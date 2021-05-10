The hackers who caused Colonial Pipeline Co to shut down the biggest US gasoline pipeline on Friday began their blitz against the company a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment, people familiar with the matter said.
The intruders, who are part of a cybercrime gang called DarkSide, took nearly 100 gigabytes of data out of the Alpharetta, Georgia-based company’s network in just two hours on Thursday last week, two people involved in Colonial’s investigation said.
The move was part of a double-extortion scheme that is one of the group’s hallmarks.
Colonial was told that the stolen data would be published on the Internet, and that the files the hackers had encrypted on computers inside its network would stay locked, unless it paid a ransom, said the people, who asked not to be identified.
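The exfiltrate-then-encrypt pattern described above leaves one measurable trace before any ransom note appears: a single internal host pushing an unusually large volume of data to external addresses in a short window. As an added illustration (example code written for this page, not anything from Colonial, DarkSide or the investigators), the following Python sums outbound bytes per internal host over a sliding two-hour window and flags hosts that cross a threshold. The flow records, the 20 GB threshold and the RFC 1918 definition of "internal" are constructed assumptions; a real deployment would feed NetFlow or proxy logs and tune the threshold to the site's baseline.

```python
"""Added example: flag bulk outbound transfers from internal hosts.

The flow records and the threshold below are constructed for illustration;
they are not figures taken from the incident described in the article.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed definition of "internal": the RFC 1918 ranges. A real site would
# substitute its own address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

WINDOW = timedelta(hours=2)          # look-back span for the running total
THRESHOLD_BYTES = 20 * 10**9         # 20 GB; an assumed tuning value

# Constructed flow records: (ISO timestamp, src_ip, dst_ip, bytes sent)
SAMPLE_FLOWS = [
    ("2021-05-06T09:00:00", "10.20.1.15", "203.0.113.7", 35_000_000_000),
    ("2021-05-06T09:40:00", "10.20.1.15", "203.0.113.7", 40_000_000_000),
    ("2021-05-06T10:30:00", "10.20.1.15", "198.51.100.9", 22_000_000_000),
    ("2021-05-06T09:10:00", "10.20.1.40", "10.20.5.2", 80_000_000_000),  # internal backup job
    ("2021-05-06T09:15:00", "10.20.1.22", "203.0.113.7", 500_000_000),
    ("2021-05-06T14:00:00", "10.20.1.22", "203.0.113.7", 600_000_000),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def bulk_egress_alerts(flows, window=WINDOW, threshold=THRESHOLD_BYTES):
    """Return {src_ip: peak_bytes} for internal hosts whose bytes sent to
    external destinations reach `threshold` within any `window`-long span.

    Internal-to-internal traffic (e.g. backups) is ignored, since the point
    is data leaving the network.
    """
    per_host = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            per_host[src].append((datetime.fromisoformat(ts), nbytes))

    alerts = {}
    for src, events in per_host.items():
        events.sort()                       # sliding window needs time order
        recent = deque()                    # flows inside the current window
        total = 0
        for ts, nbytes in events:
            recent.append((ts, nbytes))
            total += nbytes
            # Drop flows that fell out of the look-back window.
            while ts - recent[0][0] > window:
                _, old = recent.popleft()
                total -= old
            if total >= threshold:
                alerts[src] = max(alerts.get(src, 0), total)
    return alerts


if __name__ == "__main__":
    for host, peak in bulk_egress_alerts(SAMPLE_FLOWS).items():
        print(f"ALERT {host}: {peak / 1e9:.1f} GB to external addresses within {WINDOW}")
```

On the constructed data only 10.20.1.15 trips the rule (97 GB within 90 minutes); the backup host is ignored because its destination is internal, and the 1.1 GB host never exceeds 20 GB inside any two-hour window. The same check also catches a slower pattern if the window is widened, which is the usual tuning knob when an attacker drips data out over days instead of hours.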
The company did not immediately respond to requests for comment.
Earlier, Colonial said that it “proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”
Colonial’s decision late on Friday to shut down a pipeline that is the main source of gasoline, diesel and jet fuel for the US’ East Coast, without saying when it would reopen, represents a dangerous new escalation in the fight against ransomware, which US President Joe Biden’s administration has identified as a priority.
It is not clear how much money the attackers demanded or whether Colonial has paid.
Ransomware demands can range from several hundred dollars to millions of dollars in cryptocurrency. Many companies pay, often facilitated by their insurers.
AXA SA, one of Europe’s largest insurers, said last week that it would break with that trend and stop writing policies in France that reimburse customers for ransom payments to hackers, in what could be the first such move in the industry, the Associated Press reported.
Last year, the US Department of Homeland Security said that a ransomware attack shut down an unnamed natural gas compressor facility for two days.
In April 2018, several natural gas pipeline operators had service interruptions because of the hack of a third-party provider whose technology enables electronic communications between the entities.
The theft of Colonial’s data, coupled with the detonation of ransomware on the company’s computers, highlights the leverage that hackers often have over their victims in such cases.
The firm said that FireEye Inc’s Mandiant digital forensics division is assisting with the investigation.
The White House said that Biden was briefed on the incident on Saturday.
