WASHINGTON – The Justice Department said on Monday that it had seized most of the ransom a major American pipeline operator paid last month to a Russian hacking collective, turning the tables on the hackers by reaching into a digital wallet to claw back millions of dollars in cryptocurrency.
Investigators in recent weeks have traced the 75 Bitcoins, worth more than $4 million, that Colonial Pipeline paid the hackers after the attack shut down its computer systems, causing fuel shortages, soaring gasoline prices and chaos at airlines.
Federal investigators tracked the ransom as it moved through a maze of at least 23 different electronic accounts belonging to DarkSide, the hacking group, before landing in one that a federal judge allowed them to break into, according to law enforcement officials and court documents.
The Justice Department said it seized 63.7 Bitcoins, worth about $2.3 million. (Bitcoin’s value has fallen over the past month.)
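What "following the money" across a chain of wallets involves can be shown with a small forward-tracing routine over a transaction ledger. This is an added example written for this page, not code from the article, the Justice Department or any blockchain-analytics vendor. The ledger it runs on is constructed: the txids and addresses are made-up placeholders rather than real on-chain identifiers, and the hop-and-split pattern (one share peeled off to an affiliate, the remainder merged with unrelated funds in a final wallet) is a stand-in for the 23-account path the article describes, not a reconstruction of it.

```python
"""Forward-trace a ransom payment through a chain of Bitcoin transactions.

Added example for this page; not code from the article, the FBI or any
tracing vendor. The ledger is constructed: a 75 BTC payment hops through
intermediary addresses, a share is peeled off for an affiliate, and the bulk
lands in one wallet merged with unrelated coins. Txids and addresses are
placeholders, amounts are integer satoshis.
"""
from fractions import Fraction

BTC = 100_000_000  # satoshis per bitcoin


def btc(amount):
    """Convert a BTC amount to integer satoshis (avoids float rounding)."""
    return int(round(amount * BTC))


# Constructed ledger in confirmation order. Each tx spends earlier outpoints
# (txid, vout) and creates outputs (address, sats). Inputs minus outputs is
# the miner fee.
LEDGER = [
    # the ransom payment itself
    {"txid": "tx_pay", "inputs": [("tx_victim_funding", 0)],
     "outputs": [("addr_ransom", btc(75.0))]},
    # hop 1: whole amount forwarded, 0.01 BTC fee
    {"txid": "tx_h1", "inputs": [("tx_pay", 0)],
     "outputs": [("addr_a", btc(74.99))]},
    # hop 2: affiliate share peeled off, remainder forwarded, 0.01 BTC fee
    {"txid": "tx_h2", "inputs": [("tx_h1", 0)],
     "outputs": [("addr_affiliate", btc(11.25)), ("addr_b", btc(63.73))]},
    # hop 3: remainder merged with 10 BTC of unrelated funds into one wallet
    {"txid": "tx_h3", "inputs": [("tx_h2", 1), ("tx_other_funding", 0)],
     "outputs": [("addr_final", btc(73.73))]},
]

# Outputs that pre-date the ledger, so every input can be resolved.
PRIOR_OUTPUTS = {
    ("tx_victim_funding", 0): ("addr_victim", btc(75.0)),
    ("tx_other_funding", 0): ("addr_other", btc(10.0)),
}


def trace_forward(ledger, prior_outputs, start):
    """Follow funds from outpoint `start` through every later spend.

    Uses proportional (haircut) tainting: when a transaction merges tainted
    and untainted inputs, each output inherits taint in the same ratio as
    the inputs carried, so merges and fees never inflate the traced amount.
    Assumes `ledger` is in confirmation order (as a real chain is), so every
    transaction is seen after the ones it spends from.

    Returns (unspent, touched): `unspent` lists tainted outputs nobody has
    spent yet as (address, held_sats, tainted_sats, hops); `touched` is the
    ordered list of addresses the tainted funds passed through.
    """
    outputs = dict(prior_outputs)            # outpoint -> (address, sats)
    spent = set()                            # outpoints consumed by some tx
    for tx in ledger:                        # index the whole ledger first
        spent.update(tx["inputs"])
        for vout, out in enumerate(tx["outputs"]):
            outputs[(tx["txid"], vout)] = out

    taint = {start: Fraction(outputs[start][1])}   # outpoint -> tainted sats
    hops = {start: 0}
    touched = [outputs[start][0]]

    for tx in ledger:
        tainted_in = sum(taint.get(op, Fraction(0)) for op in tx["inputs"])
        if tainted_in == 0:
            continue                         # unrelated to the traced funds
        total_in = sum(outputs[op][1] for op in tx["inputs"])
        ratio = tainted_in / total_in        # exact, thanks to Fraction
        hop = 1 + max(hops[op] for op in tx["inputs"] if op in taint)
        for vout, (addr, sats) in enumerate(tx["outputs"]):
            op = (tx["txid"], vout)
            taint[op] = ratio * sats
            hops[op] = hop
            if addr not in touched:
                touched.append(addr)

    unspent = [(outputs[op][0], outputs[op][1], taint[op], hops[op])
               for op in taint if op not in spent]
    return unspent, touched


if __name__ == "__main__":
    unspent, touched = trace_forward(LEDGER, PRIOR_OUTPUTS, ("tx_pay", 0))
    print("path:", " -> ".join(touched))
    for addr, held, tainted, hop in unspent:
        print(f"{addr}: holds {held / BTC:.2f} BTC, "
              f"{float(tainted) / BTC:.2f} BTC traceable to ransom, {hop} hops")
```

Two points the run makes concrete. First, the final wallet holds 73.73 BTC but only 63.73 BTC of it is traceable to the payment, which is the kind of figure a seizure warrant has to be scoped to; the rest belongs to whoever funded the other input. Second, the 11.25 BTC peeled off at hop 2 to the affiliate's address is also tainted and also still unspent, but sits in a different wallet, so obtaining access to the final wallet alone would not recover it. Real chain data carries many more inputs and outputs per transaction, and tracing decisions about change outputs and exchange deposits are judgment calls this example does not attempt.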
“The sophisticated use of technology to hold businesses and even cities hostage for profit is a defining challenge of the 21st century, but the old adage ‘follow the money’ still applies,” Deputy Attorney General Lisa O. Monaco said at a news conference at the Justice Department.
Law enforcement officials highlighted the seizure in an effort to warn cybercriminals that the United States plans to go after their profits, which are often collected in cryptocurrencies like Bitcoin. It was also intended to encourage victims of ransomware attacks, which occur on average every eight minutes, to notify the authorities so that the ransom can be recovered.
For years, victims have chosen to quietly pay cybercriminals, calculating that the payment would be cheaper than rebuilding their data and services. While the FBI discourages ransom payments, they are legal and even tax-deductible. But the payments, which have totaled billions of dollars, have funded and incentivized ransomware groups.
Justice Department officials said Colonial’s willingness to quickly contact the FBI helped recover the ransom, and they credited the company for its role in the first operation by a new ransomware task force set up to go after cybercriminals’ profits.
“We must continue to take cyber threats seriously and invest accordingly to strengthen our defenses,” Joseph Blount, Colonial’s chief executive, said in a statement. Blount said that after his company contacted the FBI and the Justice Department about the attack, investigators helped Colonial understand the hackers and their tactics.
The Justice Department’s announcement also comes ahead of President Biden’s scheduled meeting with President Vladimir V. Putin of Russia next week in Geneva, where Biden is expected to raise the issue. U.S. officials consider the Kremlin willing to provide safe harbor for hackers; Russia generally does not arrest or extradite suspects in ransomware attacks.
The New York Times reported last month that Colonial Pipeline’s ransom had moved out of DarkSide’s Bitcoin wallet, though it was unclear who orchestrated the move.
On Monday, the government filled in some of the blanks. DarkSide operates by providing its ransomware to affiliates, who carry out the attacks. In return, DarkSide takes a share of their profits.
Officials said they had identified a virtual currency account, commonly known as a wallet, that DarkSide used to collect payment from a ransomware victim, identified in court papers only as Victim X but whose description matches Colonial. A magistrate judge in the Northern District of California approved an order on Monday authorizing the seizure of the funds from the wallet.
The FBI began investigating DarkSide last year and has identified more than 90 victims across many sectors of the economy, including manufacturing, law, insurance, health care and energy, Paul M. Abbate, the FBI’s deputy director, said at the news conference.
DarkSide first appeared in August and is believed to have started as an offshoot of another Russian hacking group, REvil, before opening its own operation last year.
Weeks after DarkSide hit Colonial, REvil used ransomware to extort JBS, one of the world’s largest meat processors. The attack forced the company to close nine beef plants in the United States, disrupted its poultry and pork plants, and had a significant effect on grocery stores and restaurants, some of which had to charge more or remove meat products from their menus.
In recent weeks, ransomware has also crippled the hospital serving the Villages in Florida, the largest retirement community in the United States; a television network; NBA and minor league baseball teams; and even the ferries to Nantucket and Martha’s Vineyard in Massachusetts.
The episodes have elevated digital vulnerabilities in the national consciousness. White House officials said last week that they were working to address the role of cryptocurrencies, which have enabled ransomware attacks for years.
Last week, Christopher A. Wray, the director of the FBI, likened the threat of ransomware attacks to the challenge of global terrorism in the days after the Sept. 11, 2001 attacks.
“There are a lot of parallels, a lot of importance, and a lot of focus on disruption and prevention,” he said. “There is a shared responsibility, not only among government agencies, but also with the private sector and even ordinary Americans.”
Wray added that the FBI was investigating 100 different ransomware variants, an indication of the scale of the problem.
Although U.S. officials have been careful not to tie the ransomware attacks directly to the Russian government, Mr. Biden, Mr. Wray and others have said the country harbors cybercriminals.
In some cases, Russia has treated them as assets of the state. In the 2014 Yahoo breach, for example, Russian intelligence officers worked side by side with cybercriminals, allowing them to profit from the stolen data while directing them to turn over targeted email accounts to the FSB, the successor to the Soviet-era KGB.
Putin has likened hackers to “artists who wake up in the morning in a good mood and start painting.” U.S. officials say that such arrangements give Putin and Russian intelligence agencies plausible deniability.
Not only is Mr. Biden expected to raise the matter with Mr. Putin, but the State Department is also in talks with about two dozen other countries to find ways to pressure Russia to tackle cybercrime.
“If the Russian government wants to show that it’s serious about this, there’s a lot of room for them to demonstrate some real progress that we haven’t seen yet,” Wray said last week.
Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, warned U.S. businesses last week that ransomware had taken a dark turn, noting the recent shift “from stealing data to disrupting operations.”
The attack hit Colonial’s billing systems. With those frozen, executives found they had no way to charge customers, and they shut down the pipeline as a precaution. A confidential government assessment determined that if the pipeline had stayed closed for even two more days, chemical refineries and mass transit systems that rely on Colonial for diesel fuel would have been forced to shut down.
The White House held emergency meetings to address the attack. The Biden administration announced that it would require pipeline companies to report significant cyberattacks and that the government would set up 24-hour emergency centers to deal with serious hacks.
Cybersecurity experts welcomed the Justice Department’s move.
“It’s clear that we need to use several tools to stem the tide of ransomware,” said John Hultquist, a vice president at the cybersecurity company FireEye. “A stronger focus on disruption could deter this behavior, which is growing in a vicious cycle.”
David E. Sanger contributed reporting.