
Attempt To ‘Russia-fy’ Colonial Pipeline Cyberattack via ‘DarkSide’

The Colonial Pipeline, which supplies 45% of the East Coast’s fuel, was preemptively shut down on the evening of Friday, May 7, to keep a reported cyberattack that had locked up the company’s IT systems from spreading to the operational side of the pipeline. Colonial said on May 9 that it was restoring some of its IT systems. It also stated: “We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.” It is generally thought that the country has four to five days before the shutdown cascades into bigger problems.

Over the May 8-9 weekend, the White House created an “interagency working group” to cover all contingencies. Late on May 9, the U.S. Department of Transportation issued a regional emergency declaration lifting hours-of-service limits on drivers hauling fuel by road, in a bid to keep supply lines open as fears of shortages spiked. “This Declaration addresses the emergency conditions creating a need for immediate transportation of gasoline, diesel, jet fuel, and other refined petroleum products and provides necessary relief,” the department stated.

Despite Colonial indicating on May 8 that it was the victim of ransomware rather than a state actor, the media are already contorting matters into an attack by Russia on America. FireEye, the company that first disclosed and investigated the “SolarWinds” compromise, is reported to be handling incident response for Colonial. It and others are pointing at “DarkSide” as the likely source of the attack, and then suggesting that it must be a Russian operation. The BBC cited an anonymous cybersecurity firm saying the group is “likely to be based in a Russian-speaking country” since none of its targets have been Russian. CNN cited an unnamed “former senior official” saying the ransomware “originated from Russia.” And on May 10, the FBI stated that “the DarkSide ransomware is responsible….”

DarkSide is described as a “Robin Hood” operation that targets profitable companies and gives a share of the ransom to charities. According to a March report from the cybersecurity firm Avertium, DarkSide’s operators announced their malware in a dark web press release on Aug. 20, 2020. Avertium claims that DarkSide’s average ransom demand is $6.5 million and that victims’ average downtime is five days. DarkSide primarily targets Windows systems. Then, a month after DarkSide’s announcement, the “Russia” link appeared: a “Russian-speaking cybercriminal using the handle ‘darksupp’ posted several announcements regarding Darkside, including an official recruitment for affiliates to participate in the Darkside RaaS [Ransomware-as-a-Service] affiliate program, a pledge not to attack hospitals, schools, nonprofits or government targets and to only attack businesses who can afford to pay a ransom” (spellings as in Avertium’s report). If the ransom is not paid, the data stolen from the victim before encryption is published on the group’s leak site for a six-month period. Evidently, other companies have been hit over the last nine months and have paid a ransom.

The AP adds its interpretation of the situation: DarkSide, like “the most potent ransomware gangs, is known to avoid targeting organizations in former Soviet bloc nations. Colonial didn’t say whether it has paid or was negotiating a ransom, and DarkSide neither announced the attack on its dark web site nor responded to an Associated Press reporter’s queries. The lack of acknowledgment usually indicates a victim is either negotiating or has paid.”

This afternoon (May 10), President Biden stated: “So far there’s no evidence from our intelligence people that Russia is involved.” Then he adopted a backup position: since the ransomware “is in Russia,” the Russians have “some responsibility to deal with this,” and he would bring it up with Putin. Dmitri Alperovitch, CrowdStrike co-founder and member of the infamous “no evidence” gang, summed it up: “Whether they work for the state or not is increasingly irrelevant…”