“Malicious cyber actors today are dedicating time and resources towards researching, stealing, and exploiting vulnerabilities, using more complex attacks to avoid detection and developing new techniques to target information and communication technology supply chains,” acting Cybersecurity and Infrastructure Security Agency Director Brandon Wales said.
The victim of the attack, Colonial Pipeline, transports more than 100 million gallons of gasoline and other fuel daily from Houston to the New York Harbor.
Senior White House officials repeatedly said Monday their roles in addressing the latest ransomware incident were limited because Colonial Pipeline is a private company, even though it controls the gasoline supply to most of the eastern US.
Colonial has yet to share information with the federal government about the vulnerability the ransomware group DarkSide took advantage of to infiltrate the fuel company, according to a top official with the Cybersecurity and Infrastructure Security Agency.
“Our understanding is that that is part of the investigation that Colonial’s response vendor is still undertaking. That information has not yet been shared with the US government,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein told CNN in a phone interview.
However, Goldstein said various agencies across the government are engaged with Colonial and as part of an interagency effort to understand the intrusion and identify information that can be shared broadly.
“Now, we are deeply focused on sharing information with other organizations to protect themselves, both from this specific actor, the Darkside ransomware group. And since we know that ransomware actors often use similar techniques and procedures, making sure that all organizations understand the steps that they could take to protect themselves,” he added.
CISA is not providing technical assistance to Colonial Pipeline as of now, according to Goldstein.
Colonial has engaged a third-party incident response company that is leading the investigation on their behalf, he said. CNN previously reported that FireEye Mandiant was brought on to manage the incident response investigation.
Private sector companies also worked with US agencies to take a key server offline as recently as Saturday, disrupting ongoing cyberattacks against Colonial Pipeline Co. and other ransomware victims, according to two sources familiar with the matter.
The move to intervene, which allowed Colonial to recover some of its stolen data, was taken in response to the Darkside attack against the fuel pipeline company, one source told CNN, confirming the action first reported by Bloomberg.
Federal agencies and private companies that control the US-based servers were able to cut off key infrastructure used by the hackers to store stolen data before that information could be relayed back to Russia, both sources said.
Goldstein said CISA has no information about other victims at this time, but he pointed out that the Darkside ransomware group is a well-known threat actor that has compromised numerous victims in recent months.
DarkSide is known to be based in Eastern Europe and carries out “double extortion” ransomware attacks, in which the attackers both encrypt a victim’s data and also steal some of it, threatening to release the stolen data and cause reputational damage if the victim doesn’t pay, he said.
Therefore, even if a victim has strong backups that allow it to restore the encrypted data, the bad actor still has another way to extort the victim, he said.
“There has been some discussion that perhaps this actor tries to refrain from attacking hospitals, schools and the like. But certainly, they’re seen as a pernicious ransomware group that has caused significant harm to its victims, both in the US and elsewhere,” Goldstein said.