Biden administration officials have privately voiced frustration with what they see as Colonial Pipeline’s weak security protocols and a lack of preparation that could have allowed hackers to pull off a crippling ransomware attack, officials familiar with the government’s initial investigation into the incident told CNN.
Because their investigation is still ongoing, Colonial has yet to share information with the federal government about the vulnerability the ransomware group DarkSide took advantage of to infiltrate the fuel company, according to a top official with the Cybersecurity and Infrastructure Security Agency. The FBI initially told CISA about the attack, not Colonial Pipeline, the agency’s acting director told lawmakers on Tuesday.
Secretary of Homeland Security Alejandro Mayorkas suggested at a White House briefing Tuesday that the administration is examining Colonial Pipeline’s vulnerabilities.
“In cybersecurity, one is only as strong as one’s weakest link. And therefore we are indeed focused on identifying those weak links,” he said.
Colonial Pipeline declined to comment on the suggestion members of the administration are frustrated.
US officials are also working to track down the specific actors responsible for the breach, according to two people familiar with the federal response, a key part of the broader effort to bring the individual hackers to justice.
The internal tensions underscore the stark challenge facing the Biden administration as it continues to grapple with the fallout from the brazen ransomware attack on the country’s critical infrastructure. The administration’s probe is hampered by having limited access to the private company’s systems and technical information about the vulnerabilities exploited by the hackers.
“Our understanding is that that is part of the investigation that Colonial’s response vendor is still undertaking. That information has not yet been shared with the US government,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein told CNN in a phone interview.
Colonial Pipeline also did not contact CISA in the wake of the cyberattack, according to a senior cyber official at the agency, Brandon Wales. The company notified the FBI of the attack on Friday morning and is continuing to work with the agency regularly, a spokesperson for the company said.
“They did not contact CISA directly,” Wales told lawmakers during a hearing on Capitol Hill Tuesday. “We were brought in by the FBI after they were notified about the incident.”
Wales said CISA “received information fairly quickly in concert with the FBI” and that it was “not surprising” to be waiting for technical information, since it’s still early in the investigation.
“We have had historically good relationship with both Colonial, as well as the cybersecurity firms that are working on their behalf,” he added.
When pressed on whether it was a “problem” that CISA was not notified directly, Wales said: “I think that there’s a benefit when CISA is brought in quickly because the information that we glean, we work to share it in a broader fashion to protect other critical infrastructure.”
Colonial has also been conducting regular calls with the lead federal response agency – the Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response – as well as other federal agencies, including the Federal Energy Regulatory Commission and the Department of Transportation Pipeline and Hazardous Materials Safety Administration. It has been in daily communication with the White House, the company said.
Additionally, Colonial conducted a briefing for 14 states across the pipeline footprint on Monday, which was organized by the Department of Energy.
US plans aggressive response
In a joint federal government alert issued Tuesday night, CISA and the FBI confirmed that DarkSide was used as a “ransomware-as-a-service,” in which developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.”
The “affiliate” in this case was likely Russian, according to sources familiar with the investigation. The affiliate could be a single individual, one of the sources said.
A senior law enforcement official familiar with the incident said the FBI was able to attribute the cyberattack to DarkSide “very quickly” after becoming involved in the investigation. US officials want to go on the offensive, and believe identifying the individual hackers who targeted the pipeline is one way of deterring future ransomware attacks.
“This was a gross miscalculation on the hackers’ part,” said one of the people, who noted that the hackers likely had not anticipated that their attack would lead to the shutdown of the US’ largest refined products pipeline system, spurring emergency White House meetings and a whole-of-government response.
The hackers operated under the banner of a relatively new ransomware group known as DarkSide, according to the FBI. Because DarkSide effectively operates under a “hacker services for hire” structure, US officials want to identify the specific actors who carried out the attack in the group’s name, the people familiar with the matter said.
DarkSide on Monday appeared to recognize that they had gone too far, and indicated that its “partners” had decided to target Colonial Pipeline without the hacking group’s knowledge.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” DarkSide said in a statement that was verified by independent cyber intelligence firm Binary Defense. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
But DarkSide’s statement does not necessarily speak for the individual hackers who carried out the attack using its services, and sources told CNN that US officials remain focused on tracking those individuals down.
US officials are looking for any possible holes in the hackers’ operational or personal security and continue to monitor for any leads that might emerge out of the way they move their money, one of the sources familiar with the effort said.
CNN’s Josh Campbell contributed to this report.