WASHINGTON – The Justice Department said Monday that it had seized much of the ransom that a major US pipeline operator had paid last month to a Russian hacker collective, turning the tables on the hackers by gaining access to a digital wallet and recovering millions of dollars in cryptocurrency.
In recent weeks, researchers tracked 75 Bitcoins worth more than $4 million that Colonial Pipeline had paid to the hackers after the attack shut down its computer systems, leading to fuel shortages, a spike in gasoline prices and chaos at airlines.
Federal investigators tracked the ransom as it moved through a maze of at least 23 different electronic accounts belonging to DarkSide, the hacking group, before it landed in one that a federal judge allowed them to access, according to law enforcement officials and court documents.
The Justice Department said it seized 63.7 Bitcoins, valued at about $2.3 million. (The value of a Bitcoin has fallen over the past month.)
“The sophisticated use of technology to hold companies and even entire cities hostage for profit is decidedly a challenge of the 21st century, but the old adage ‘follow the money’ still applies,” said Lisa O. Monaco, the deputy attorney general, at a press conference at the Justice Department.
Law enforcement officials highlighted the seizure in an effort to warn cybercriminals that the United States planned to target their earnings, which are often collected in cryptocurrencies such as Bitcoin. It was also intended to encourage victims of ransomware attacks, which occur every eight minutes on average, to notify the authorities so that ransoms can be recovered.
For years, victims have chosen to quietly pay cybercriminals, calculating that the payment would be cheaper than rebuilding data and services. Although the FBI discourages ransom payments, they are legal and even tax deductible. But the payments, which together total billions of dollars, have financed and emboldened ransomware groups.
Justice Department officials said Colonial’s willingness to quickly loop in the FBI helped recover the portion of the ransom, and they credited the company for its role in a first-of-its-kind effort by the department’s new ransomware task force to seize a cybercrime group’s profits.
“We must continue to take cyber threats seriously and invest accordingly to strengthen our defenses,” Colonial CEO Joseph Blount said in a statement. Blount said that after his company contacted the FBI and the Justice Department to notify them of the attack, investigators helped Colonial understand the hackers and their tactics.
The Justice Department announcement also came ahead of President Biden’s scheduled meeting with Russia’s President Vladimir V. Putin next week in Geneva, where Biden is expected to address what U.S. officials see as the Kremlin’s willingness to shelter hackers. Russia does not normally arrest or extradite suspects in ransomware attacks.
The New York Times reported last month that the Colonial Pipeline ransom payment had moved out of DarkSide’s Bitcoin wallet, although it was unclear who had orchestrated the move.
On Monday, the government filled in some of the blanks. DarkSide operates by providing affiliates with ransomware. In return, DarkSide gets a share of their profits.
Officials said they had identified a virtual currency account, often referred to as a wallet, that DarkSide was using to collect payment from a ransomware victim, identified in court documents only as Victim X, but whose hacking details match Colonial’s. Officials said a magistrate judge in the Northern District of California had approved an order Monday to seize funds from the wallet.
The FBI began investigating DarkSide last year and identified more than 90 victims in multiple sectors of the economy, including manufacturing, law, insurance, healthcare and energy, said Paul M. Abbate, deputy director of the FBI, at the press conference.
DarkSide first appeared in August and is believed to have started as an affiliate of another Russian hacking group, called REvil, before opening its own operation last year.
Weeks after DarkSide attacked Colonial, REvil used ransomware to try to extort money from JBS, one of the world’s largest meat processors. The attack forced the company to shut down nine beef plants in the United States, disrupted poultry and pork plants, and had significant effects on grocery stores and restaurants, which had to charge more or eliminate meat products from their menus.
In recent weeks, ransomware has also paralyzed the hospital serving The Villages in Florida, the largest retirement community in the United States; TV channels; NBA and minor league baseball teams; and even ferries to Nantucket and Martha’s Vineyard in Massachusetts.
The episodes have raised digital vulnerabilities into the national consciousness. White House officials said last week that they were working to address issues with cryptocurrency, which has enabled ransomware attacks for years.
Last week, Christopher A. Wray, Director of the FBI, compared the threat of ransomware attacks to the challenge of global terrorism in the days after the September 11, 2001 attacks.
“There are a lot of parallels, there is a lot of importance and we focus a lot on disruption and prevention,” he said. “There is a shared responsibility, not just between government agencies, but also between the private sector and even the average American.”
Wray added that the FBI was investigating 100 variants of software used in ransomware attacks, demonstrating the scale of the problem.
Although US officials have been careful not to directly link ransomware attacks to Russia, Biden, Wray and others have said that the country protects cybercriminals.
In many cases, Russia treats them as national assets. In a Yahoo breach in 2014, for example, Russian intelligence officers worked closely with cybercriminals, allowing them to cash in on stolen data while directing them to pass email accounts to the FSB, the successor to the Soviet-era KGB.
Putin has likened hackers to “artists who wake up in the morning in a good mood and start painting.” The reality, US officials say, is that they give Putin and the Russian intelligence services a layer of plausible deniability.
Not only is Biden expected to address the issue with Putin, but the State Department is also in talks with two dozen other countries about ways to mutually pressure Russia to tackle cybercrime.
“If the Russian government wants to show that they are serious about this issue, there is plenty of room for them to show real progress that we are not seeing,” Wray said last week.
Anne Neuberger, deputy national security advisor for emerging and cyber technologies, warned US companies last week that ransomware had taken a dark turn, pointing to a recent shift “from stealing data to disrupting operations.”
The hackers targeted Colonial’s billing systems directly. With those frozen, executives found they had no way to bill customers and shut down operations preemptively. A confidential government assessment determined that if the pipeline had remained closed for even two more days, the attack could have brought mass transit and chemical refineries, which depend on Colonial to transport diesel, to their knees.
The White House held emergency meetings to address the attack. The Biden administration announced that it would require pipeline companies to report major cyberattacks and that the government would create 24-hour emergency centers to handle serious hacks.
Cybersecurity experts welcomed the Justice Department move.
“It has become clear that we need to use various tools to stem the tide” of ransomware, said John Hultquist, vice president of cybersecurity firm FireEye. “A greater focus on disruption can discourage this behavior, which is growing in a vicious cycle.”
David E. Sanger contributed reporting.