Colonial pays to free pipes
A major fuel pipeline firm in the US has paid hackers millions to regain control of its infrastructure.
US fuel supplies were put at risk in recent weeks, after a ransomware attack locked Colonial Pipeline out of its own system.
It now appears that Colonial Pipeline paid about $6.5 million to the ransomware group DarkSide within hours of the attack to unlock its systems, despite earlier saying it had no intention of paying to restore the largest fuel pipeline in the country.
The ransom was allegedly paid to DarkSide in cryptocurrency just hours after the cyber attack, and reports say US officials have been told of the payment.
Insiders say Colonial did not use a decryption tool provided to it by DarkSide, bringing in a third-party cyber security company to resolve the problem so it would not have to rely on the hacker-supplied fix.
Colonial was able to restart fuel shipments last Thursday. However, this was after more than two-thirds of petrol stations in North Carolina and nearly half of all pumps in South Carolina and Georgia were left without fuel.
The hack pushed the price of petrol in the US above $US3 a gallon for the first time since 2014.
Adam Meyers, vice-president of intelligence at cyber security company CrowdStrike, has told Nine Media reporters that the DarkSide ransomware system is well-known in cyber crime circles.
“We associated DarkSide as a criminal entity we track as CarbonSpider. CarbonSpider has been around since probably 2013 and they were kind of targeting Russian financial organisations, which is generally bad for your health, especially if you live in that region,” he told the AFR.
“In 2016, the financial group that was targeting Russia split off and we track that as a different group now. The group that remained was engaged in a lot of targeting of point of sales data, stuff like that, and since last summer [Australian winter] [they have] been getting in on ransomware, which is big business for these various threat actors.”
He said many would be surprised at how formalised the ransomware system is.
“I think the important thing to understand is that this is what we call ransomware as a platform or ransomware as a service. So CarbonSpider, the group that’s behind this, they built this platform and they manage the payment infrastructure and the actual ransomware tools, and they make this available to affiliates,” Mr Meyers said.
“The affiliates can effectively demonstrate that they know what they’re doing, they’ve got the capabilities, and they’re not cops or whatever … once they pass to some degree of vetting, then they’re able to use the platform to conduct the attacks and CarbonSpider takes a percentage off the top.”
IFM Investors - a group of Australian union- and employer-backed industry superannuation funds - owns a 16 per cent stake in Colonial Pipeline.
Liberal MP Tim Wilson - chair of the House of Representatives economics committee - has managed to tie the situation into his parliamentary inquiry into the superannuation sector.
“The threats of cyber attacks and ransoms are an ever-growing threat, and when Australians’ superannuation savings are overly exposed into unlisted assets it increases the risk they’ll land in the accounts of crooks over citizens,” Mr Wilson said.
“It’s important industry super’s mega fund, IFM Investors, is transparent in the action they’re taking to ensure Australians’ super isn’t funding criminal gangs and the like.
“We will shortly be putting to IFM Investors questions about these risks and what measures they’ve taken and will be taking into the future to ensure Australians’ superannuation is being invested for citizens’ retirement savings, not underwriting criminal syndicates.”