The task force has been working through the weekend to address the breach, including exploring options for lessening its impact on the energy supply, according to a White House official.
The victim, Colonial Pipeline, halted all operations on its systems when it was hit with ransomware late Friday and is working to restore operations as investigators assess the damage.
Meanwhile, new details emerged about the probable culprit behind the attack, a relatively new ransomware group known as DarkSide. While the inquiry remains in its early stages, some evidence has emerged linking DarkSide to Russia or elsewhere in Eastern Europe.
The attackers are known by cybersecurity experts as a “Russian-speaking group that popped up last summer,” according to Dmitri Alperovitch, the chairman of Silverado Policy Accelerator and former chief technology officer of the cybersecurity firm Crowdstrike Holdings Inc.
“Like many Russian cyber crime operations they specifically exclude Russian companies from being targeted by their malware,” he added in a statement.
Rob Lee, chief executive officer of the industrial security firm Dragos Inc., said his teams have responded to a few incidents involving DarkSide ransomware in recent months, including a U.S. power company that he declined to name. In those cases — which involve companies smaller than Colonial Pipeline — DarkSide ransoms were typically in the single-digit millions of dollars, Lee said.
Dragos investigators didn’t pinpoint the group’s location. But Lee said that IP and email addresses found in the investigations were based in Russia. In addition, he said, DarkSide doesn’t typically work on systems operating in Russian and other Eastern European languages.
The hackers stole almost 100 gigabytes of data from Colonial Pipeline’s networks in just two hours on Thursday, before locking its computers with ransomware and demanding payment, according to two people familiar with the investigation.
DarkSide has been identified as the suspected hacking group by two people familiar with the investigation and by Allen Liska, a senior threat analyst at the cybersecurity firm Recorded Future. The group first surfaced in August 2020, according to a blog post by the cybersecurity firm Cybereason.
On Sunday, Colonial Pipeline said it was still developing a plan for restarting the pipeline, which is critical for supplies along the East Coast.
The Transportation Security Administration, which is responsible for working to enhance pipeline security, said in a statement it has been in contact with Colonial Pipeline.
Senator Angus King, independent from Maine, and Representative Mike Gallagher, Republican from Wisconsin, who are co-chairs of the CyberSpace Solarium Commission, said in a statement the Colonial Pipeline attack underscores the need for more robust cybersecurity measures.
“We are disappointed, though unsurprised, to learn of the cyber-attack that shut down 5,500 miles of pipeline,” they said. “This interruption of the distribution of refined gasoline and jet fuel underscores the vulnerability of our national critical infrastructure in cyberspace and the need for effective cybersecurity defenses.”