The cyber attack which shut down a vital US pipeline was carried out by a criminal group known as DarkSide that cultivates a Robin Hood image of stealing from corporations and giving a cut to charity.
The information comes from two people close to the investigation who spoke on condition of anonymity, as the the temporary halting of operations on the the pipeline that carries gasoline and other fuel from Texas to the north-east coast stretched into a third day.
President Joe Biden’s administration says an “all-hands-on-deck” effort is underway to restore operations and avoid disruptions in the energy supply.
Experts said that gasoline prices are unlikely to be affected if the pipeline is back to normal in the next few days but that the incident — the worst cyberattack to date on critical US infrastructure — should serve as a wake-up call to companies about the vulnerabilities they face.
The pipeline, operated by Georgia-based Colonial Pipeline, delivers roughly 45% of fuel consumed on the East Coast, according to the company.
It was hit by what Colonial called a ransomware attack, in which hackers typically lock up computer systems by encrypting data, paralysing networks and then demand a large ransom to unscramble it.
On Sunday, Colonial Pipeline said it was actively in the process of restoring some of its IT systems.
It said it remains in contact with law enforcement and other federal agencies, including the Department of Energy, which is leading the federal government response. The company has not said what was demanded or who made the demand.
But two people close to the investigation, speaking on condition of anonymity, identified the culprit as DarkSide.
It is among ransomware gangs that have “professionalised” a criminal industry that has cost Western nations tens of billions of dollars in losses in the past three years.
DarkSide claims that it does not attack hospitals and nursing homes, educational or government targets and that it donates a portion of its take to charity.
It has been active since August and, typical of the most potent ransomware gangs, is known to avoid targeting organizations in former Soviet bloc nations.
Colonial did not say whether it has paid or was negotiating a ransom, and DarkSide neither announced the attack on its dark web site nor responded to an Associated Press reporter’s queries.
The lack of acknowledgment usually indicates a victim is either negotiating or has paid.
On Sunday, Colonial Pipeline said it is developing a “system restart” plan. It said its main pipeline remains offline but some smaller lines are now operational.
Why are you making commenting on The National only available to subscribers?
We know there are thousands of National readers who want to debate, argue and go back and forth in the comments section of our stories. We’ve got the most informed readers in Scotland, asking each other the big questions about the future of our country.
Unfortunately, though, these important debates are being spoiled by a vocal minority of trolls who aren’t really interested in the issues, try to derail the conversations, register under fake names, and post vile abuse.
So that’s why we’ve decided to make the ability to comment only available to our paying subscribers. That way, all the trolls who post abuse on our website will have to pay if they want to join the debate – and risk a permanent ban from the account that they subscribe with.
The conversation will go back to what it should be about – people who care passionately about the issues, but disagree constructively on what we should do about them. Let’s get that debate started!
Callum Baird, Editor of The National
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here