The cyberattack on America’s largest fuel pipeline shows the fragility of the U.S. energy infrastructure system
In what many considered the most significant successful cyberattack ever on U.S. energy infrastructure, last Saturday the main pipeline carrying gasoline and diesel fuel to the Eastern United States was shut down by its operator after being hit with a cyberattack, according to a report from the Wall Street Journal.
The attack on the 5,500-mile pipeline system that carries fuel from the refineries of the Gulf Coast to the New York metro area also shows how vulnerable and unprepared the United States is in the event of cyberattacks on energy infrastructure.
Gasoline demand rose more than 40% on Monday in five states alone (Georgia, Florida, South Carolina, North Carolina, and Virginia), according to GasBuddy analyst Patrick De Haan.
The pipeline operator, the Alpharetta, GA-based Colonial Pipeline Co., said it learned a day before the media coverage that it was a victim of a cyberattack and “took certain systems offline to contain the threat, which has temporarily halted all pipeline operations.”
Then, in an update Saturday afternoon, Colonial said it found that the cyberattack on its pipeline involved ransomware, a type of malicious code that locks up computer systems and demands payment from the victim to have them unlocked. Colonial also added that the attack only struck its IT networks, not its operational networks.
“The company learned of the attack on some of its ‘information technology’ or corporate network systems” but “proactively took certain systems offline to contain the threat.”
As expected, it didn’t take long before the mainstream media blamed the attack on the “Russians,” even before any evidence was publicly available. Under the headline “Criminal group originating from Russia believed to be behind pipeline cyberattack,” CNN said, “A criminal group originating from Russia named ‘DarkSide’ is believed to be responsible for a ransomware cyberattack on the Colonial Pipeline, according to a former senior cyber official.”
Another piece from the New York Times also said that the FBI had confirmed the attack was perpetrated by DarkSide, which the paper described as “a relatively new criminal group believed to have roots in Eastern Europe” whose attack “exposed the remarkable vulnerability of key American infrastructure.”
However, there was a key caveat buried in the misleading “Russia-linked hacking” story: “Even though Russian hackers have worked on behalf of the Kremlin in the past, early indications suggest that this was a criminal scheme — not an attack by a nation-state,” the sources said.
To further support this point, according to Boston-based Cybereason, DarkSide is an organized group of hackers set up along the “ransomware as a service” (RaaS) business model, meaning the DarkSide hackers develop and market ransomware hacking tools, and sell them to other criminals who then carry out attacks. “Think of it as the evil twin of a Silicon Valley software startup,” CNBC also reported.
According to another report from Kela, an Israeli cyber intelligence startup, the new version of DarkSide ransomware includes faster encryption speed, VoIP calling, and virtual machine targeting. Kela also claims that the Windows version of DarkSide 2.0 “encrypts files faster than any other ransomware-as-a-service (RaaS), and is twice as fast as the previous version. It means that victims have even less time ‘to pull the plug’ if they discover that their network is infected.”
Cash, Not Chaos.
Then yesterday, DarkSide released the following statement on its website that appears to address the Colonial Pipeline shutdown. Under the heading, “About the latest news,” DarkSide claimed it’s not political and only wants to make money without causing problems for society.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” the statement said. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
The hacker group’s message later turned weird, saying that it will donate a portion of its profits to charities, although some of the charities have turned down the contributions.
“No matter how bad you think our work is, we are pleased to know that we helped change someone’s life,” the hackers wrote. “Today we sended [sic] the first donations.”
Meanwhile, the group’s typical ransom demands range from $200,000 to $20 million. As cybersecurity firm Cybereason said, the hacker group gathers detailed intelligence on its victims, learning the size and scope of the company as well as who the key decision-makers are inside the firm.