WASHINGTON — The Justice Department said on Monday that it had seized much of the ransom that a major US pipeline operator paid last month to a Russian hacking group, turning the tables on the hackers by reaching into a digital wallet to recover millions of dollars in cryptocurrency.
Investigators in recent weeks traced 75 bitcoins, worth more than $4 million, that Colonial Pipeline paid to the hackers after the attack shut down its computer systems, leading to fuel shortages, a spike in gasoline prices and chaos at airlines.
Federal investigators tracked the ransom as it moved through a maze of at least 23 different electronic accounts belonging to Darkside, the hacking group, before landing in one that a federal judge allowed them to break into, according to law enforcement officials and court documents.
The Justice Department said it confiscated 63.7 bitcoins worth approximately $2.3 million. (Bitcoin’s value has dropped over the past month.)
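The "follow the money" tracing described above amounts to walking a transaction graph forward from the victim's payment address until the funds come to rest in an address that has not yet been spent from. The Python below is an added illustration of that idea and is not code from the article, the Justice Department or any blockchain-analysis vendor; it runs over a small constructed ledger whose addresses, transaction IDs and amounts are invented (the figures loosely mirror the 75 BTC paid and 63.7 BTC seized, but the hop structure is hypothetical).

```python
from collections import deque

# Constructed sample ledger (not real chain data). Each entry records the
# addresses a transaction spends from and the (address, amount) outputs it pays.
# Amounts loosely mirror the article: 75 BTC in, 63.7 BTC resting in the wallet
# that is eventually seized, the rest being the operator's cut.
SAMPLE_LEDGER = [
    {"txid": "tx1", "inputs": ["victim_pay"], "outputs": [("ds_collect", 75.0)]},
    {"txid": "tx2", "inputs": ["ds_collect"], "outputs": [("ds_cut", 11.3), ("aff_hop1", 63.7)]},
    {"txid": "tx3", "inputs": ["aff_hop1"], "outputs": [("aff_hop2", 63.7)]},
    {"txid": "tx4", "inputs": ["aff_hop2"], "outputs": [("aff_rest", 63.7)]},
    {"txid": "tx5", "inputs": ["ds_cut"], "outputs": [("exchange_deposit", 11.3)]},
]


def spends_by_address(ledger):
    """Index: address -> list of transactions that spend from that address."""
    index = {}
    for tx in ledger:
        for addr in tx["inputs"]:
            index.setdefault(addr, []).append(tx)
    return index


def trace_forward(ledger, start_addr, min_amount=0.0):
    """Follow value forward from start_addr until it reaches addresses that
    nothing has spent from yet (where the funds currently rest).

    Returns a list of paths; each path is a list of (txid, address, amount)
    hops, so len(path) is the number of transactions between the starting
    address and the resting address. Outputs below min_amount are ignored,
    which drops dust and change outputs an investigator would not chase.
    """
    index = spends_by_address(ledger)
    paths = []
    # Breadth-first search over the transaction graph. 'seen' keys on
    # (txid, output address) so a transaction funded from two traced
    # inputs, or a loop back to an earlier address, is not walked twice.
    queue = deque([(start_addr, [])])
    seen = set()
    while queue:
        addr, path = queue.popleft()
        spending = index.get(addr, [])
        if not spending:
            if path:  # a resting address; the empty path means start_addr itself is unspent
                paths.append(path)
            continue
        for tx in spending:
            for out_addr, amount in tx["outputs"]:
                if amount < min_amount:
                    continue
                key = (tx["txid"], out_addr)
                if key in seen:
                    continue
                seen.add(key)
                queue.append((out_addr, path + [(tx["txid"], out_addr, amount)]))
    return paths


def resting_balances(paths):
    """Summarise where traced funds came to rest: address -> (amount, hop count)."""
    return {path[-1][1]: (path[-1][2], len(path)) for path in paths}


if __name__ == "__main__":
    for addr, (amount, hops) in resting_balances(trace_forward(SAMPLE_LEDGER, "victim_pay")).items():
        print(f"{amount:6.1f} BTC resting at {addr} after {hops} hop(s)")
```

On the constructed ledger the 63.7 BTC share is found four transactions downstream of the victim's payment, and raising `min_amount` to ignore small outputs prunes the operator's cut from the search. Real investigations add the piece this example omits: tying the resting address to a custodian or a key the government can obtain by warrant.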
“The sophisticated use of technology to hold businesses and even entire cities hostage for profit is certainly a challenge of the 21st century, but the old adage ‘follow the money’ still applies,” Deputy Attorney General Lisa O. Monaco said at a news conference at the Justice Department.
Law enforcement officials highlighted the seizure as a warning to cybercriminals that the United States intends to go after their profits, which are usually collected in cryptocurrencies such as bitcoin. It was also meant to encourage victims of ransomware attacks, which occur every eight minutes on average, to notify the authorities, which can help recover ransoms.
For years, victims have quietly opted to pay cybercriminals, calculating that payment will be cheaper than rebuilding data and services. Although the FBI discourages ransom payments, they are legal and even tax deductible. But the payments – which collectively total billions of dollars – have funded and encouraged ransomware groups.
Justice Department officials said Colonial’s willingness to quickly loop in the FBI helped recoup part of the ransom, and they credited the company’s role in what they described as the first seizure of its kind by a new ransomware task force in the department, created to go after cybercriminals’ profits.
“We must continue to take cyber threats seriously and invest accordingly to strengthen our defenses,” Colonial’s chief executive, Joseph Blount, said in a statement. Mr Blount said that after the company contacted the FBI and the Justice Department to report the attack, investigators helped Colonial understand the hackers and their tactics.
The Justice Department’s announcement also came ahead of President Biden’s scheduled meeting with President Vladimir V. Putin of Russia in Geneva next week, where Mr Biden is expected to raise the Kremlin’s willingness to harbor hackers, US officials said. Russia generally does not arrest or extradite suspects in ransomware attacks.
The New York Times reported last month that Colonial Pipeline’s ransom payment had been moved out of Darkside’s bitcoin wallet, though it was unclear who had carried out the move.
On Monday, the government filled in some of the blanks. Darkside operates by providing ransomware to affiliates, who carry out the attacks; in return, Darkside takes a cut of their profits.
Officials said they had identified a virtual currency account, commonly called a wallet, used to collect payments from a Darkside ransomware victim identified in court papers only as Victim X, but whose description of the hacking matches Colonial. A magistrate judge in the Northern District of California approved a warrant on Monday to seize the money from the wallet, officials said.
The FBI opened an investigation into Darkside last year and has identified more than 90 victims across multiple sectors of the economy, including manufacturing, law, insurance, health care and energy, the FBI’s deputy director, Paul M. Abbate, said at the news conference.
Darkside first surfaced in August and is believed to have started as an affiliate of another Russian hacking group, REvil, before opening its own operation last year.
Weeks after Darkside attacked Colonial, REvil used ransomware in an attempt to extort JBS, one of the largest meat processors in the world. The attack forced the company to shut nine beef plants in the United States, disrupted poultry and pork plants, and had a significant effect on grocery stores and restaurants, which had to pay more for meat products or remove them from their menus.
In recent weeks, ransomware has also crippled a hospital that serves The Villages in Florida, the largest retirement community in the United States; a television network; NBA and minor league baseball teams; and even the ferries to Nantucket and Martha’s Vineyard in Massachusetts.
The episode has thrust digital vulnerabilities into the national consciousness. White House officials said last week that they were working to address the problems posed by cryptocurrency, which has enabled ransomware attacks for years.
Last week, the FBI director, Christopher A. Wray, compared the threat of ransomware attacks to the challenge of global terrorism in the days after the Sept. 11, 2001, attacks.
“There are a lot of similarities, a lot of importance, and we have a lot of focus on disruption and prevention,” he said. “There is a shared responsibility, not only in government agencies, but in the private sector and even among the average American.”
Mr Wray said the FBI was investigating 100 software variants used in ransomware attacks, which demonstrates the scale of the problem.
While US officials have been careful not to directly attribute the ransomware attacks to the Russian government, Mr Biden, Mr Wray and others have said the country shelters cybercriminals.
In many respects, Russia regards them as national assets. In the 2014 breach of Yahoo, for example, Russian intelligence officers worked side by side with cybercriminals, allowing them to profit from the stolen data while instructing them to hand over certain email accounts to the FSB, the successor agency to the Soviet-era KGB.
Mr Putin has likened the hackers to “artists who wake up in the morning in a good mood and start painting.” US officials say the reality is that they give Mr Putin and the Russian intelligence services a layer of plausible deniability.
Mr Biden is expected to raise the issue not only with Mr Putin; the State Department is also in talks with some two dozen other countries to jointly pressure Russia to address cybercrime.
“If the Russian government wants to show that it is serious about this issue, there is a lot of room for them to demonstrate some real progress that we are not seeing,” Mr Wray said last week.
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, warned US businesses last week that ransomware had taken a dark turn, with a recent shift “from stealing data to disrupting operations.”
The hackers directly targeted Colonial’s billing system. With that frozen, executives found they had no way to charge customers and shut down operations pre-emptively. A confidential government assessment determined that had the pipeline remained closed for two more days, the attack could have crippled mass transit systems and chemical refineries that depend on Colonial to transport diesel.
The White House held emergency meetings to address the attack. The Biden administration announced that it would require pipeline companies to report significant cyberattacks, and that the government would create a 24-hour emergency center to deal with serious hacks.
Cyber security experts have welcomed the Justice Department’s move.
“It has become clear that we need to use multiple tools to stem the tide of ransomware,” said John Hultquist, vice president of cybersecurity firm FireEye. “A strong focus on disengagement can discourage this behavior, which is spiraling into a vicious cycle.”
David E. Sanger Contributed reporting.