NEW YORK (NYTIMES) – President Joe Biden said on Monday (May 10) that the United States would “disrupt and prosecute” a criminal gang of hackers called DarkSide, which the FBI formally blamed for a huge ransomware attack that has disrupted the flow of nearly half of the gasoline and jet fuel supplies to the East Coast.
The FBI, clearly concerned that the ransomware effort could spread, issued an emergency alert to electric utilities, gas suppliers and other pipeline operators to be on the lookout for code like the kind that locked up Colonial Pipelines, a private firm that controls the major pipeline carrying gasoline, diesel and jet fuel from the Texas Gulf Coast to New York Harbour.
The pipeline remained offline for a fourth day Monday as a pre-emptive measure to keep the malware that infected the company’s computer networks from spreading to the control systems that run the pipeline.
The attack prompted emergency meetings at the White House all through the weekend, as officials tried to understand whether the episode was purely a criminal act – intended to lock up Colonial’s computer networks unless it paid a large ransom – or was the work of Russia or another state that was using the criminal group covertly.
Biden is expected to announce an executive order in the coming days to strengthen America’s cyberdefences.
The order, drafts of which have been circulating to government officials and corporate executives for weeks and summaries of which were obtained by The New York Times, is a new road map for the nation’s cyberdefence.
It would create a series of digital safety standards for federal agencies and contractors that develop software for the federal government, such as multi-factor authentication, a version of what happens when consumers get a second code from a bank or credit-card company to allow them to log in. It would require federal agencies to take a “zero trust” approach to software vendors, granting them access to federal systems only when necessary, and require contractors to certify that they comply with steps to ensure that the software they deliver has not been infected with malware or does not contain exploitable vulnerabilities.
And it would require that vulnerabilities in software be reported to the US government. Violators would risk having their products banned from sale to the federal government, which would, in essence, kill their viability in the commercial market.
So far, intelligence officials said, all the indications are that the pipeline attack was simply an act of extortion by the DarkSide group, which first began to deploy such ransomware in August, and is believed to operate from Eastern Europe, possibly Russia.
In this case, the ransomware was not directed at the control systems of the pipeline, federal officials and private investigators said, but rather the back-office operations of Colonial Pipeline.
A preliminary investigation showed poor security practices at Colonial Pipeline, according to federal and private officials familiar with the inquiry. The lapses, they said, most likely made the act of breaking into and locking up the company’s systems fairly easy.
Colonial Pipeline has not answered questions about what kind of investment it had made in protecting its networks, and refused to say whether it was paying the ransom. And the company appeared reluctant to let federal officials bolster its defences.
“Right now, they’ve not asked for cybersupport from the federal government,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology, told reporters at a briefing at the White House. She declined to say whether the federal government would advise paying the ransom, noting that “companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data.”
While Neuberger did not say so, that appears to be essentially what happened to Colonial.