said was way too optimistic.
“Even if better than nothing, the idea that there is a 100-day fix is just not realistic,” he wrote in an email.
One problem, said Marty Edwards, vice president of operational technology for Tenable, a cybersecurity firm, and a former senior DHS cyber official, is that there’s no down time for energy technology, and that makes it difficult to update software to protect against hacks.
“You can’t take the pipeline down every Patch Tuesday,” he said, referring to a routine day each month — the second Tuesday — when companies install cybersecurity updates to their systems.
Over the past decade, industrial companies have moved away from keeping their operational systems “air-gapped,” or isolated from the Internet and separated from business or “information technology” systems. “Today the IT and [operational technology] systems are so heavily converged that it’s really difficult to contain a malware infection just to one part of the network,” Edwards said.
Another factor that has tended to depress cybersecurity spending in the energy sector is the effect of rate regulators, said Robert M. Lee, chief executive and co-founder of Dragos, a cyber-incident response company. Where the utility or provider has a monopoly in the market, the regulator often caps the rates the company can charge, he said. That in turn affects cybersecurity budgets.
“Cybersecurity expenses are heavily scrutinized and very hard to justify in many industries,” he said.
If Colonial’s operations are restored by the end of this week, it is unlikely the shutdown will translate to major shortages or price increases, analysts said. If it goes on much longer, the picture might be far different.
There are just two major refineries on the East Coast, in Delaware City, Del., and Linden, N.J. Crude oil is delivered to them by sea and by rail, but together they produce about 345,000 barrels of various products a day, or about 14 percent of the Colonial Pipeline capacity.
The Colonial Pipeline attackers used ransomware — which locks up computer systems, usually by encrypting data — and demanded payment to free up the system.
DarkSide, the criminal gang suspected of carrying out the attack, said in a notice that its motivation was purely financial.
“Our goal is to make money and not creating problems for society,” the message said. “From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
DarkSide also has said it will not attack morgues, funeral homes, hospitals, or companies that develop or participate “to a large extent” in the distribution of coronavirus vaccines.
The halting of the data extortion over the weekend took place with the aid of the hosting provider DigitalOcean, which had been notified by the company helping Colonial, an incident response firm called Mandiant. As it investigated the incident, Mandiant, which is a division of the cyber firm FireEye, saw that Colonial data had been stolen and stored on a DigitalOcean server, said the people familiar with the matter, who spoke on the condition of anonymity because the investigation is ongoing.
DigitalOcean and Colonial did not immediately respond to requests for comment. FireEye declined to comment.
Criminal hackers typically store their data on a midpoint server or series of servers — sometimes in the United States — before pulling the data back to their servers overseas. They do that to help throw investigators off the trail.
Anne Neuberger, deputy national security adviser for cyber, said the FBI has been investigating DarkSide since October. She said DarkSide operates using a “ransomware as a service” model, in which a criminal group develops the ransomware and then allows an affiliate to deploy it for a fee or a cut of the proceeds. In this case, DarkSide developed the ransomware, private-sector researchers said.
The group appears to have emerged fairly recently. Cybereason, a private security firm, first took note of DarkSide only last year — in August.
“They became very active very quickly in a very organized manner,” said Lior Div, Cybereason’s chief executive. “This leads us to believe that these are experienced people who know exactly what they’re doing.”
The group refrains from hitting targets in Russia. The group’s spokesman, Darksupp, speaks Russian. And it does not hire English speakers, according to Dmitry Smilyanets, a cyberthreat intelligence expert from the cybersecurity firm Recorded Future.
Neuberger said that so far the U.S. government has not seen a connection to any foreign government. But, she added, “our intelligence community is looking for any ties to any nation-state actors.”
Moscow has long been known to harbor criminal hackers, who for their part avoid targeting victims inside Russia.
Researchers have noted that DarkSide has engaged in “double extortion,” or threatening to release a victim’s data unless a ransom is paid. This technique, Cybereason has noted, effectively renders moot the strategy of backing up data as a precaution.
Sometimes, Smilyanets said, the threat to release data is more effective than the encryption itself in coercing a victim to pay a ransom.
In April, he said, the group posted on its blog that it was willing to provide breach information related to companies publicly traded on Nasdaq and other stock exchanges to interested parties who wanted to short the stock and profit off the insider information.
Neuberger acknowledged that the FBI has traditionally advised companies not to pay the ransom to avoid encouraging further activity.
“We recognize, though,” she said, “that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data.”
That is why, she said, “we need to look thoughtfully at this area, including with our international partners, to determine what we do in addition to actively disrupting infrastructure and holding perpetrators accountable to ensure that we’re not encouraging the rise of ransomware.”
The administration learned of the shutdown on Friday night, Sherwood-Randall said.
Since then, the White House has convened an interagency team that includes the lead incident response agency, the Department of Energy, as well as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, the Treasury Department, the Pentagon and other agencies. She said Energy has been in contact with state and local agencies to assess impacts and convened a group that includes the oil, natural gas and electric sectors to share details about the ransomware attack.
Last year, the Cybersecurity and Infrastructure Security Agency warned pipeline operators about the threat of ransomware.
CISA responded to a ransomware attack on a natural gas compression facility in which the attacker gained access to the corporate network and then pivoted to the operational network, where it encrypted data on various devices. As a result, the firm shut down operations for about two days, CISA said.
The Justice Department has also launched a ransomware and digital extortion task force. And the FBI and Justice Department earlier this year worked with international partners to disrupt two criminal ransomware operations, officials said.
Julie Tate contributed to this report.