The Colonial Pipeline, responsible for the country’s largest fuel pipeline, shut down all its operations Friday after hackers broke into some of its networks.
“While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach,” the company said in a press release.
In a press briefing Monday, Homeland Security Advisor Elizabeth Sherwood-Randall said that Colonial initially shut down its networks as a precautionary measure, and that while the hackers broke into networks devoted to the company’s business operations, they did not reach the computers that control the physical infrastructure that transports gasoline and other fuel.
The FBI confirmed Monday that the culprit is a strain of ransomware called DarkSide, believed to be operated by a Russian cybercrime gang referred to by the same name.
The FBI said that "the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks."
In a statement posted to its website, DarkSide echoed a sentiment common across ransomware gangs — that they’re an apolitical group, only interested in making money — but seemed to acknowledge that by hampering the fuel industry, they may have crossed a line with the United States that no ransomware gang has crossed before.
Many Russian cybergangs work as independent operations, though they are sometimes recruited to work for Russian intelligence — and they generally avoid attacking targets in Russia.
Brett Callow, an analyst at the cybersecurity company Emsisoft who tracks ransomware, said there were signs in DarkSide's malicious software that it was meant to hit targets outside Russia and eastern Europe.