Colonial Pipeline Ransom Mostly Recouped

The US recovered almost all the Bitcoin ransom paid to the perpetrators of the cyber-attack on Colonial Pipeline Company last month in a sign that law enforcement is capable of pursuing online criminals even when they operate outside the nation’s borders.

US officials said the 7^th June that they captured about 63.7 Bitcoin traced to recipients of a 75-Bitcoin ransom paid by Colonial soon after the early May attack which resulted in a shutdown of the nation’s largest gas pipeline. The shutdown had caused fuel shortages across the east coast just ahead of the Memorial Day weekend.

The announcement came as Colonial CEO Joseph Blount was set to testify before a Senate committee on the 8^th June and on the 9^th June before a House panel.

Because of the declining value of Bitcoin since the ransom was paid, the US seizure in late May amounted to US$2.3 million, just over half the US$4.4 million paid weeks earlier after the ransom was demanded.

Deputy FBI Director Paul Abbate said at a Justice Department briefing announcing the seizure that law enforcement identified a virtual wallet used in the ransom payment and then recovered the funds. He said investigators found more than 90 companies victimised by DarkSide, a Russia-linked cybercrime group blamed in the pipeline attack.

“Today we turned the tables on DarkSide,” Deputy Attorney General Lisa Monaco said, as she called on companies to invest more to protect their critical infrastructure and intellectual property. “DarkSide and its affiliates have been digitally stalking US companies for the better part of last year.”

The action signals US law enforcement’s ability, in some cases at least, to track cryptocurrency, identify digital wallets and seize funds, a potentially powerful tool in combating ransomware attacks in particular. The operation also reveals how quickly hacking operations can be identified by the FBI, which Mr Abbate said has been investigating DarkSide since last year.

The FBI was able to find the Bitcoin by uncovering the digital addresses the hackers used to transfer the funds, according to an eight-page seizure warrant released by the Justice Department on the 7^th June.

“New financial technologies which attempt to anonymise payments will not provide a curtain from behind which criminals will be permitted to pick the pockets of hard-working Americans,” Stephanie Hinds, acting US Attorney for the Northern District of California, said at the news conference alongside Ms Monaco and Mr Abbate.

While the government’s efforts were significant, they also underscored the difficulty in going after the perpetrators of ransomware attacks. To date, no one behind the Colonial Pipeline attack has been publicly indicted, and the hackers still made off with a small portion of the ransom. Even if the people behind the attack are charged, they probably will remain out of reach of US law enforcement agencies.

The attack in May caused fuel shortages at gasoline stations in several states and even affected operations by some airlines and airports. It was part of an increasing trend of such acts against critical infrastructure which is posing an early test of President Joe Biden’s administration.

Colonial Pipeline said on the 7^th June that it quickly contacted the FBI and federal prosecutors after it was attacked and praised the government for recovering much of the ransom.

“Holding cyber criminals accountable and disrupting the ecosystem which allows them to operate is the best way to deter and defend against future attacks of this nature,” Joseph Blount, chief executive officer of the Alpharetta, Georgia-based company, said in a statement.

“We must continue to take cyber threats seriously and invest accordingly to harden our defences”

US intelligence and law enforcement officials say stopping hacking attacks has become a national security priority, and the issue has raised tensions between the US and Russia.

Mr Biden plans to bring up hacking attacks when he meets with Russian President Vladimir Putin next week, White House Press Secretary Jen Psaki has said.

The message at the one-on-one meeting in Geneva on the 16^th June will be that “responsible states do not harbour ransomware criminals, and responsible countries must take decisive action against those ransomware networks,” Ms Psaki said. Mr Putin has denied knowing about or being involved in ransomware attacks.

In another episode, Brazilian-based JBS SA, the world’s largest meat processor, restarted beef production last week after a ransomware attack forced it to halt operations across the globe.

“Ransomware attacks are always unacceptable, but when they target critical infrastructure we will spare no effort in our response,” Ms Monaco said.

Source: Rigzone