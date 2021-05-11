Long lines began forming at gas stations across the East Coast this week as panicked drivers worry about supply shortages and higher prices following the shutdown of the Colonial Pipeline, a major U.S. fuel artery that was hit by a cyberattack over the weekend.
“It was unbelievable. When I was driving today, I thought it was a catastrophe coming!” Yasheeka Wiggins, of Marion, S.C., told CBS News. “I’ve seen all these cars waiting and I was like, ‘OMG. I have to fill my tank up!’ ”
The 5,500-mile Colonial Pipeline, which delivers nearly half of the fuel used on the Eastern seaboard, was the target of a ransomware attack by a Russia-based criminal group called DarkSide, the FBI confirmed Monday. The company said it was working to resume operations by the end of this week, but the temporary disruption is already wreaking havoc across the region.
Meanwhile, a Russian-speaking ransomware syndicate that stole data from the Washington, D.C., police department says negotiations over payment have broken down, with it rejecting a $100,000 payment, and it will release sensitive information that could put lives at risk if more money is not offered. The Babuk group said on its website late Monday that it would release “all the data” it stole from the Washington police department if it did not “raise the price.”
Read on for a full rundown of the consequences of these incidents and the growing threat of cybercriminals.
Q&A: What are the dangers of ransomware attacks?
What is ransomware and what happened at the pipeline?
Ransomware is malware that encrypts the files on infected computer systems, leaving them unusable until victims pay the hackers a fee for the key to unlock them. Hackers typically gain entry by tricking unwitting computer users into opening an email attachment or clicking a link that installs the malware.
Colonial Pipeline reported over the weekend that it became the victim of a ransomware attack that locked up its business-side computers. The company said in a statement that on Friday it "proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations." The cyberassault did not appear to infect systems operating the pipeline.
By Monday, the company reported, it was bringing back online segments of the pipeline, which supplies about 45% of jet fuel, gasoline and heating oil consumed on the East Coast. White House officials and industry analysts said the shutdown was not likely to cause fuel shortages or lead to a rise in gas prices.
"It is relatively easy to hack a business network," said James Lewis, a cybersecurity expert and a senior vice president at the Center for Strategic and International Studies. "It's harder to hack the industrial network. Colonial did everything right after it was hacked. But we don't yet know if Colonial made the right move to prevent the hackers from crossing over."
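Lewis's point about hackers "crossing over" comes down to whether the business (IT) network has any allowed path into the industrial control (OT) network. The script below, added here as an illustration and not Colonial Pipeline's configuration or any vendor's tool, walks a small zone-based firewall policy and flags allow rules that give IT hosts a route into OT, taking into account an earlier deny that shadows a later allow. The zone ranges and rules are constructed for the example.

```python
"""Flag firewall rules that let business (IT) hosts reach control (OT) hosts.

Added example with constructed data: the zones, address ranges and rules
below are hypothetical and do not describe any real pipeline network.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone map (hypothetical RFC 1918 ranges).
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],        # business network
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],       # historian / broker tier
    "OT": [ipaddress.ip_network("192.168.100.0/24")],    # control system network
}


@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port, None means any port
    action: str           # "allow" or "deny"


def zones_touched(cidr: str) -> List[str]:
    """Zones whose address ranges overlap the given CIDR (a 0.0.0.0/0 rule
    therefore touches every zone)."""
    net = ipaddress.ip_network(cidr)
    return [z for z, ranges in ZONES.items() if any(net.overlaps(r) for r in ranges)]


def shadows(deny: Rule, allow: Rule) -> bool:
    """True if an earlier deny rule fully covers the allow rule's flow, so the
    allow never matches under first-match-wins evaluation."""
    if deny.action != "deny":
        return False
    d_src, d_dst = ipaddress.ip_network(deny.src), ipaddress.ip_network(deny.dst)
    a_src, a_dst = ipaddress.ip_network(allow.src), ipaddress.ip_network(allow.dst)
    port_covered = deny.dport is None or deny.dport == allow.dport
    return a_src.subnet_of(d_src) and a_dst.subnet_of(d_dst) and port_covered


def find_it_to_ot_paths(rules: List[Rule]) -> List[str]:
    """Return a finding for every effective allow rule that permits traffic
    from the IT zone into the OT zone."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if "IT" not in zones_touched(rule.src) or "OT" not in zones_touched(rule.dst):
            continue
        if any(shadows(earlier, rule) for earlier in rules[:i]):
            continue  # blocked by an earlier deny; not an effective path
        port = "any port" if rule.dport is None else f"port {rule.dport}"
        findings.append(f"rule {i}: {rule.src} -> {rule.dst} on {port} allows IT->OT traffic")
    return findings


# Constructed sample policy, evaluated top to bottom.
SAMPLE_RULES = [
    Rule("10.10.0.0/16", "192.168.100.0/24", 3389, "deny"),   # block RDP from IT into OT
    Rule("10.10.0.0/16", "192.168.100.0/24", 3389, "allow"),  # dead rule: shadowed by rule 0
    Rule("10.10.0.0/16", "10.20.0.0/24", 443, "allow"),       # IT to DMZ historian: acceptable
    Rule("10.20.0.0/24", "192.168.100.0/24", 502, "allow"),   # DMZ to OT (Modbus): not from IT
    Rule("10.10.5.0/24", "192.168.100.10/32", 22, "allow"),   # IT subnet SSH to an OT host: flagged
    Rule("0.0.0.0/0", "192.168.100.0/24", None, "allow"),     # catch-all into OT: flagged
]

if __name__ == "__main__":
    for finding in find_it_to_ot_paths(SAMPLE_RULES):
        print(finding)
```

Run as-is it reports rules 4 and 5; rule 1 is silent because the deny above it already covers the flow. The check is deliberately coarse: it reasons about zones and ports only, which is enough to spot the direct IT-to-OT paths the quoted expert is worried about, but it says nothing about traffic that enters OT indirectly through a DMZ host that both sides can reach.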
How big a problem is ransomware?
The Colonial hack shouldn't surprise anyone, said Bruce Schneier, a cybersecurity expert and lecturer at Harvard University's Kennedy School of Government.
"This happens hundreds of times a day," Schneier said. "These hackers, this time, just happened to land a big fish."
A task force of more than 60 experts from industry, government and nonprofits issued a report last month that called ransomware "a flourishing criminal industry that not only risks the personal and financial security of individuals, but also threatens national security and human life."
The report, published by the nonprofit Institute for Security and Technology, estimated that nearly 2,400 governments, healthcare facilities and schools were victims of ransomware attacks last year. Ransom payments rose to $350 million last year, a 300% increase over 2019, the report said. The average such payment topped $300,000.
The problem is growing, experts said. A cyber insurance firm told the task force that it tallied a 260% increase in ransomware attacks of its policy holders. A cybersecurity firm estimated that ransomware hacks spiked 700% in 2020 over 2019.
Christopher Krebs, the former head of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, testified before Congress last week that "we are on the cusp of a global digital pandemic, driven by greed, a vulnerable digital ecosystem in an ever-widening criminal enterprise."
Why are ransomware attacks on the rise?
Cybersecurity experts say two trends are behind the increase in ransomware assaults. The first, they said, was the growth of difficult-to-trace cryptocurrency, which has allowed hackers to easily obtain large ransom payments under the nose of financial regulators.
Meanwhile, they said, foreign governments have recognized the value in allowing hackers to operate inside their borders. Such hackers pay bribes to officials and agree to only target victims overseas. Russian operatives, in particular, believe such hackers help advance their foreign policy goals by causing trouble for adversaries, according to law enforcement officials and cybersecurity experts.
President Biden told reporters Monday that it did not appear that Moscow was behind the attack but there was evidence the "actor's ransomware is based in Russia."
"I'm going to be meeting with President Putin," Biden said, referring to his Russian counterpart. "They have some responsibility to deal with it."
Who targeted Colonial Pipeline?
The FBI on Monday attributed the attack to DarkSide ransomware, which is produced by an eponymous criminal organization that U.S. officials and cybersecurity experts say operates in Eastern Europe or Russia.
DarkSide is a "ransomware-as-a-service" business that relies on selling malware to hackers who then launch attacks and share proceeds with the developers, according to U.S. officials and cybersecurity experts.
The group's malware packs a dual punch: It not only locks networks but also siphons data. This kind of attack is effective even if a company or government backed up its information to mitigate the damage from ransomware because hackers can still threaten to release the data they are holding publicly or to competitors.
Cybereason, a Boston-based cybersecurity firm, reported that DarkSide's approach "effectively renders the strategy of backing up data as a precaution against a ransomware attack moot."
In a statement obtained by multiple media organizations, DarkSide said its "goal is to make money, and not creating problems for society."
What's next?
The U.S. government is taking steps to address the ransomware threat. The Justice Department last month formed a task force to combat ransomware, and the Biden administration says it is formulating a plan to tackle the problem.
Cybersecurity experts said they expect high-profile hacks like the one on Colonial Pipeline to prod potential victims to heighten security, create backups of data and come up with effective response plans.
"This problem will be greatly reduced over the next year because there is so much attention being paid to it," predicted Lewis, the cybersecurity expert at the Center for Strategic and International Studies.
Other experts are not so sanguine, saying hackers have proved adept at devising new ways to overcome cyberdefenses.
____
(Times staff writer Eli Stokols contributed to this report.)
___
©2021 Los Angeles Times. Visit at latimes.com. Distributed by Tribune Content Agency, LLC.
What does U.S. fuel pipeline shutdown reveal about the dangers of cyber ransoms?
A major fuel pipeline supplying the East Coast was shut down last week after the Georgia-based company operating it became the victim of a ransomware attack.
And a Russian-speaking ransomware syndicate that stole data from the Washington, D.C., police department says negotiations over payment have broken down, with it rejecting a $100,000 payment, and it will release sensitive information that could put lives at risk if more money is not offered.
The extortion threat comes right after the pipeline disruption that's affected part of the U.S.'s fuel supply, highlighting the power of internet-savvy criminal gangs to sow mayhem from half a world away with impunity.
Friday's hack forced Colonial Pipeline to halt operations in what it called an abundance of caution. The company said the ransomware attack targeted its information technology systems. White House officials said Monday that the pipeline did not appear to suffer any damage.
Cybersecurity experts have been warning for years about the threat posed by a ransomware attack on U.S. infrastructure in the wake of thousands of successful hacks of computer systems operated by governments, school districts, companies and hospitals.
To combat such cyberattacks, governments and businesses must beef up their defenses, better prepare to respond to intrusions and put diplomatic pressure on countries harboring cybercriminals, the experts say.
Explainer: Why ransomware attacks matter
What are the implications of the latest attack?
The Babuk ransomware group's threat may be the most serious to date, said Brett Callow, a threat analyst and ransomware expert at the security firm Emsisoft.
“This is far worse than any hack of other police departments previously,” Callow said, adding that he's never seen a law enforcement agency pay a ransom before.
Ransomware gangs have been leaking sensitive data from victims for well over a year, but experts said they’ve not seen such aggressive new tactics used before against police departments. The cybercriminal mafias mostly operate in foreign safe havens out of the reach of Western law enforcement.
The average ransom payments last year were $310,000, up 171% from 2019, according to Palo Alto Networks.
What happened in the pipeline attack?
A cyberattack on a critical U.S. pipeline is sending ripple effects across the economy, highlighting cybersecurity vulnerabilities in the nation's aging energy infrastructure. The Colonial Pipeline, which delivers about 45% of the fuel used along the Eastern Seaboard, shut down Friday after a ransomware attack by a gang of criminal hackers that calls itself DarkSide. Depending on how long the shutdown lasts, the incident could affect millions of consumers.
Colonial Pipeline, the owner, halted all pipeline operations over the weekend, forcing what the company called a precautionary shutdown. U.S. officials said Monday that the "ransomware" malware used in the attack didn't spread to the critical systems that control the pipeline's operation. But the mere fact that it could have done so alarmed outside security experts.
Will there be gas shortages?
It depends on how long the shutdown lasts. Colonial said it's likely to restore service on the majority of its pipeline by Friday.
There's no imminent shortfall, and thus no need to panic buy gasoline, said Richard Joswick, head of global oil analytics at S&P Global Platts. If the pipeline is restored by Friday, there won't be much of an issue. "If it does drag on for two weeks, it's a problem," Joswick added. "You'd wind up with price spikes and probably some service stations getting low on supply. And panic buying just makes it worse."
What's the impact on gas prices?
The average gasoline price jumped six cents to $2.96 over the past week, and it's expected to continue climbing because of the pipeline closure, according to AAA. Mississippi, Tennessee and the East Coast from Georgia to Delaware are the most likely to experience limited fuel availability and higher prices, and if the national average rises by three more cents, these would be the highest prices since November 2014, according to AAA.
Who is behind the attacks and what motivates them?
The hackers are Russian speakers from DarkSide, one of dozens of ransomware gangs that specialize in double extortion, in which the criminals steal an organization's data before encrypting it. They then threaten to dump that data online if the victim doesn't pay up, creating a second disincentive to trying to recover without paying.
Ransomware gangs say they are motivated only by profit.
Are pipelines more vulnerable to attacks?
They're not necessarily at greater risk, but they do pose unique challenges. The Colonial Pipeline structure is a vast piece of critical infrastructure that provides fuel supply to states along the East Coast. Such a large network is bound to have different control systems along its path where it connects with distributors or customers.
"Every single time you connect something, you run the risk that you're going to infect something," said Kevin Book, managing director at Clearview Energy Partners. That variability can also make it harder for hackers to know where to find vulnerabilities, he said.
Over time, as pipelines expand, companies can end up with a mix of technology — some parts built within the company and others brought in from outside, said Peter McNally, global sector lead at Third Bridge. Many large energy companies have been under pressure from investors to limit reinvestment in such assets, which can be decades old, he added. That can be a problem when dealing with modern criminals.
The Federal Energy Regulatory Commission has established and enforced mandatory cybersecurity standards for the bulk electric system, but there are no comparable standards for the nearly 3 million miles of natural gas, oil and hazardous liquid pipelines that traverse the United States. "Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors," said Richard Glick, chairman of the Federal Energy Regulatory Commission, and Democratic Commissioner Allison Clements, in a joint statement. They called for the U.S. to establish mandatory pipeline security standards.
What can be done to halt ransomware attacks?
Previous attempts to put ransomware operators out of business by attacking their online infrastructure have amounted to internet whack-a-mole. The U.S. Cyber Command, Microsoft and cross-Atlantic police efforts with European partners have only been able to put a temporary dent in the problem.
Last month, a public-private task force including Microsoft, Amazon, the FBI and the Secret Service gave the White House an 81-page urgent action plan that said considerable progress could be possible in a year if a concerted effort is mounted with U.S. allies, who are also under withering attack.
Some experts advocate banning ransom payments. The FBI discourages payment, but the task force said a ban would be a mistake as long as many potential targets remain "woefully unprepared," apt to go bankrupt if they can't pay. Anne Neuberger, the White House deputy national security adviser for cyber and emerging technology, said Monday that sometimes companies have no real choice but to pay a ransom.
The task force said ransomware actors need to be named and shamed and the governments that harbor them punished. It calls for mandatory disclosure of ransom payments and the creation of a federal "response fund" to provide financial assistance to victims in hopes that, in many cases, it will prevent them from paying ransoms.
___
Bajak reported from Boston. AP Writer Matthew Daly contributed from Washington.