WASHINGTON — U.S. law enforcement officials said Monday they were able to recover $2.3 million in bitcoin paid to a criminal cybergroup involved in the crippling ransomware attack on Colonial Pipeline.
“Today we turned the tables on DarkSide,” Deputy Attorney General Lisa Monaco said during a press briefing, adding that the money was seized via a court order.
At the briefing, FBI Deputy Director Paul Abbate said agents were able to identify a virtual currency wallet that the DarkSide hackers used to collect payment from Colonial Pipeline.
“Using law enforcement authority, victim funds were seized from that wallet, preventing Dark Side actors from using them,” Abbate said.
The FBI declined to say precisely how it accessed the bitcoin wallet, citing the need to protect tradecraft.
Elvis Chan, FBI assistant special agent in charge, told reporters that even foreign-based cybercriminals like DarkSide typically use American infrastructure at some point in the course of a crime. When they do, it gives the FBI a legal window to recover the funds.
DarkSide, believed to be a Russian-based criminal organization, operates as a “ransomware as a service” business model, which means its hackers develop and market ransomware hacking tools and sell them to other criminal “affiliates” who then carry out attacks.
It is still unclear who DarkSide’s affiliates were in the Colonial Pipeline attack.
DarkSide’s sweeping ransomware assault on Colonial Pipeline last month forced the company to shut down approximately 5,500 miles of American fuel pipeline, leading to a disruption of nearly half of the East Coast fuel supply and causing gasoline shortages in the Southeast and airline disruptions.
Ransomware attacks involve malware that encrypts files on a device or network that results in the system becoming inoperable. Criminals behind such cyberattacks typically demand a ransom in exchange for the release of data.
Colonial Pipeline paid nearly $5 million ransom to the hackers, one source familiar with the situation confirmed to CNBC. It was not immediately clear when the transaction took place.
The FBI has previously warned victims of ransomware attacks that paying a ransom could encourage further malicious activity.
The government has stopped short of moving to ban ransomware payments altogether, out of concern that it would have little impact on whether or not companies pay ransoms and simply discourage them from reporting attacks.
Monday’s announcement was part of a broader effort to counter the private sector’s longstanding reluctance to publicly report cyberattacks and involve the government in its responses.
“The message here today is that [if you report the attack], we will bring all of our tools to bear to go after these criminal networks,” Monaco said.
Officials stressed the advantages to be gained by companies that report cyberbreaches quickly to the FBI.
“Victim reporting not only can give us the information we need to have an immediate real-world impact on the actors. … It can also prevent future harm from occurring,” Abbate said.
“The private sector also has an equally important role to play and we must continue to take cyberthreats seriously and invest accordingly to harden our defenses,” Colonial Pipeline CEO Joseph Blount said in a statement Monday evening.
“As our investigation into this event continues, Colonial will continue its transparency in sharing intelligence and learnings with the FBI and other federal agencies,” he said.
Blount is set to testify Tuesday before the Senate Homeland Security Committee.
After the attack by DarkSide, President Joe Biden told reporters that the U.S. did not have intelligence linking the group’s ransomware attack to the Russian government.
“So far there is no evidence from our intelligence people that Russia is involved, although there is evidence that the actor’s ransomware is in Russia, they have some responsibility to deal with this,” Biden said on May 10. He added that he would discuss the situation with Russian President Vladimir Putin.
The two leaders are slated to meet in Geneva on June 16.
The Kremlin has denied that it launched cyberattacks against the United States.
“The president’s message will be that responsible states do not harbor ransomware criminals, and responsible countries must take decisive action against these ransomware networks,” White House press secretary Jen Psaki told reporters in advance of the summit.
The Biden administration is also putting pressure on the private sector to shore up its defenses against ransomware.
“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” wrote Anne Neuberger, deputy national security advisor for cyber and emerging technology, in a June 2 memo.
“To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations,” she added.
At the same time, the White House is grappling with how to modernize cybersecurity protocols and banking laws to respond to cryptocurrency and its growing role in financial crimes, from ransomware to corruption.
The prevalence of cryptocurrency in crimes like ransomware attacks has also drawn the attention of lawmakers on Capitol Hill.
“We have a lot of cash requirements in our country, but we haven’t figured out, in the country or in the world, how to trace cryptocurrency,” Sen. Roy Blunt, R-Mo., said Sunday on the NBC program “Meet the Press.”
“You can’t trace the ransomware — the ransom payment of choice now. And we’ve got to do a better job here,” he added.