WASHINGTON — A Russian criminal group may be responsible for a ransomware attack that shut down a major U.S. fuel pipeline, two sources familiar with the matter said Sunday.
The group, known as DarkSide, is relatively new, but it has a sophisticated approach to the business of extortion, the sources said.
Commerce Secretary Gina Raimondo said Sunday that the White House was working to help Colonial Pipeline, the Georgia-based company that operates the pipeline, to restart its 5,500-mile network.
The system, which runs from Texas to New Jersey, transports 45 percent of the East Coast's fuel supply. In a statement Sunday, the company said that some smaller lateral lines were operational but that the main lines remained down.
"We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations," the company said.
Raimondo said on CBS' "Face the Nation" that the effort to restart the network was "an all-hands-on-deck effort right now."
"We are working closely with the company, state and local officials to make sure that they get back up to normal operations as quickly as possible and there aren't disruptions in supply," she said, adding: "Unfortunately, these sorts of attacks are becoming more frequent. They're here to stay."
A White House official said Sunday that the Energy Department is leading the government's response. Agencies are planning for a number of scenarios in which the region's fuel supply takes a hit, the official said.
On Saturday, Colonial Pipeline blamed the cyberattack on ransomware and said some of its information technology systems were affected. It said it "proactively" took "certain systems offline to contain the threat."
The company has not said what was demanded or who made the demand.
Although Russian hackers often freelance for the Kremlin, early indications suggest that this was a criminal scheme — not an attack by a nation-state — the sources said.
But the fact that Colonial had to shut down the country's largest gasoline pipeline underscores just how vulnerable the U.S. cyber infrastructure is to criminals and national adversaries, such as Russia, China and Iran, experts say.
"This could be the most impactful ransomware attack in history, a cyber disaster turning into a real-world catastrophe," said Andrew Rubin, CEO and co-founder of Illumio, a cybersecurity company.
"It's an absolute nightmare, and it's a recurring nightmare," he said. "Organizations continue to rely and invest entirely on detection, as if they can stop all breaches from happening. But this approach misses attacks over and over again. Before the next inevitable breach, the president and Congress need to take action on our broken security model."
If the culprit turns out to be a Russian criminal group, it will underscore that Russia gives free rein to criminal hackers who target the West, said Dmitri Alperovitch, a co-founder of the cyber company CrowdStrike who is executive chairman of the Silverado Policy Accelerator, a think tank.
"Whether they work for the state or not is increasingly irrelevant, given Russia's obvious policy of harboring and tolerating cybercrime," he said.
According to a top Reuters cybersecurity reporter, DarkSide has its own website on the dark web that features an array of leaked data from victims who it claims failed to pay ransom. It claims that the group has made millions from cyber extortion.