Federal authorities dealt a blow to a criminal hacking group that forced the shutdown of the Colonial Pipeline, recovering the “majority” of the $4.4 million in cryptocurrency ransom paid to restore the energy system, Justice Department officials said Monday.
Deputy Attorney General Lisa Monaco said the FBI was able to “turn the tables” on the group known as the “DarkSide,” believed to be based in Russia.
At a Justice Department briefing, FBI Deputy Director Paul Abbate said investigators were able to trace the payment to a “virtual currency wallet,” then seized $2.3 million in cryptocurrency.
Although it is unlikely the hackers would ever face charges in the U.S., Monaco and Abbate said the action represented a significant strike against such groups, “depriving” them of the illicit benefit they seek.
“Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises,” Monaco said. “We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”
The action also comes as President Joe Biden prepares for his first meeting with Russia President Vladimir Putin, where cybersecurity and Russia’s cyber aggression is expected to be a major subject of discussion.
In the Colonial case, investigators were able to track multiple transfers of bitcoin by reviewing a public ledger, according to court documents. The transfers represented payments made by Colonial that had been transferred to an “address” whose password or “private key” was known to the FBI, which then recovered the money.
It is not the first time the FBI has had made such a recovery, Monaco said, but it comes as cyberwarfare has escalated, drawing comparisons to the terror war after 9/11.
“No organization is immune,” Monaco said. “So today I want to emphasize to leaders ofg corporations and communities alike: The threat of severe ransomware attacks poses a clear and present danger to your organization, to your company, your customers, your shareholders and your long-term success.”
Colonial CEO Joseph Blount said Monday that he was “grateful” for the FBI’s work.
“Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature,” Blount said. “The private sector also has an equally important role to play and we must continue to take cyber threats seriously and invest accordingly to harden our defenses.”
The chairman of the House Intelligence Committee, Rep. Adam Schiff, D-Calif., said it was critical for the Biden administration to use a “strong approach” in cyber attacks, given the harsh consequences.
“The operation to seize more than $2 million in Bitcoin from the cybercriminals who conducted the Colonial Pipeline ransomware attack is a significant success, sending a message to these criminal actors that we can and will impose consequences on them – despite their efforts to remain untraceable and anonymous,” Schiff said.
Tatyana Bolton, the former Cyber Policy Lead at the Cybersecurity and Infrastructure Security Agency (CISA), an arm of the Department of Homeland Security, said the action is “exactly what the government is supposed to be doing.”
“We need to put a lot more resources behind not only identifying and attributing cyberattacks but also going after the criminals that perpetrate the hacks,” Bolton said. “Because only with significant consequences are we going to stop future attacks.”
Bolton noted that Monaco praised the work of law enforcement and intelligence officials in her remarks and said such cooperation will be increasingly important as the U.S. government mobilizes against an onslaught of ransomware cases.
“It makes sense for the FBI to track the money, and then they can use whatever tools they have at their disposal to take back whatever funds were stolen,” said Bolton, who was also the senior policy director for the U.S. Cyberspace Solarium Commission, which focused on reorganizing the United States to better repel cyberattacks. “The FBI has been doing good work on this, but I think they need to invest even more resources into their cyberteams so they can do more of it. There’s just so many ransomware attacks that are happening all at once.”
Luke Dembosky, who oversaw top international ransomware cases in the Obama administration, said he was encouraged by the “level of urgency” displayed by the new administration.
“The damage has certainly reached national security proportions,” said Dembosky, who served as a deputy assistant attorney general in the National Security Division.
Dembosky was involved in leading the DOJ’s response to many of the largest cyberattacks in recent years, including against Target, Sony Pictures and Home Depot – and to the GameOver Zeus botnet that caused hundreds of millions of dollars in losses to the U.S. financial sector.
“Something has to change to break the current dynamic with ransomware,” said Dembosky, who is now in private practice at Debevoise & Plimpton. “The risks to criminals have been low and the rewards often high. It really starts with victims coming forward to law enforcement early and sharing what details they can.”
Last week, Monaco issued an extraordinary plea to the nation’s CEOs to bolster their digital systems against an expected onslaught of devastating ransomware attacks, saying the malicious hacks that shut down the Colonial Pipeline and meat supply networks were just the beginning.
“The message needs to be to the viewers here, to the CEOs around the country, that you’ve got to be on notice of the exponential increase of these attacks,” Monaco told CNBC.
Monaco stressed that the high-profile hacks of Colonial Pipeline and meat processing company JBS were only a tiny sampling of the attacks against America’s crucial infrastructure every day.
“If you are not taking steps – today, right now – to understand how you can make your company more resilient, what is your plan?” Monaco said last week.
Monaco, who spent the past two months ramping up departmental cybersecurity efforts, issued guidance last week requiring all prosecutors to alert a new national ransomware task force whenever a significant case or development arises.
The Ransomware and Digital Extortion Task Force will be run out of “Main Justice,” the department’s headquarters in Washington. Officials said the new policy and the task force are part of an urgent effort to improve coordination of the many federal ransomware investigations and prosecutions by using similar protocols put in place for terrorism cases after 9/11.
Contributing: Bart Jansen