DOJ Recovers Half of Colonial Pipeline Ransom

Some good news in the hacking wars.

Less than a month ago, Colonial Pipeline paid hackers nearly $5 million in ransom to restore the flow of fuel to the southeast. Yesterday, the Justice Department announced they had recovered some of it.

YahooNews:

The Department of Justice announced Monday that it had recovered $2.3 million in cryptocurrency from criminal hackers who compromised a major U.S. pipeline in mid-May that resulted in fuel outages and hoarding across the East Coast for six days.

The U.S. District Court for the Northern District of California issued a seizure warrant on Monday, allowing the DOJ to take action to confiscate a large chunk of the $4.4 million paid by Colonial Pipeline to the DarkSide ransomware operators, who demanded payment in exchange for unlocking their victims’ stolen digital files.

“The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st century challenge, but the old adage ‘follow the money’ still applies,” said Lisa Monaco, President Biden’s deputy attorney general, during a press conference on Monday afternoon. “Today we turned the tables on DarkSide.”

The report doesn’t explain what happened to the other half of the money or why it took so long to get a warrant. [UPDATE: The NYT report observes, “The Justice Department said it seized 63.7 Bitcoins, valued at about $2.3 million. (The value of a Bitcoin has dropped over the past month.)” Later in the report, it indicates that the total payment was 75 Bitcoins. So it may simply be a valuation issue.]

But, obviously, good news. Presumably for the insurance company rather than Colonial Pipeline. But, also, a signal to would-be hackers that getting away with it is harder than it might look. Or, maybe, to use even darker methods.

According to U.S. intelligence officials, DarkSide is a criminal group operating somewhere in Russia that sells access to its malicious tools in exchange for a cut of the profits from successful extortions.

The FBI was able to track the destination of Colonial’s payment in bitcoin to a virtual wallet used by the criminal perpetrators, Monaco said.

DarkSide’s malware is one of hundreds of ransomware variants the FBI is currently tracking, according to FBI Deputy Director Paul Abbate, who also spoke at the press conference. During its investigation into DarkSide, the FBI identified “more than 90 victims” of the same kind of attack that hit Colonial, from manufacturing companies to legal, insurance, health care and energy firms, Abbate said.

While bitcoin has a reputation of being anonymous and secretive, leading criminal operators to use it to try to disguise their activities, the online ledger of payments is actually designed to be entirely public. A bitcoin user can use a pseudonym to open a virtual wallet, for instance, but that doesn’t always prevent law enforcement from accessing it or uncovering its owner.

However, there are other, more protected forms of digital currency like Monero, the use of which requires little extra effort on the part of criminal actors. The tactics used to recover Colonial’s payment likely won’t work across the board, according to cybersecurity experts. Even so, the DOJ’s actions on Monday prevented DarkSide from accessing millions of dollars. Plus, the combination of public attention and negative consequences following the Colonial attack led DarkSide to quite literally go dark, at least temporarily. Last month, it announced it was closing up shop.

“Cutting off access to revenue is one of the most impactful consequences we can impose,” Abbate said.

The sheer volume of these attacks is somewhat surprising but not remarkable. It’s seemingly easy money and relatively low-risk. One is unlikely to get shot during a cyberattack.

The politics of this are interesting. While, the Colonial Pipeline attack happened on Biden’s watch, it would certainly have happened if Trump had been re-elected. And while this recovery happened under Biden and his appointees took the lead in the press conference, it’s obviously the professionals at the FBI, the intelligence community, and elsewhere who deserve credit.

The Biden administration has been under increasing pressure to respond to the growing tide of ransomware attacks that have so far affected U.S. cities, hospitals, infrastructure and a range of small and large private businesses. Ransomware attacks have gone up by over 300 percent in the last year, costing victims over $350 million, according to Homeland Security Secretary Alejandro Mayorkas.

The DOJ and the FBI will continue to play a role responding to attacks and assisting victims after the fact. Monaco said one of her first moves in her new role was to launch a strategic cyber review within the department. The DOJ also recently created a ransomware task force to marshal its resources against the problem. While the DOJ has seized cryptocurrency belonging to ransomware operators before, the recovery of the Colonial Pipeline ransom was the task force’s first major operation, Monaco said. According to Abbate, victims who report quickly and share information with the FBI have the best chance of recovering access to their files and allowing the FBI to investigate the perpetrators.

I’m skeptical that a newly-created task force made the difference here. Or that FBI never put together a task force to deal with these things.

In addition, according to national security adviser Jake Sullivan, who spoke during Monday’s White House press briefing, Biden will be discussing ransomware with allies during his upcoming trip to Europe, where he will meet with a range of leaders before holding a summit with Russian President Vladimir Putin.

While Biden has said he does not believe the Russian government was behind the Colonial Pipeline incident, he does expect Russia to take action against criminal actors inside its borders.

According to Sullivan, Biden will discuss an “action plan” to deal with ransomware during the G-7 summit in the United Kingdom, which will involve discussions on how to increase resilience of digital networks, share information about attacks and “deal with the cryptocurrency challenge.”

Getting much cooperation from Putin will of course be dicey. But governments absolutely have to be held accountable for widespread international crime being conducted from within their borders.

FILED UNDER: Crime, Law and the Courts
James Joyner
About James Joyner
James Joyner is Professor and Department Head of Security Studies at Marine Corps University's Command and Staff College and a nonresident senior fellow at the Scowcroft Center for Strategy and Security at the Atlantic Council. He's a former Army officer and Desert Storm vet. Views expressed here are his own. Follow James on Twitter @DrJJoyner.

Comments

  1. Jay L Gischer says:

    I saw this last night. I know nothing of the parties here or their credibility.

  2. Sleeping Dog says:

    The Biden administration has been under increasing pressure to respond to the growing tide of ransomware attacks…

    The basic problem isn’t that law enforcement, homeland security and the intelligence agencies aren’t on the issue, but that the victims of the ransomware attacks are complicit in their own victimization. Far too many businesses are unwilling to make the financial and cultural changes required to secure their networks. Many companies have decided that it is cheaper to pay the ransom than secure the network, after all that Windows 2000 server that runs a critical biz application, manages the app just fine… As far as public sector victims go, that’s simply taking candy from a baby.

    3
  3. Just nutha ignint cracker says:

    While Biden has said he does not believe the Russian government was behind the Colonial Pipeline incident, he does expect Russia to take action against criminal actors inside its borders.

    I wouldn’t be counting on Russia taking action at all–unless “taking action” is defined as demanding a cut. (Which could explain why only 63.7 Bitcoins were recoverable [or am I being too cynical again?].)

  4. Jen says:

    @Sleeping Dog:

    The basic problem isn’t that law enforcement, homeland security and the intelligence agencies aren’t on the issue, but that the victims of the ransomware attacks are complicit in their own victimization. Far too many businesses are unwilling to make the financial and cultural changes required to secure their networks.

    Emphasis added by me. There was a Bloomberg piece that had former employees of JBS saying the company didn’t want to spend money on its cyber defenses.

    I’m pleased that Colonial got some of its money back, but am concerned about the notion that the government is now expected to go chasing after ransom money paid out by companies too damn cheap to shore up their cybersecurity.

    1
  5. I am some difficulty in understanding how you seize bitcoins

  6. HarvardLaw92 says:

    @Miguel Madeira:

    You seize control of the wallet containing them. He who controls the wallet controls the bitcoin.

    1