Because their investigation is still ongoing, Colonial has yet to share information with the federal government about the vulnerability the ransomware group DarkSide took advantage of to infiltrate the fuel company, according to a top official with the Cybersecurity and Infrastructure Security Agency. It was the FBI, not Colonial Pipeline, that initially told CISA about the attack, the agency’s acting director told lawmakers on Tuesday.
Secretary of Homeland Security Alejandro Mayorkas suggested at a White House briefing Tuesday that the administration is examining Colonial Pipeline’s vulnerabilities.
“In cybersecurity, one is only as strong as one’s weakest link. And therefore we are indeed focused on identifying those weak links,” he said.
Colonial Pipeline declined to comment on the suggestion that members of the administration are frustrated.
US officials are also working to track down the specific actors responsible for the breach, a key part of the broader effort to bring the individual hackers to justice, according to two people familiar with the federal response.
The internal tensions underscore the stark challenge facing the Biden administration as it continues to grapple with the fallout from the brazen ransomware attack on the country’s critical infrastructure. The administration’s probe is hampered by having limited access to the private company’s systems and technical information about the vulnerabilities exploited by the hackers.
“Our understanding is that that is part of the investigation that Colonial’s response vendor is still undertaking. That information has not yet been shared with the US government,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein told CNN in a phone interview.
Colonial Pipeline also did not contact CISA in the wake of the cyberattack, according to a senior cyber official at the agency, Brandon Wales.
“They did not contact CISA directly,” he told lawmakers during a hearing on Capitol Hill Tuesday. “We were brought in by the FBI after they were notified about the incident.”
Still, US officials want to go on the offensive, and believe identifying the individual hackers who targeted Colonial Pipeline is one way of deterring future ransomware attacks.
“This was a gross miscalculation on the hackers’ part,” said one of the people, who noted that the hackers likely had not anticipated that their attack would lead to the shutdown of the US’ largest refined products pipeline system, spurring emergency White House meetings and a whole-of-government response.
The hackers operated under the banner of a relatively new ransomware group known as DarkSide, according to the FBI. Because DarkSide effectively operates under a “hacker services for hire” structure, US officials want to identify the specific actors who carried out the attack in the group’s name, the people familiar with the matter said.
DarkSide on Monday appeared to recognize that it had gone too far, and indicated that its “partners” had decided to target Colonial Pipeline without the hacking group’s knowledge.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” DarkSide said in a statement that was verified by independent cyber intelligence firm Binary Defense. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
But DarkSide’s statement does not necessarily speak for the individual hackers who carried out the attack using its services, and sources told CNN that US officials remain focused on tracking those individuals down.
US officials are looking for any possible holes in the hackers’ operational or personal security and continue to monitor for any leads that might emerge out of the way they move their money, one of the sources familiar with the effort said.