CNN has learned that federal agencies and private cybersecurity firms are investigating the attack on Colonial Pipeline but lawmakers made clear that the incident only adds to their broader concerns about hackers who are increasingly exploiting vulnerabilities in US infrastructure.
Here are some key takeaways from the hearing and CNN’s reporting on the government’s response to the Colonial Pipeline ransomware attack.
“Malicious cyber actors today are dedicating time and resources towards researching, stealing, and exploiting vulnerabilities, using more complex attacks to avoid detection and developing new techniques to target information and communication technology supply chains,” acting Cybersecurity and Infrastructure Security Agency Director Brandon Wales told the Senate Homeland Committee, whose hearing was focused on a spate of recent incidents impacting the US.
His comments come as US officials are not only grappling with fallout from the Colonial Pipeline ransomware attack but a series of other recent cyberincidents that have raised questions about the security of these essential systems.
Ransomware locks out the rightful user of a computer or computer network and holds it hostage until the victim pays a fee. Ransomware gangs have also threatened to leak sensitive information in order to get victims to meet their demands.
“That threat of ransomware is certainly by no means new,” Department of Homeland Security Secretary Alejandro Mayorkas said at a press briefing at the White House later Tuesday. “As a matter of fact, last week I spoke … about the gravity of the threat. More than $350 million in losses are attributable to ransomware attacks this year. ”
He said that was more than a 300% increase over the previous year.
“There’s no company too small to suffer a ransomware attack,” Mayorkas added. “We are seeing increasingly small- and medium-sized businesses suffer ransomware attacks.”
There are still questions about information sharing
Senior White House officials repeatedly said Monday their roles in addressing the latest ransomware incident were limited because Colonial Pipeline is a private company, even though it controls the gasoline supply to most of the eastern US.
Colonial has yet to share information with the federal government about the vulnerability that the ransomware group DarkSide took advantage of to infiltrate the fuel company, according to a top official with the CISA. This is because the investigation is ongoing; Colonial is working with the federal government and is expected to share information when it gets it.
“Our understanding is that that is part of the investigation that Colonial’s response vendor is still undertaking. That information has not yet been shared with the US government,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein told CNN in a phone interview.
However, Goldstein said various agencies across the government are engaged with Colonial and as part of an interagency effort to understand the intrusion and identify information that can be shared broadly.
“Now, we are deeply focused on sharing information with other organizations to protect themselves, both from this specific actor, the Darkside ransomware group. And since we know that ransomware actors often use similar techniques and procedures, making sure that all organizations understand the steps that they could take to protect themselves,” he added.
CISA is not providing technical assistance to Colonial Pipeline as of now, according to Goldstein.
In the Senate hearing, Wales confirmed that DHS is still awaiting additional technical information from the Colonial Pipeline ransomware attack.
“I think right now we are waiting for additional technical information on exactly what happened at Colonial so we can use that information to potentially protect other potential victims down the road,” Wales said.
Wales said it’s “not surprising” that they haven’t yet received information since it’s early in the investigation, adding that CISA has historically had a “good relationship” with both Colonial and the cybersecurity firms that are working on their behalf.
Colonial Pipeline also did not contact CISA in the wake of the cyberattack, according to Wales.
“They did not contact CISA directly,” he said. “We were brought in by the FBI after they were notified about the incident.”
Wales said the agency received information “fairly quickly in concert with the FBI,” when pressed by Senate Homeland Security Ranking Member Rob Portman on whether it would have been helpful if Colonial reached out “immediately.”
Yet, Wales acknowledged that he did not believe Colonial would have connected them without the FBI involvement.
Colonial has engaged a third-party incident response company that is leading the investigation on their behalf, he said. CNN previously reported that FireEye Mandiant was brought on to manage the incident response investigation.
Biden administration officials frustrated with Colonial Pipeline
At the same time, US officials are working to track down the specific actors responsible for the breach, according to two people familiar with the federal response, a key part of the broader effort to bring the individual hackers to justice.
The internal tensions underscore a stark challenge facing the administration as it continues to grapple with the fallout from the brazen attack on the country’s critical infrastructure despite having limited access to the private company’s systems and technical information about the vulnerabilities exploited by the hackers.
Colonial declined to comment on the matter.
Still, US officials want to go on the offensive, and believe identifying the individual hackers who targeted Colonial Pipeline is one way of deterring future ransomware attacks.
Private sector companies worked with government to disrupt attack
Private sector companies also worked with US agencies to take a key server offline as recently as Saturday, disrupting ongoing cyberattacks against Colonial Pipeline Co. and other ransomware victims, according to two sources familiar with the matter.
Federal agencies and private companies that control the US-based servers were able to cut off key infrastructure used by the hackers to store stolen data before that information could be relayed back to Russia, both sources said.
Goldstein said CISA has no information about other victims at this time, but he pointed out that the Darkside ransomware group is a well-known threat actor that has compromised numerous victims in recent months.
Darkside is known to be based in Eastern Europe and carries out “double extortion” ransomware attacks, which is where they will both encrypt a victim’s data and then also steal some of the data and threaten to release it to cause reputational damage if the victim doesn’t pay, he said.
Therefore, even if a victim has strong backups for their data that allows them to restore the data that was encrypted, the bad actor still has another way to extort the victim, he said.
“There has been some discussion that perhaps this actor tries to refrain from attacking hospitals, schools and the like. But certainly, they’re seen as a pernicious ransomware group that has caused significant harm to its victims, both in the US and elsewhere,” Goldstein said.
CNN’s Ellie Kaufman contributed to this report.