US law enforcement has seized $2.3m worth of bitcoin cryptocurrency paid to the ransomware extortionists who targeted the Colonial Pipeline in a high-profile hack last month.

Officials at the Department of Justice said “multiple transfers” of bitcoin were traced from the ransom payment to a specific digital account known to the FBI, which had then been able to access the approximately 63.7 bitcoin using a “private key”, or password.

The 5,500-mile Colonial Pipeline was taken fully offline for five days when attackers – who have been linked by the FBI to a hacker group known as DarkSide – locked the company out of its computer network, demanding a bounty in return for restoring access.

Soon after the security breach on 7 May, company executives paid the $4.4m ransom, stirring up fresh debate about whether organisations should give in to the demands of hackers. In an interview with the Wall Street Journal, Colonial’s CEO Joseph Blount said he believed paying the ransom was “the right thing to do for the country”.

Yet even after the decryption tools were provided and the IT network started to be restored, it took several days to bring the pipeline back to its full capacity of transporting around 2.5 billion barrels daily.

Bitcoin recovery highlights strong federal response to Colonial Pipeline hack

Nearly half of the fuel products consumed along the US East Coast are supplied by the Colonial Pipeline, and its shutdown caused huge disruption including fuel shortages in several states and a spike in prices at the pump as many customers began panic buying.

A major federal response was launched, and the unusual recovery of a ransomware bounty highlights the vigour with which law enforcement officials conducted their investigations.

“Following the money remains one of the most basic, yet powerful tools we have,” said US deputy attorney general Lisa Monaco.

“Ransomware attacks are always unacceptable, but when they target critical infrastructure we will spare no effort in our response. The United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.”

She added DarkSide, known to government agencies as a ransomware-as-a-service collective operating out of Russia, and its affiliates have been “digitally stalking US companies for the better part of last year”.

“Today, we turned the tables on DarkSide,” Monaco added.

Georgia-based Colonial Pipeline said it will continue to share information with federal agencies, with the aim of helping other critical infrastructure operators strengthen their own cyber defences.

“Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature,” said Blount. “The private sector also has an equally important role to play and we must continue to take cyber threats seriously and invest accordingly to harden our defenses.”

Widespread digitalisation across energy systems has significantly enlarged the “attack surface” exposed to hackers in recent years. While the Colonial incident is a rare example of attackers targeting such an integral piece of critical infrastructure, it underscores the vulnerability of these networks to ransomware extortion.

In the wake of last month’s security breach, the US Department of Homeland Security issued new rules for pipeline operators aimed at bolstering their cyber defences – including an immediate review of existing cybersecurity practices and a report of any existing vulnerabilities to federal authorities within 30 days.