FBI blames DarkSide ransomware operators for Colonial Pipeline incident

Colonial Pipeline said that it was aiming to “substantially” restore its pipeline operations by the end of the week.
FBI computer cyber, DOJ

The FBI on Monday said that a cybercriminal enterprise behind a ransomware variant known as DarkSide was responsible for the hack that prompted one of the country’s largest pipeline operators to temporarily shut down.

The FBI statement came as Colonial Pipeline, which says it transports some 45% of all fuel consumed on the East Coast, said that it was aiming to “substantially” restore its pipeline operations by the end of the week.

In a private advisory to U.S. companies obtained by CyberScoop, the FBI said that it had been tracking the DarkSide ransomware variant since October.

“Darkside has impacted numerous organizations across various sectors including manufacturing, legal, insurance, healthcare and energy,” the FBI advisory said. The authors of DarkSide lease their hacking tools to other criminals in a “ransomware-as-as-service” model that splits the proceeds among the perpetrators, the bureau added.


The Colonial Pipeline incident, which began Friday, is one of the more high-profile disruptions caused by ransomware criminals in the U.S. The Georgia-based company normally delivers more than 100 million gallons of gas, diesel and other products daily to customers from Texas to New York, according to its website. But the Transportation Department on Sunday issued an emergency directive to alleviate any pressure on fuel supply caused by the incident. The directive allows drivers in 17 states and the District of Columbia to work longer hours to transport fuel.

“We’re prepared to take additional steps depending on how quickly the company is able to bring its pipeline back to full operational capacity,” President Joe Biden said at press conference on Monday, adding that he has been briefed every day since the ransomware incident began on Friday.

At a separate press briefing Monday, Elizabeth Sherwood-Randall, Biden’s homeland security adviser, said that Colonial Pipeline had proactively shut its operations down to prevent the ransomware from spreading from the company’s IT networks to the “operational technology” networks that actually control the pipeline.

Marty Edwards, the former head of the Department of Homeland Security’s industrial control system security unit, told CyberScoop that Colonial Pipeline has had a laborious task in getting their networks back online.

“When organizations such as this are faced with a widespread outage due to a ransomware event, it is imperative that they carefully and methodically bring these systems back online in a safe and reliable fashion,” said Edwards, who is now vice president of operational technology at security firm Tenable.


The Colonial Pipeline incident is only the latest ransomware attack to confront U.S. officials, and follows a series of ransomware infections of hospital computer networks during the coronavirus pandemic. The Biden administration has begun multiple initiatives to try to get a grip on the ransomware problem, including a Justice Department task force that will study the incentives that victims have to pay the ransom.

The FBI has on multiple occasions taken infrastructure used by ransomware attackers offline, including an operation earlier this year against the Emotet botnet. “We expect that that will be a continued focus area,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said Monday of the FBI takedowns.

U.S. law enforcement officials will continue to monitor the DarkSide operatives’ activity, which has been a thorn in the side of multiple businesses in recent months. The “ransomware-as-a-service” model used by DarkSide is increasingly popular with cybercriminals looking to maximize profit and cater to an array of customers.

After setting up an extortion site, the DarkSide operators have been keen on extracting payouts from victims by stealing and encrypting data, according to Allan Liska, an intelligence analyst at the threat intelligence company Recorded Future

Their activity includes offering distributed denial of service services to criminal customers and “threatening to sell sensitive data of publicly traded victims to others who want to short the stock,” Liska said.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts