U.S. investigators announced Monday they have recovered most of the ransom paid to the Russian-based hackers known as DarkSide by Georgia-based Colonial Pipeline.
“Today, we have turned the tables on DarkSide,” Acting U.S. Assistant Attorney General Lisa Monaco said. “Ransomware attacks are always unacceptable, but when they target critical infrastructure we will spare no effort in our response.”
»Watch a replay of the Justice Department’s news conference:
Monaco said DarkSide and its affiliates — developers who sell or lease ransomware for cyberattacks in return for a fee — have been stalking U.S. companies since last year.
Joseph Blount, Colonial Pipeline CEO, acknowledged paying more than $4 million to the hackers because “it was the right thing to do for the country.”
Blount issued a statement after the Justice Department’s news conference Monday:
“The FBI is the premier law enforcement agency in the world and we are grateful for their swift work and professionalism in responding to this event. Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature. The private sector also has an equally important role to play and we must continue to take cyber threats seriously and invest accordingly to harden our defenses.
“When Colonial was attacked on May 7, we quietly and quickly contacted the local FBI field offices in Atlanta and San Francisco, and prosecutors in Northern California and Washington D.C. to share with them what we knew at that time. The Department of Justice and FBI were instrumental in helping us to understand the threat actor and their tactics. Their efforts to hold these criminals accountable and bring them to justice are commendable.
“As our investigation into this event continues, Colonial will continue its transparency in sharing intelligence and learnings with the FBI and other federal agencies. Our goal is to help our peers in the critical infrastructure space strengthen their cyber defenses and to collaborate across industry so that we can thwart these types of attacks before they happen. Together, through intelligence sharing and lessons learned, we can work to better protect our nation, its people, and our most critical assets.”
Late last week, it was revealed hackers gained access to Colonial Pipeline’s network using the compromised credentials of a legacy VPN account, according to Bloomberg News reporter William Turton.
NEW: hackers gained access to the network of Colonial Pipeline using the compromised credentials of a legacy VPN account. The account was not actively used and did not use multi-factor authentication. https://t.co/2bN9Wza4GN
— William Turton (@WilliamTurton) June 4, 2021
The hack, which took down the largest fuel pipeline in the nation and led to gas shortages across the Southeast, was the result of a single compromised account, Turton reported.
The account was not actively used and did not use multifactor authentication, according to Turton. Turton cited a FireEye security researcher.
The U.S. Justice Department recently announced it is planning to elevate ransomware cases — similar to the one launched against Colonial last month — to the same priority assigned to terrorism cases.
The news comes in the wake of another cyberattack launched against JBS SA, the world’s largest meat-processing plant. White House officials believe Russian-based hackers were behind both ransomware attacks. While JBS plants are getting back online after all of the company’s U.S. slaughterhouses were shut down, the cyberattack’s impact on consumers and restaurants has yet to be fully felt.
REvil, the Russian-linked hacker group the FBI said is responsible for the JBS cyberattack, has emerged as one of the most prolific — and public — ransomware groups in recent years.
Ransomware has become a thorny problem for the Biden administration, particularly after the Colonial Pipeline attack.
Blount said he authorized the ransom because executives were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back. The May 7 cyberattack locked up the company’s computer systems. The hackers didn’t take control of pipeline operations, but the Alpharetta-based company shut it down to prevent malware from affecting industrial control systems.
Blount said it will take months and cost the company “tens of millions of dollars” to fully repair the damage and restore all of its business systems.
President Joe Biden said U.S. officials do not believe the Russian government was involved, but said “we do have strong reason to believe that the criminals who did the attack are living in Russia.”
Ransomware is a type of hack in which a victim’s computer files are encrypted, rendering them unusable until a ransom is paid. Some ransomware groups steal files, too, providing another avenue for extortion. REvil maintains a page on the dark web, called the “Happy Blog,” where it leaks or auctions sensitive documents from victims as an extra incentive to pressure them to pay.
Earlier this year, REvil took credit for hacking the Taiwanese hardware supplier Quanta Computer Inc. and in the process published secret blueprints for new Apple Inc. devices. Last year, REvil executed a ransomware attack against a law firm they claimed once represented some of Donald Trump’s television enterprises.
In 2019, the group also attacked a group of Louisiana election clerks a week before Election Day.
The U.S. Department of Agriculture said in a statement last Tuesday that it “continues to work closely with the White House, Department of Homeland Security, JBS USA and others to monitor this situation closely and offer help and assistance to mitigate any potential supply or price issues.”
In recent years, hackers targeted victims with cyber insurance policies and huge volumes of sensitive consumer data that make them more likely to pay a ransom, according to cybersecurity experts.
The Associated Press contributed to this report.
