Federal investigators were able to recover more than half of the $4.4 million ransom payment that Colonial Pipeline made to the hackers who froze its computers and forced the shutdown of its massive fuel distribution system, the Biden administration announced on Monday.
By tracing the payment across the ostensibly anonymous cryptocurrency ecosystem, the government was able to locate and seize $2.27 million from a virtual currency account used by the hackers.
“The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st-century challenge, but the old adage ‘follow the money’ still applies,” Deputy Attorney General Lisa Monaco said during a news conference.
The announcement represents a rare bit of good news for the Biden administration as it rushes to fix digital weaknesses in the United States’ critical infrastructure, most of which is run by companies that have scant cyber expertise and are subject to little, if any, regulation.
It also bolsters federal officials’ argument that companies can help fight back against a rising tide of ransomware attacks if they cooperate with government investigations.
May’s five-day shutdown of Colonial’s pipeline — one of the East Coast’s biggest fuel suppliers — led to gasoline hoarding that produced widespread, albeit short-term, shortages and helped drive up the price at the pump. The incident refocused attention on the threat of ransomware, prompting new cyber rules for pipeline operators, a bipartisan congressional push for a hack notification law and a parade of hearings, including two this week.
The Colonial hack, and a subsequent attack last week on the world’s largest meat supplier, forced the steadily growing threat of ransomware onto the front burner for the Biden administration.
The DarkSide ransomware used to hack Colonial is one of more than 100 variants that the FBI is tracking, Deputy Director Paul Abbate said Monday. DarkSide, which is developed by a Russian criminal group that licenses it out to less sophisticated hackers, has struck more than 90 U.S. critical infrastructure companies in sectors ranging from manufacturing and health care to energy and insurance, Abbate said.
DOJ has created a task force on ransomware attacks, and the department recently announced that it was elevating the issue to the same severity level as terrorism, creating greater coordination between U.S. attorneys’ offices and prosecutors in Washington about which cases to charge. FBI Director Christopher Wray described the ransomware epidemic as a modern version of the Sept. 11, 2001, terrorist attacks.
Wray’s analogy, which was about the importance of public-private cooperation, underscored why ransomware has continued to plague society. For years, U.S. officials have urged companies to be more forthcoming when they are hacked, both so the government can help them recover and so federal experts can analyze the attacks and warn other potential victims. But many companies still refuse to disclose their breaches, fearing the legal, financial and reputational consequences of doing so.
Monaco used Monday’s announcement as an opportunity to hammer home the government’s message about preparing for and reporting breaches. “We are all in this together,” she said.
President Joe Biden recently signed an executive order that requires federal contractors to report cyber incidents to the government, and bipartisan draft legislation would extend that obligation to critical infrastructure operators and major IT service providers.
Colonial faced criticism for its initial reluctance to share information with the federal government. It alerted the FBI to the breach, but it did not notify DHS’ Cybersecurity and Infrastructure Security Agency, the government’s primary cyber defender. It took several days for Colonial to share breach data with CISA so the agency could prepare guidance for other potential targets, and even then, CISA’s acting director said he was in the dark about Colonial’s ransom payment.
That Colonial even paid the ransom was another source of controversy, as U.S. officials routinely warn against doing so, saying it fuels more attacks. “You are encouraging the bad actors,” Energy Secretary Jennifer Granholm said on NBC’s “Meet the Press” on Sunday.
Asked on Monday whether companies could feel better about paying ransoms given the possibility of their recovery, Monaco said doing so always entailed a risk.
“We may not be able to do this in every instance,” she said.
An affidavit filed by an FBI special agent to obtain the seizure warrant reflects the challenges facing investigators as they try to recover ransom payments.
Thanks to the transparent, decentralized nature of the technology underpinning Bitcoin, it was fairly easy for the FBI to use public tools to trace Colonial’s payment as it left the digital address that the hackers provided to the company and moved from one virtual wallet to another.
But the FBI was able to recover the money only because it had separately obtained the private key for the wallet where the money ended up. Without that key, the money would have remained locked away, as is true in many other ransomware cases. Officials did not say how they obtained the key in this case.
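The two points above (funds can be followed hop by hop across a public ledger, but moving them requires the key controlling the final address) as an added, simplified example that is not from the article or the FBI affidavit. It assumes a constructed UTXO-style ledger with made-up transaction ids and amounts, and a hash-of-key stand-in for Bitcoin's real key-to-address derivation:

```python
import hashlib
from collections import deque

def address_for_key(private_key: str) -> str:
    """Stand-in for Bitcoin's key-to-address derivation (assumption: a hash of
    the key; real Bitcoin uses an ECDSA public key, then HASH160 and Base58)."""
    return "addr_" + hashlib.sha256(private_key.encode()).hexdigest()[:8]

# Constructed demo key and ledger; not the real Colonial/DarkSide transactions.
SEIZED_KEY = "demo-private-key-held-by-investigators"
ADDR_FINAL = address_for_key(SEIZED_KEY)
LEDGER = [  # UTXO style: inputs reference (txid, output index) of earlier outputs
    {"txid": "tx1", "inputs": [], "outputs": [("addr_victim", 75.0)]},
    {"txid": "tx2", "inputs": [("tx1", 0)], "outputs": [("addr_ransom", 75.0)]},
    {"txid": "tx3", "inputs": [("tx2", 0)],
     "outputs": [("addr_hop1", 63.7), ("addr_affiliate", 11.3)]},
    {"txid": "tx4", "inputs": [("tx3", 0)], "outputs": [(ADDR_FINAL, 63.7)]},
]

def trace_funds(ledger, start_addr):
    """Follow every output paid to start_addr forward until the coins stop moving.
    Returns {address: amount} of the unspent outputs where the money now sits.
    Simplification: every output of a spending transaction is treated as tainted."""
    spender_of = {ref: tx for tx in ledger for ref in tx["inputs"]}
    by_txid = {tx["txid"]: tx for tx in ledger}
    queue = deque((tx["txid"], i) for tx in ledger
                  for i, (addr, _) in enumerate(tx["outputs"]) if addr == start_addr)
    seen, resting = set(), {}
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        nxt = spender_of.get(ref)
        if nxt is None:  # never spent: this is where the funds currently sit
            addr, amt = by_txid[ref[0]]["outputs"][ref[1]]
            resting[addr] = resting.get(addr, 0.0) + amt
        else:  # spent: keep following each output of the spending transaction
            queue.extend((nxt["txid"], i) for i in range(len(nxt["outputs"])))
    return resting

def can_seize(address: str, candidate_key: str) -> bool:
    """Tracing shows where the coins are; moving them still needs the key
    that controls that address."""
    return address_for_key(candidate_key) == address

if __name__ == "__main__":
    resting = trace_funds(LEDGER, "addr_ransom")
    print(resting, can_seize(ADDR_FINAL, SEIZED_KEY), can_seize(ADDR_FINAL, "guess"))
```

Running it shows the ransom split between a resting wallet and an affiliate's cut, and that only the matching key passes the seizure check.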