U.S. Seizes Share of Ransom From Hackers in Colonial Pipeline Attack


WASHINGTON – The Justice Department said Monday it had confiscated much of the ransom money a major U.S. pipeline operator paid to a Russian hacker collective last month and turned the tables by digging into a digital wallet to recapture millions of dollars in cryptocurrency.

Over the past few weeks, investigators traced the 75 bitcoins, worth more than $4 million, that Colonial Pipeline paid the hackers after the attack shut down its computer systems, causing fuel shortages, a surge in gasoline prices and mayhem at airlines.

Federal investigators tracked the ransom as it moved through a maze of at least 23 different electronic accounts controlled by the hacking group DarkSide, before it ended up in one that, according to court documents, a federal judge authorized law enforcement officials to break into.

The Justice Department said it seized 63.7 bitcoins worth about $2.3 million. (The value of a bitcoin has fallen in the last month.)

“The sophisticated use of technology to hold companies and even entire cities hostage for profit reasons is clearly a challenge for the 21st century,” officials said at a press conference at the Justice Department.

Law enforcement officials highlighted the seizure to warn cybercriminals that the United States intends to go after their profits, which are usually collected in cryptocurrencies like Bitcoin. It should also encourage victims of ransomware attacks, which occur on average every eight minutes, to notify the authorities so they can help recover the ransom.

For years, victims have chosen to quietly pay cybercriminals, assuming that paying would be cheaper than restoring data and services themselves. Although the FBI advises against ransom payments, they are legal and even tax deductible. But the payments, which collectively amount to billions of dollars, have funded and emboldened ransomware groups.

Justice Department officials said Colonial’s willingness to work quickly with the FBI helped get the ransom back, and they praised the company for its role in the division’s first effort to seize a cybercrime group’s profits.

“We must continue to take cyber threats seriously and invest accordingly to strengthen our defenses,” said Joseph Blount, CEO of Colonial, in a statement. Mr Blount said investigators helped Colonial understand the hackers and their tactics after his company contacted the FBI and the Justice Department to inform them of the attack.

The Justice Department’s announcement also came ahead of President Biden’s planned meeting with Russian President Vladimir V. Putin in Geneva next week, where Mr Biden is expected to address what American officials see as the Kremlin’s readiness to protect hackers. Russia typically does not arrest or extradite suspects in ransomware attacks.

The New York Times reported last month that the Colonial Pipeline ransom payment was withdrawn from DarkSide’s Bitcoin wallet, although it was not clear who orchestrated the move.

On Monday, the government filled in some of the gaps. DarkSide operates by supplying its ransomware to affiliates and, in return, takes a share of their profits.

Officials said they identified a virtual currency account, often called a wallet, that DarkSide used to collect payments from a ransomware victim, identified only as Victim X in court records, whose details match those of the Colonial attack. Officials said a judge in the Northern District of California approved a warrant Monday to seize funds from the wallet.

The FBI began the investigation into DarkSide last year and identified more than 90 victims in various economic sectors including manufacturing, legal, insurance, healthcare and energy, Paul M. Abbate, the FBI’s assistant director, told the news conference.

DarkSide first appeared in August and is believed to have started as an affiliate of another Russian hacking group, REvil, before setting up its own operation last year.

Weeks after DarkSide attacked Colonial, REvil used ransomware to extort money from JBS, one of the largest meat processors in the world. The attack forced the company to close nine beef plants in the United States, disrupted its poultry and pork operations, and had a significant impact on grocery stores and restaurants, which charged more for meat or removed it from their menus.

In the past few weeks, ransomware has also crippled the hospital that serves the Villages in Florida, the largest retirement community in the United States; television networks; NBA and minor league baseball teams; and even the ferries to Nantucket and Martha’s Vineyard in Massachusetts.

The episodes raised national awareness of digital vulnerabilities. White House officials said last week that they are working to address the cryptocurrency issues that have enabled ransomware attacks for years.

Last week, FBI Director Christopher A. Wray compared the threat posed by ransomware attacks to the challenge of global terrorism in the days following the September 11, 2001 attacks.

“There are many parallels, a great deal of meaning, and a great focus of ours on disruption and prevention,” he said. “There is a shared responsibility, not just among government agencies, but also in the private sector and even with the average American.”

Mr Wray added that the FBI is investigating 100 variants of software used in ransomware attacks, demonstrating the scale of the problem.

Although US officials were careful not to link the ransomware attacks directly to Russia, Mr Biden, Mr Wray and others said the country protects cyber criminals.

In many cases, Russia treats them as a national asset. In an attack on Yahoo in 2014, for example, Russian intelligence agents worked side by side with cybercriminals, allowing them to profit from the stolen data while directing them to pass on email accounts to the FSB, the successor agency to the Soviet-era KGB.

Putin has compared hackers to “artists who wake up in a good mood in the morning and start painting”. The reality, US officials say, is that they give Mr. Putin and the Russian intelligence agencies a degree of plausible deniability.

Not only is Mr Biden expected to raise the issue with Mr Putin, but the State Department is also in talks with around two dozen other countries about ways to jointly pressure Russia to fight cybercrime.

“If the Russian government wants to show that it is serious, there is plenty of room for them to demonstrate real progress that we are not seeing,” Wray said last week.

Anne Neuberger, assistant national security advisor on cyber and emerging technologies, warned American companies last week that ransomware had taken a dark turn, noting that it had recently “gone from data theft to disruption”.

The hackers targeted Colonial’s accounting systems directly. With those systems frozen, executives found they had no way to bill customers, and they shut down operations as a precaution. A confidential government assessment found that if the pipeline had stayed closed for two more days, the attack would have brought local public transit systems and chemical refineries that rely on Colonial for diesel deliveries to their knees.

The White House held emergency meetings to respond to the attack. The Biden administration announced that it would require pipeline companies to report significant cyberattacks and that the government would set up 24-hour emergency centers to deal with serious hacking incidents.

Cybersecurity experts welcomed the Justice Department’s move.

“It has become clear that we need to use multiple tools to stem the tide” of ransomware, said John Hultquist, vice president of the cybersecurity company FireEye. “A stronger focus on disruption can discourage this behavior, which is growing in a vicious circle.”

David E. Sanger contributed to the coverage.