Senior cybersecurity officials testified before a key Senate committee on Tuesday after one of the country’s largest pipeline operators was hit by an ongoing major ransomware attack that forced the company to shut down operations.

CNN has learned that federal agencies and private cybersecurity firms are investigating the attack on Colonial Pipeline, but lawmakers have made it clear that the incident only adds to their broader concerns about hackers who are increasingly exploiting vulnerabilities in American infrastructure.

Here are some key takeaways from the hearing and from CNN’s reporting on the government’s response to the Colonial Pipeline ransomware attack.

Cyber attacks are becoming “more sophisticated, frequent and aggressive”

A senior cybersecurity official in the Biden administration warned the Senate hearing that cyber attacks on the country’s infrastructure “are increasingly sophisticated, frequent and aggressive.”

“Malicious cyber actors are now spending time and resources finding, stealing and exploiting vulnerabilities, using more complex attacks to avoid detection and developing new techniques to target information and communications technology supply chains,” said Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, before the Senate Homeland Security Committee, whose hearing focused on a series of recent incidents affecting the United States.

His comments come as U.S. officials grapple with not only the fallout from the Colonial Pipeline ransomware attack, but also a series of other recent cyber incidents that have raised questions about the security of these critical systems.

Ransomware locks legitimate users out of a computer or computer network and holds it hostage until the victim pays a fee. Ransomware gangs have also threatened to release sensitive information in order to pressure victims into meeting their demands.

“This ransomware threat is certainly not new,” Department of Homeland Security Secretary Alejandro Mayorkas said during a White House press briefing later Tuesday. “In fact, last week I spoke … about the seriousness of the threat. Over $350 million in losses have been attributed to ransomware attacks this year.”

He said that was a more than 300% increase from the previous year.

“No business is too small to suffer a ransomware attack,” Mayorkas added. “We are seeing more and more small and medium businesses come under ransomware attacks.”

There are still questions about sharing information

Senior White House officials repeatedly said on Monday that their role in resolving the latest ransomware incident was limited because Colonial Pipeline is privately held, even though it controls the gasoline supply for most of the eastern United States.

Colonial has yet to share information with the federal government about the vulnerability that the ransomware group DarkSide took advantage of to infiltrate the fuel company, according to a senior CISA official. This is because the investigation is ongoing; Colonial is working with the federal government and is expected to share the information once it has it.

“We understand this is part of the investigation that Colonial’s response provider is still conducting. This information has not yet been shared with the US government,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, told CNN in a telephone interview.

However, Goldstein said various agencies across the government are engaged with Colonial as part of an interagency effort to understand the intrusion and identify information that can be shared broadly.

“Now we are deeply focused on sharing information with other organizations in order to protect ourselves, both from this specific actor, the Darkside ransomware group. And since we know ransomware players often use similar techniques and procedures, making sure all organizations understand the steps that they could take to protect themselves,” he added.

CISA is not providing technical support to Colonial Pipeline at this time, according to Goldstein.

During the Senate hearing, Wales confirmed that DHS is still awaiting further technical information on the Colonial Pipeline ransomware attack.

“I believe that at this time we are awaiting additional technical information on exactly what happened at Colonial so that we can use that information to potentially protect other potential victims down the road,” Wales said.

Wales said it was “not surprising” that they have not yet received any information since the investigation began, adding that CISA has historically had a “good relationship” with Colonial and cybersecurity companies that work on their behalf.

Colonial Pipeline also did not contact CISA following the cyberattack, according to Wales.

“They did not contact CISA directly,” he said. “We were brought in by the FBI after being briefed on the incident.”

Wales said the agency received information “quite quickly in concert with the FBI” when pressed by Rob Portman, the ranking member of the Senate Homeland Security Committee, on whether it would have been useful if Colonial had contacted CISA “immediately”.

Still, Wales acknowledged that he did not think Colonial would have contacted CISA without the involvement of the FBI.

Colonial has hired a third-party incident response company to conduct the investigation on its behalf, he said. CNN previously reported that FireEye Mandiant was tasked with handling the incident response investigation.

Biden administration officials frustrated with Colonial Pipeline

Officials in the Biden administration have privately expressed frustration at what they see as weak Colonial Pipeline security protocols and a lack of preparation that could have allowed hackers to carry out the ransomware attack, officials with knowledge of the government’s initial investigation into the incident told CNN.

At the same time, U.S. officials are working to track down the specific actors responsible for the breach, according to two people familiar with the federal response, a key part of the larger effort to bring the hackers to justice.

Internal tensions underscore the daunting challenge facing the administration as it continues to deal with the fallout from the brazen attack on the country’s critical infrastructure, despite having limited access to the private company’s systems and to technical information about the vulnerabilities the hackers exploited.

Colonial declined to comment on the matter.

Still, US officials want to go on the offensive and believe that identifying the hackers who have targeted Colonial Pipeline is a way to deter future ransomware attacks.

Private sector companies worked with the government to stop the attack

Private sector companies have also worked with U.S. agencies to take a key server offline as recently as Saturday, disrupting ongoing cyber attacks against Colonial Pipeline Co. and other ransomware victims, according to two sources familiar with the matter.

The decision to intervene, which allowed Colonial to recover some of its stolen data, was taken in response to Darkside’s attack on the pipeline company, a source told CNN, confirming action first reported by Bloomberg.

Federal agencies and private companies that control the U.S.-based servers were able to cut off the key infrastructure used by hackers to store the stolen data before that information could be relayed back to Russia, the two sources said.

Goldstein said CISA has no information on other victims at this time, but pointed out that the Darkside ransomware group is a well-known threat actor that has compromised many victims in recent months.

Darkside is known to be based in Eastern Europe and carries out ‘double extortion’ ransomware attacks, in which the group both encrypts a victim’s data and steals some of it, then threatens to disclose the stolen data to cause reputational harm if the victim does not pay, he said.

Therefore, even if a victim has strong backups that allow it to restore the data that was encrypted, the attacker still has another way to extort the victim, he said.

“There have been discussions that this actor may be trying to refrain from attacking hospitals, schools and the like. But they are certainly seen as a pernicious ransomware group that has caused significant harm to its victims, in the United States and elsewhere,” Goldstein said.

