US Pursues Russia-Based Group Behind Pipeline Cyberattack

Published: 14 May 2021


Pipeline near Freeport, TX, U.S.A. (Photo: ENERGY.GOV, Wikimedia, License)

By Julett Pineda Sleinan

Russia is not behind the ransomware attack that left part of the U.S. East Coast without gas, but a criminal group based in Russia is, U.S. President Joe Biden said on Thursday, announcing that a new task force will from now on prosecute such hackers “to the full extent of the law.”

The biggest fuel pipeline in the country, Colonial Pipeline, resumed operations on Wednesday afternoon following a cyberattack that forced the company to shut down its network last Friday.

The Georgia-based operator transports more than 100 million gallons per day from Texas to the Northeast and supplies nearly half of the East Coast with fuel. The company said it would take several days for the delivery supply chain to return to normal.

The Federal Bureau of Investigation said on Monday that the organized crime group DarkSide was behind the cyberattack.

The hackers compromised the Colonial Pipeline network with ransomware, a type of attack in which the victim's data or systems are encrypted and held hostage until a ransom is paid.

Bloomberg reported that Colonial Pipeline paid the group nearly US$5 million in Bitcoin, but the company itself did not confirm this.

“We do not believe the Russian government was involved in this attack,” President Biden said during a White House briefing on Thursday. “But we do have strong reason to believe that criminals who did the attack are living in Russia.”

The White House has been communicating with Moscow “about the imperative for responsible countries to take decisive action against these ransomware networks,” he said, adding that the U.S. will also take steps to disable them.

Biden also announced that the Justice Department has launched a new task force dedicated to prosecuting ransomware hackers following the signing of an executive order to bolster the Federal Government's cybersecurity.

Meanwhile, DarkSide said it was an apolitical group and that it had no ties to the Russian government.

"Our goal is to make money and not creating problems for society," the group wrote on its website. "From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."

DarkSide’s first ransomware attacks date back to August 2020, when the group advertised on its site a ransomware-as-a-service model - a type of cyber extortion in which the malware developers receive a share of the proceeds from their “affiliates,” the cybercriminal actors who actually deploy the malware.

The group also claims to have a code of conduct under which it does not attack schools, hospitals, universities, NGOs or government agencies, and instead targets exclusively profitable companies.