DOJ email accounts compromised in SolarWinds hack attributed to Russians



The Department of Justice on Wednesday disclosed that its computer systems were among those compromised by a massive cybersecurity breach of government networks that U.S. officials attribute to Russia.

According to the Associated Press, the DOJ said that 3% of its Microsoft Office 365 email accounts were potentially hacked. The DOJ does not believe that classified systems were breached but would not say to whom the email accounts belonged.

"On Dec. 24, 2020, the Department of Justice's Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department's Microsoft O365 email environment," the DOJ said in a statement.

"After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the O365 email environment. At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted," the statement continued.

"As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination. The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted," the DOJ said.

On Tuesday, United States intelligence agencies formally accused the Russian government of orchestrating the cyberattack on software manufactured by IT company SolarWinds. The breach of government networks, disclosed last month, is estimated to have affected some 18,000 SolarWinds customers and an as yet unknown number of federal agencies, including the DOJ, the U.S. Treasury, and the Department of Commerce. Other agencies, including the Department of Homeland Security, the Department of Defense, and the Energy Department's National Nuclear Security Administration, have also confirmed they were affected by the attack.

A joint statement from the FBI, the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) blamed Russia for the attack. The Hill reported these agencies had set up a cyber unified coordination group in December to investigate the extent of the SolarWinds hack.

"This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the agencies said.

Dominion Voting Systems denies using SolarWinds Orion software, which was compromised by foreign hackers



On Sunday, IT company SolarWinds reported that one of its network management products was compromised in a "highly-sophisticated, targeted and manual supply chain attack by a nation state." Further reporting from Reuters revealed that hackers believed to be working for Russia have been monitoring communications at the U.S. Treasury and Commerce Departments, two government agencies that use SolarWinds' Orion suite of network management software.

Also, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering all federal civilian agencies to review their networks for indicators of compromise and to immediately disconnect or power down SolarWinds Orion products.

As this story developed, rumors began spreading that Dominion Voting Systems, the voting machine manufacturer assailed by allegations of election tampering made by President Donald Trump and his allies, uses SolarWinds software and may have been compromised in the same cyberattack that targeted federal agencies.

Those rumors are unproven and Dominion Voting Systems has made a public statement claiming it has never used the compromised SolarWinds Orion Platform.

What happened?

SolarWinds is a software developer that helps businesses manage their networks, systems, and technology infrastructure. The company also serves government agencies in the executive branch, the military, and intelligence services, according to Reuters.

On Sunday, the company issued a security advisory announcing that updates to its Orion Platform software released between March and June 2020 had been compromised in a targeted attack attributed to a foreign government.

"We are aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products," SolarWinds President and CEO Kevin Thompson said in an email statement. "We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state."

U.S. government officials reportedly believe Russia is behind the hacking attack, which according to Reuters was so serious that the National Security Council met at the White House to discuss the matter. Publicly, the government has only confirmed that the Treasury and Commerce Departments were breached and has not yet officially blamed Russia.

Sources that spoke to Reuters said Russian hackers infiltrated SolarWinds' Orion platform and through it were able to monitor internal email traffic at the compromised federal agencies.

The Russian foreign ministry on social media accused the U.S. media of making unfounded allegations blaming Russia for cyberattacks on U.S. agencies.

Following reports of the compromised systems, CISA issued an emergency directive ordering federal agencies that use SolarWinds Orion products to immediately disconnect or power down computers with that software installed.

"Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed," CISA advised.

CISA Acting Director Brandon Wales also encouraged businesses in the private sector that use the Orion platform to assess their network security.

"The compromise of SolarWinds' Orion Network Management Products poses unacceptable risks to the security of federal networks," explained Wales. "Tonight's directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners — in the public and private sectors — to assess their exposure to this compromise and to secure their networks against any exploitation."

SolarWinds' website proudly proclaims that the company services most of America's Fortune 500 companies, the top 10 U.S. telecommunications providers, all five branches of the U.S. military, the State Department, the National Security Agency, and the Office of President of the United States, Reuters reports.

The discovery of the attack on SolarWinds' Orion products came just days after the cybersecurity firm FireEye announced it had been the target of a cyberattack. In fact, FireEye stumbled across the compromised SolarWinds software while investigating the attack on its own firm.

"There will unfortunately be more victims that have to come forward in the coming weeks and months," said Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye's incident response arm.

U.S. officials speaking to Reuters anonymously also indicated that the cyberattack may be much bigger than currently known.

"This is a much bigger story than one single agency," said one of Reuters' sources. "This is a huge cyber espionage campaign targeting the U.S. government and its interests."

The Dominion Voting Systems rumors

Shortly after the news of the hacking attack on SolarWinds' Orion Platform broke, claims that Dominion Voting Systems used SolarWinds products and had not yet powered down those products began circulating on social media.

Ron Watkins, a former administrator on the message board website 8chan, shared a screenshot of a mobile login portal purportedly belonging to Dominion Voting Systems that appears to run on SolarWinds software.

"Dominion Voting Systems uses SolarWinds products and it is still not powered down. Was Dominion Voting Systems a t… https://t.co/bqhGiRrCDh"
— Ron (Twitter), Dec. 14, 2020

While the screenshot, which shows a still active page, indicates that Dominion did use some SolarWinds product, it was not clear whether Dominion used the Orion product, which was the specific SolarWinds software that was compromised.

Journalist Kim Zetter highlighted a thread on Twitter explaining that Dominion does in fact use a SolarWinds product, but that it is a different product from the compromised Orion software.

"To everyone who sent me screenshot of Dominion Voting Systems web site saying it's proof Dominion was using SolarWi… https://t.co/k3VhhjiJeO"
— Kim Zetter (Twitter), Dec. 15, 2020

In a statement made to the Daily Dot, Dominion said that it has never used the Orion software that hackers maliciously tampered with to gain access to federal agencies.

"Dominion Voting Systems does not now — nor has it ever — used the SolarWinds Orion Platform, which was subject of the DHS emergency directive dated December 12, 2020," a spokesperson for Dominion said.

TheBlaze reached out to Dominion Voting Systems for additional comment but the company did not respond.