By Ken Dilanian and Kelly O'Donnell - NBC News
WASHINGTON - A Russian criminal group is suspected of being responsible for a cyber attack that shut down a major US fuel pipeline, two sources familiar with the matter said Sunday.
The group, known as DarkSide, is relatively new, but has a sophisticated approach to the extortion business, sources said.
Commerce Secretary Gina Raimondo said Sunday that the White House was working to help Colonial Pipeline, the Georgia-based company that operates the pipeline, restart its 5,500-mile (8,800-kilometer) network.
The system, which runs from Texas to New Jersey, carries 45% of the East Coast's fuel supply.
The company said in a statement Sunday that some smaller lateral lines were operational but the main lines were still not operational.
"We are in the process of restoring service to other laterals and will bring our entire system back up and running only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations," the company said.
Raimondo noted on CBS's "Face the Nation" that the effort to restart the network was "an effort by all concerned at this time."
"We are working closely with the company and with state and local officials to make sure they get back to normal as soon as possible and there are no supply disruptions," she said.
"Unfortunately, these types of attacks are becoming more frequent. They are here to stay," she added.
A White House official said Sunday that the Department of Energy is leading the government's response.
The agencies are planning a series of scenarios in which the region's fuel supply is affected, the official said.
Colonial Pipeline on Saturday attributed the cyber attack to ransomware - a malicious program that restricts access to parts of the operating system and asks for a ransom in exchange for removing this restriction - and said some of its systems were affected.
The company said it "proactively" took "certain systems offline to contain the threat."
The company has not said what was required or who made the demand.
Although Russian hackers often work for the Kremlin, early indications suggest that it is a criminal scheme and not a nation-state attack, the sources said.
But the fact that Colonial has had to shut down the country's largest gasoline pipeline underscores how vulnerable America's cyberinfrastructure is to criminals and to foreign adversaries such as Russia, China and Iran, experts say.
"This could be the most shocking ransomware attack in history, a cyber disaster turning into a real-world catastrophe," said Andrew Rubin, CEO and co-founder of Illumio, a cybersecurity company.
"It's an absolute nightmare and it's a recurring nightmare," Rubin said.
"Organizations keep relying on and investing everything in detection, as if they can prevent all breaches from happening. But this approach fails attacks time after time. Before the next inevitable breach occurs, the President and Congress have to take action on our broken security model," he added.
If the culprit turns out to be a Russian criminal group, it will reveal that Russia unleashes criminal hackers targeting the West, said Dmitri Alperovitch, co-founder of cyber company CrowdStrike and CEO of think tank Silverado Policy Accelerator.
"Whether or not they work for the state is increasingly irrelevant, given Russia's obvious policy of harboring and tolerating cybercrime," Alperovitch said.
According to a leading Reuters cybersecurity journalist, DarkSide has its own website on the dark web that features a series of leaked data from victims who it claims did not pay the ransom.
According to him, the group has made millions from cyber extortion.