WASHINGTON – The Justice Department said on Monday it had seized much of the ransom that a major U.S. pipeline operator paid to a Russian hacking collective last month, turning the tide on hackers by grabbing a digital wallet to collect millions of dollars in cryptocurrency.
In recent weeks, investigators have traced 75 Bitcoins worth over $4 million that Colonial Pipeline paid hackers as the attack shut down its computer systems, causing fuel shortages, skyrocketing gasoline prices and chaos for the airlines.
Federal investigators tracked the ransom as it moved through a maze of at least 23 different email accounts owned by DarkSide, the hacking group, before landing in an account that a federal judge allowed them to break into, according to law enforcement officials and court documents.
The Justice Department said it seized 63.7 Bitcoins, valued at around $2.3 million. (The value of a Bitcoin has fallen over the past month.)
“The sophisticated use of technology to hold businesses and even entire cities hostage for profit is definitely a challenge of the 21st century, but the old adage ‘follow the money’ still applies,” said Lisa O. Monaco, the Deputy Attorney General, at a press conference at the Justice Department.
Law enforcement officials highlighted the seizure in an attempt to warn cybercriminals that the United States planned to target their profits, which are often obtained through cryptocurrencies like Bitcoin. It also aimed to encourage victims of ransomware attacks – which occur every eight minutes on average – to notify authorities to help them recover the ransoms.
For years, victims have chosen to quietly pay cybercriminals, calculating that the payment would be cheaper than reconstructing data and services. Although the FBI discourages ransom payments, they are legal and even tax deductible. But the payments – which collectively total billions of dollars – have funded and emboldened the ransomware groups.
Justice Department officials said Colonial’s quick decision to contact the FBI helped recover part of the ransom, and they credited the company for its role in a one-of-a-kind effort by the department’s new ransomware task force to hijack a cybercrime group’s profits.
“We must continue to take cyber threats seriously and invest accordingly to strengthen our defenses,” Joseph Blount, CEO of Colonial, said in a statement. Mr. Blount said that after his company contacted the FBI and the Justice Department to inform them of the attack, investigators helped Colonial understand the hackers and their tactics.
The Justice Department’s announcement also came ahead of President Biden’s scheduled meeting with Russian President Vladimir V. Putin next week in Geneva, where Mr. Biden is expected to address what US officials see as the Kremlin’s willingness to protect hackers. Russia does not generally arrest or extradite suspects in ransomware attacks.
The New York Times reported last month that the Colonial Pipeline ransom payment had been removed from DarkSide’s Bitcoin wallet, although it is not clear who orchestrated the move.
On Monday, the government filled in some of the blanks. DarkSide works by providing ransomware to affiliates. In return, DarkSide takes a share of their profits.
Officials said they identified a virtual currency account, often referred to as a wallet, that DarkSide used to collect payment from a ransomware victim – identified in court documents only as Victim X, but whose hack details match those of Colonial. Officials said a magistrate in the Northern District of California on Monday approved a warrant to seize funds in the wallet.
The FBI began investigating DarkSide last year and has identified more than 90 victims in several sectors of the economy, including manufacturing, law, insurance, health care and energy, said Paul M. Abbate, Deputy Director of the FBI, at the press conference.
DarkSide first appeared in August and is said to have started as a subsidiary of another Russian hacking group, called REvil, before opening its own operation last year.
Weeks after DarkSide’s attack on Colonial, REvil used ransomware to attempt to extort money from JBS, one of the world’s largest meat processors. The attack forced the company to close nine beef plants in the United States, disrupted poultry and pork plants, and had a significant impact on grocery stores and restaurants, which had to charge more or cut meat products from their menus.
In recent weeks, ransomware has also crippled the hospital serving the Villages of Florida, the largest retirement community in the United States; television networks; NBA and minor league baseball teams; and even ferries to Nantucket and Martha’s Vineyard in Massachusetts.
The episodes raised digital vulnerabilities in the national consciousness. White House officials said last week that they are working to resolve issues with cryptocurrency, which has enabled ransomware attacks for years.
Last week, Christopher A. Wray, the director of the FBI, compared the threat of ransomware attacks to the challenge of global terrorism in the days following the September 11, 2001 attacks.
“There are a lot of parallels, there is a lot of importance, and we focus a lot on disruption and prevention,” he said. “There is a shared responsibility, not only among government agencies, but across the private sector and even the average American.”
Mr. Wray added that the FBI was investigating 100 software variants used in ransomware attacks, demonstrating the scale of the problem.
While U.S. officials have been careful not to directly link the ransomware attacks to Russia, Mr. Biden, Mr. Wray and others have said the country is protecting cybercriminals.
In many cases, Russia treats them as national assets. During a Yahoo breach in 2014, for example, Russian intelligence operatives worked alongside cybercriminals, allowing them to profit from stolen data, while asking them to forward email accounts to the FSB, the successor agency to the Soviet-era KGB.
Mr. Putin compared hackers to “artists who wake up in the morning in a good mood and start painting.” The reality, US officials say, is that the hackers are giving Mr. Putin and the Russian intelligence services a plausible layer of deniability.
Not only is Mr. Biden expected to address the issue with Mr. Putin, but the State Department is also in talks with around 20 other countries on ways to jointly pressure Russia to fight cybercrime.
“If the Russian government wants to show that it is serious about this issue, there is a lot of room for it to demonstrate real progress that we are not seeing,” Mr. Wray said last week.
Anne Neuberger, deputy national security adviser for cyber and emerging technologies, warned US companies last week that ransomware had taken a dark turn, noting a recent shift “from data theft to business disruption.”
The hackers targeted Colonial’s billing systems directly. With those frozen, executives discovered they had no way to bill customers and shut down operations preemptively. A confidential government assessment determined that had the pipeline been closed for another two days, the attack could have brought transit systems and chemical refineries, which depend on Colonial to transport diesel, to their knees.
The White House held emergency meetings to deal with the attack. The Biden administration has announced that it will require pipeline companies to report significant cyber attacks and that the government will establish 24-hour emergency centers to handle serious hacks.
Cybersecurity experts hailed the Justice Department’s decision.
“It has become clear that there are several tools we need to use to stem the tide” of ransomware, said John Hultquist, vice president of the cybersecurity firm FireEye. “A stronger focus on disruption can discourage this behavior, which develops in a vicious cycle.”
David E. Sanger contributed reporting.