A top Biden administration cybersecurity official warned that cyberattacks on the nation’s infrastructure are “growing more sophisticated, frequent and aggressive,” at a Tuesday hearing focused on a spate of recent incidents impacting the US.
“Malicious cyber actors today are dedicating time and resources towards researching, stealing, and exploiting vulnerabilities, using more complex attacks to avoid detection and developing new techniques to target information and communication technology supply chains,” acting Cybersecurity and Infrastructure Security Agency Director Brandon Wales said.
His comments come as one of the nation’s largest pipeline operators remains sidelined in the wake of a ransomware attack that forced the company to shut down operations.
The victim of the attack, Colonial Pipeline, transports more than 100 million gallons of gasoline and other fuel daily from Houston to the New York Harbor.
Senior White House officials repeatedly said Monday their roles in addressing the latest ransomware incident were limited because Colonial Pipeline is a private company, even though it controls the gasoline supply to most of the eastern US.
Colonial yet to share information about vulnerability with government
Colonial has yet to share information with the federal government about the vulnerability the ransomware group DarkSide took advantage of to infiltrate the fuel company, according to a top official with the Cybersecurity and Infrastructure Security Agency.
“Our understanding is that that is part of the investigation that Colonial’s response vendor is still undertaking. That information has not yet been shared with the US government,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein told CNN in a phone interview.
However, Goldstein said various agencies across the government are engaged with Colonial and as part of an interagency effort to understand the intrusion and identify information that can be shared broadly.
“Now, we are deeply focused on sharing information with other organizations to protect themselves, both from this specific actor, the Darkside ransomware group. And since we know that ransomware actors often use similar techniques and procedures, making sure that all organizations understand the steps that they could take to protect themselves,” he added.
CISA is not providing technical assistance to Colonial Pipeline as of now, according to Goldstein. Wales confirmed Tuesday that DHS is still awaiting additional technical information from the Colonial Pipeline ransomware attack.
“I think right now we are waiting for additional technical information on exactly what happened at Colonial so we can use that information to potentially protect other potential victims down the road,” Wales said.
Wales said it’s “not surprising” that they haven’t yet received information, since it’s early in the investigation, adding that CISA has historically had a “good relationship” with both Colonial and the cybersecurity firms that are working on their behalf.
But Colonial Pipeline also did not contact CISA in the wake of the cyberattack, according to Wales.
“They did not contact CISA directly,” he said. “We were brought in by the FBI after they were notified about the incident.”
Wales said the agency received information “fairly quickly in concert with the FBI,” when pressed by Senate Homeland Security Ranking Member Rob Portman on whether it would have been helpful if Colonial reached out “immediately.”
Yet Wales acknowledged that he did not believe Colonial would have contacted them without the FBI’s involvement.
Colonial has engaged a third-party incident response company that is leading the investigation on their behalf, he said. CNN previously reported that FireEye Mandiant was brought on to manage the incident response investigation.
Private sector companies worked with government to disrupt attack
Private sector companies also worked with US agencies to take a key server offline as recently as Saturday, disrupting ongoing cyberattacks against Colonial Pipeline Co. and other ransomware victims, according to two sources familiar with the matter.
The move to intervene, which allowed Colonial to recover some of its stolen data, was taken in response to the DarkSide attack against the fuel pipeline company, one source told CNN, confirming the action first reported by Bloomberg.
Federal agencies and private companies that control the US-based servers were able to cut off key infrastructure used by the hackers to store stolen data before that information could be relayed back to Russia, both sources said.
Goldstein said CISA has no information about other victims at this time, but he pointed out that the DarkSide ransomware group is a well-known threat actor that has compromised numerous victims in recent months.
DarkSide is known to be based in Eastern Europe and carries out “double extortion” ransomware attacks, in which the attackers both encrypt a victim’s data and also steal some of it, threatening to release the stolen data and cause reputational damage if the victim doesn’t pay, he said.
Therefore, even if a victim has strong backups that allow it to restore the encrypted data, the attacker still has another way to extort the victim, he said.
“There has been some discussion that perhaps this actor tries to refrain from attacking hospitals, schools and the like. But certainly, they’re seen as a pernicious ransomware group that has caused significant harm to its victims, both in the US and elsewhere,” Goldstein said.