Colonial Pipeline ransomware attack

Date
  • May 6, 2021 (data stolen) [1]
  • May 7, 2021 (malware attack)
  • May 12, 2021 (pipeline restarted)
Location United States
Type Cyberattack, data breach, ransomware
Target Colonial Pipeline
Suspects DarkSide [2] [3]

On May 7, 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States, suffered a ransomware cyberattack that afflicted computerized equipment managing the pipeline. [4] [5] [6] The Colonial Pipeline Company halted all pipeline operations to contain the attack. [7] [8] [9] [10] Overseen by the FBI, the company paid the amount that was asked by the hacker group (75 bitcoin or $4.4 million USD) within several hours; [11] [12] upon receipt of the ransom, an IT tool was provided to the Colonial Pipeline Company by DarkSide to restore the system. However, the tool required a very long processing time to restore the system to a working state. [12]

The Federal Motor Carrier Safety Administration issued a regional emergency declaration for 17 states and Washington, D.C., to keep fuel supply lines open on May 9. [13] It was the largest cyberattack on an oil infrastructure target in the history of the United States. [2] The FBI and various media sources identified the criminal hacking group DarkSide as the responsible party. [14] The same group is believed to have stolen 100 gigabytes of data from company servers the day before the malware attack. [1]

On June 7, the Department of Justice announced that it had recovered 63.7 of the bitcoins (about 84% of the original payment) from the ransom payment, [15] but due to a crash in the value of Bitcoin in late May, [16] the recovered bitcoins were worth only around $2.3 million USD, [15] roughly half of their original value.

This was one of the first high-profile corporate cyberattacks that started from a breached employee personal password, likely found on the dark web, rather than from a direct attack on the company's systems. [17]

Background

The pipeline network managed by The Colonial Pipeline Company carries gasoline, diesel and jet fuel from Texas to as far away as New York. About 45% of all fuel consumed on the East Coast arrives via the pipeline system. [18] The attack came amid growing concerns over the vulnerability of infrastructure (including critical infrastructure) to cyberattacks after several high-profile attacks, including the 2020 SolarWinds hack that hit multiple federal government agencies, including the Defense, Treasury, State, and Homeland Security departments. [6] [19]

Attack

The attackers gained access to the system by means of a compromised password for a disused VPN account. [20] [21] The account did not have multi-factor authentication enabled. [20]
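The entry point described above (an enabled but disused VPN account with no multi-factor authentication) can be surfaced by routine auditing. The following Python example is added here for illustration and is not part of the original article or of any tooling used in the incident; the CSV column names, the account names, the dates and the 90-day dormancy threshold are all assumptions. It audits an account inventory and flags any successful login that revives a dormant account.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data for illustration only (not from the incident).
# Column names and account names are assumptions of this example.
INVENTORY_CSV = """username,enabled,mfa_enrolled,last_login
alice,true,true,2024-04-28
svc-legacy,true,false,2023-09-14
bob,true,false,2024-04-30
carol,false,false,2022-11-02
"""

AUTH_EVENTS_CSV = """timestamp,username,result
2024-05-03T08:12:00,alice,success
2024-05-03T09:40:00,bob,success
2024-05-04T02:17:00,svc-legacy,success
2024-05-04T02:19:00,carol,failure
"""

DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold


def _to_bool(value):
    return value.strip().lower() == "true"


def load_inventory(text):
    """Parse the inventory CSV into a dict keyed by username."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        accounts[row["username"]] = {
            "enabled": _to_bool(row["enabled"]),
            "mfa": _to_bool(row["mfa_enrolled"]),
            "last_login": datetime.fromisoformat(last) if last else None,
        }
    return accounts


def audit_accounts(accounts, today):
    """Return {username: [reasons]} for enabled accounts that need cleanup."""
    findings = {}
    for name, acct in accounts.items():
        if not acct["enabled"]:
            continue  # disabled accounts cannot authenticate
        reasons = []
        last = acct["last_login"]
        if last is None or today - last > DORMANT_AFTER:
            reasons.append("dormant")
        if not acct["mfa"]:
            reasons.append("no_mfa")
        if reasons:
            findings[name] = reasons
    return findings


def detect_dormant_logins(accounts, events_text):
    """Flag successful logins that revive a dormant or unknown account.

    Returns (username, ISO timestamp, severity) tuples. Severity is "high"
    when the account has no MFA or is missing from the inventory, because
    a password alone was then enough to get in.
    """
    last_seen = {name: acct["last_login"] for name, acct in accounts.items()}
    rows = sorted(csv.DictReader(io.StringIO(events_text)),
                  key=lambda r: r["timestamp"])
    alerts = []
    for row in rows:
        if row["result"] != "success":
            continue
        user = row["username"]
        when = datetime.fromisoformat(row["timestamp"])
        acct = accounts.get(user)
        if acct is None:
            alerts.append((user, when.isoformat(), "high"))
            continue
        previous = last_seen[user]
        if previous is None or when - previous > DORMANT_AFTER:
            severity = "medium" if acct["mfa"] else "high"
            alerts.append((user, when.isoformat(), severity))
        last_seen[user] = when  # later logins are measured from this one
    return alerts


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    print(audit_accounts(inventory, datetime(2024, 5, 1)))
    print(detect_dormant_logins(inventory, AUTH_EVENTS_CSV))
```

The audit output is the list of accounts to disable or enroll in MFA; the login alerts are what a detection rule would raise if such an account were used before cleanup.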

Consequences

Figure: Panic buying caused widespread gasoline shortages (out-of-service gas pumps at a Wawa in Oak Hill, Fairfax County, Virginia, May 15, 2021).
Figure: Some filling stations were without fuel for several days (out-of-service gas pump at a Sunoco station in Oak Hill, Fairfax County, Virginia, May 14, 2021).

The primary target of the attack was the billing infrastructure of the company. The actual oil pumping systems were still able to work. According to CNN sources in the company, the inability to bill the customers was the reason for halting the pipeline operation. [22] Colonial Pipeline reported that it shut down the pipeline as a precaution due to a concern that the hackers might have obtained information allowing them to carry out further attacks on vulnerable parts of the pipeline. The day after the attack, Colonial could not yet confirm when the pipeline would resume normal functions. [7] The attackers also stole nearly 100 gigabytes of data and threatened to release it on the internet if the ransom was not paid. [1] It was reported that within hours after the attack the company paid a ransom of nearly 75 Bitcoins ($4.4 million USD) to the hackers in exchange for a decryption tool, which proved so slow that the company's business continuity planning tools were more effective in bringing back operational capacity. [23] [24]

On May 9, Colonial stated they planned to substantially repair and restore the pipeline's operations by the end of the week. [25]

In response to fuel shortages at Charlotte Douglas International Airport caused by the pipeline shutdown, American Airlines changed flight schedules temporarily. [26] At least two flights (to Honolulu and London) had fuel stops or plane changes added to their schedules for a four-day period. The shortage also required Hartsfield–Jackson Atlanta International Airport to use other fuel suppliers, and there are at least five other airports directly serviced by the pipeline. [27]

Fuel shortages began to occur at filling stations amid panic buying as the pipeline shutdown entered its fourth day. [28] [29] Alabama, Florida, Georgia, North Carolina, and South Carolina all reported shortages. [28] Areas from northern South Carolina to southern Virginia were hardest hit, with 71% of filling stations running out of fuel in Charlotte on May 11 [30] and 87% of stations out in Washington, D.C., on May 14. [31] Average fuel prices rose to their highest since 2014, reaching more than $3 a gallon. [32]

Experts have stated that the attacks were preventable, but the essential protective measures were not established. While the shortage of gasoline that the East Coast faced and DarkSide attaining the ransom were harmful consequences, they were not the most significant implications of the incident. The deeper concerns lay in the vulnerabilities involving cybersecurity and their ramifications for various facets of the critical infrastructure of the United States. [33]

Responses

U.S. President Joe Biden declared a state of emergency on May 9, 2021. During regular times there were limits on the amount of petroleum products that could be transported by road, rail, etc., domestically within the U.S. mainland. However, with the declaration in place, these were temporarily suspended. [34]

On May 10, Georgia Governor Brian Kemp declared a state of emergency, [35] and temporarily waived collection of the state's taxes on motor fuels (diesel and gasoline). [36] In response to panic buying in the Southeast, U.S. Transportation Secretary Pete Buttigieg and U.S. Energy Secretary Jennifer Granholm on May 12 both cautioned against gasoline hoarding, reiterating that the United States was undergoing a "supply crunch" rather than a gas shortage. [37] [38]

On May 12, the U.S. Consumer Product Safety Commission advised people to "not fill plastic bags with gasoline" or to use any containers not meant for fuel. [38]

Biden signed Executive Order 14028 [39] on May 12 to increase software security standards for sales to the government, tighten detection and security on existing systems, improve information sharing and training, establish a Cyber Safety Review Board, and improve incident response. The United States Department of Justice also convened a cybersecurity task force to increase prosecutions. [40]

The Department of State issued a statement offering a $10,000,000 reward for information leading to the arrest of DarkSide members. [41]

Perpetrators

DarkSide released a statement on May 9 that did not directly mention the attack, but claimed that "our goal is to make money, and not creating problems for society." [42] [34]

Pipeline restart

The restart of pipeline operations began at 5 p.m. on May 12, [43] [44] ending a six-day shutdown, although Colonial Pipeline Company warned that it could take several more days for service to return to normal. The pipeline company stated that several markets that are served by the pipeline may experience, or continue to experience, intermittent service interruptions during the restart. The company also stated that they would move as much gasoline, diesel and jet fuel as safely possible until markets return to normal. [45] [46] All Colonial Pipeline systems and operations had returned to normal by May 15. [43] After the shutdown, the average national price of gasoline rose to the highest it had been in over six years, to an average of about US$3.04 a gallon on May 18. The price increase was more pronounced in the southern states, with prices rising between 9 and 16 cents in the Carolinas, Tennessee, Virginia, and Georgia. Around 10,600 gas stations were still without gas as of May 18. [47] [48] [49]

In a May 19, 2021, interview with The Wall Street Journal, Colonial Pipeline CEO Joseph Blount explained why he ultimately decided to pay a $4.4 million ransom to hackers who breached the company's systems: "It was the right thing to do for the country." He also said, "I know that's a highly controversial decision." [50]

Investigations

Biden said on May 10 that though there was no evidence that the Russian government was responsible for the attack, there was evidence that the DarkSide group is in Russia, and that thus, Russian authorities "have some responsibility to deal with this". [51] [34] Independent cybersecurity researchers have also stated the hacking group is Russian as their malware avoids encrypting files in a system where the language is set to Russian. [34] [52]

In the aftermath of the attack, it was revealed at a Senate Armed Services cyber subcommittee hearing that the Department of Homeland Security was not alerted to the ransomware attack and that the Justice Department was not alerted to the ransom type or amount, prompting discussion about the numerous information silos in the government and difficulties of sharing. [53]

Blockchain analytics firm Elliptic published a bitcoin wallet report showing $90 million in bitcoin ransom payments were made to DarkSide or DarkSide affiliates over the last year, originating from 47 distinct wallets. According to a DarkTracer release of 2226 victim organizations since May 2019, 99 organizations have been infected with the DarkSide malware – suggesting that approximately 47% of victims paid a ransom and that the average payment was $1.9 million. The DarkSide developer had received bitcoins worth $15.5 million (17%), with the remaining $74.7 million (83%) going to the various affiliates. [54] [55]

Partial ransom recovery

Figure: Warrant authorizing the seizure of 63.7 BTC by the FBI (DarkSide Bitcoin seizure warrant, June 7, 2021, N.D. Cal.).

The U.S. Department of Justice issued a press release on June 7, 2021, stating that it had seized 63.7 Bitcoins from the original ransom payment. [15] The value of the recovered Bitcoins was only $2.3 million, because the trading price of Bitcoin had fallen since the date of the ransom payment. Through possession of the private key of the ransom account, the FBI was able to retrieve the Bitcoin, though it did not disclose how it obtained the private key. [56] [57]


References

  1. Robertson, Jordan; Turton, William (May 8, 2021). "Colonial Hackers Stole Data Thursday Ahead of Shutdown". Bloomberg News. Archived from the original on May 9, 2021. Retrieved May 9, 2021.
  2. Gonzalez, Gloria; Lefebvre, Ben; Geller, Eric (May 8, 2021). "'Jugular' of the U.S. fuel pipeline system shuts down after cyberattack". Politico. Archived from the original on May 9, 2021. Retrieved May 9, 2021. The infiltration of a major fuel pipeline is "the most significant, successful attack on energy infrastructure we know of."
  3. Helmore, Edward (May 10, 2021). "FBI confirms DarkSide hacking group behind US pipeline shutdown". The Guardian. Archived from the original on May 12, 2021. Retrieved May 10, 2021.
  4. Bing, Christopher; Kelly, Stephanie (May 8, 2021). "Cyber attack shuts down top U.S. fuel pipeline network". Reuters. Archived from the original on May 8, 2021. Retrieved May 8, 2021.
  5. Segers, Grace (May 8, 2021). "Cyberattack prompts major pipeline operator to halt operations". CBS News. Archived from the original on May 8, 2021. Retrieved May 8, 2021.
  6. Peñaloza, Marisa (May 8, 2021). "Cybersecurity Attack Shuts Down A Top U.S. Gasoline Pipeline". NPR. Archived from the original on May 8, 2021. Retrieved May 8, 2021.
  7. Sanger, David; Krauss, Clifford; Perlroth, Nicole (May 8, 2021). "Cyberattack Forces a Shutdown of a Top U.S. Pipeline". New York Times. Archived from the original on May 8, 2021. Retrieved May 8, 2021.
  8. Eaton, Collin; Volz, Dustin (May 8, 2021). "U.S. Pipeline Cyberattack Forces Closure". Wall Street Journal. Archived from the original on May 8, 2021. Retrieved May 8, 2021.
  9. Stracqualursi, Veronica; Saenz, Arlette; Sands, Geneva (May 8, 2021). "Cyberattack forces major US fuel pipeline to shut down". CNN. Archived from the original on May 8, 2021. Retrieved May 8, 2021.
  10. Romero, Dennis (May 8, 2021). "Colonial Pipeline blames ransomware for pipeline shutdown". NBC News. Archived from the original on May 8, 2021. Retrieved May 8, 2021.
  11. Marquardt, Alex; Perez, Evan; Cohen, Zachary (June 7, 2021). "First on CNN: US recovers millions in cryptocurrency paid to Colonial Pipeline ransomware hackers | CNN Politics". CNN. Retrieved July 16, 2023.
  12. Turton, William; Riley, Michael; Jacobs, Jennifer (May 12, 2021). "Colonial Pipeline Paid Hackers nearly $5 Million in Ransom". Bloomberg.
  13. Falconer, Rebecca (May 10, 2021). "Emergency declaration issued in 17 states and D.C. over fuel pipeline cyberattack". Axios. Retrieved May 10, 2021.
  14. Javers, Eamon (May 10, 2021). "Here's the hacking group responsible for the Colonial Pipeline shutdown". CNBC. Archived from the original on May 10, 2021. Retrieved May 11, 2021.
  15. Mallin, Alexander; Barr, Luke (June 8, 2021). "DOJ seizes millions in ransom paid by Colonial Pipeline". ABC News. Retrieved July 16, 2023.
  16. Morrow, Allison (May 22, 2021). "A crypto crash wiped out $1 trillion this week. Here's what happened | CNN Business". CNN. Retrieved November 29, 2023.
  17. Turton, William; Mehrotra, Kartikay (June 4, 2021). "Hackers Breached Colonial Pipeline Using Compromised Password". Bloomberg.com. Retrieved August 25, 2022.
  18. Walsh, Joe. "Ransomware Attack Shuts Down Massive East Coast Gasoline Pipeline". Forbes. Retrieved February 6, 2022.
  19. Walton, Robert (May 11, 2021). "Colonial Pipeline hack highlights grid disruption risks even with IT-focused cyberattack, analysts say". UtilityDive.
  20. Beerman, Jack; Berent, David; Falter, Zach; Bhunia, Suman (May 1–4, 2023). A Review of Colonial Pipeline Ransomware Attack. 2023 IEEE/ACM 23rd International Symposium on Cluster, Cloud and Internet Computing Workshops (CCGridW). Bangalore, India: IEEE. doi:10.1109/CCGridW59191.2023.00017. Retrieved November 27, 2024.
  21. Fung, Brian; Sands, Geneva (June 5, 2021). "Ransomware attackers used compromised password to access Colonial Pipeline network | CNN Politics". CNN. Retrieved November 27, 2024.
  22. Bertrand, Natasha; Perez, Evan; Cohen, Zachary; Sands, Geneva; Campbell, Josh. "Colonial Pipeline did pay ransom to hackers, sources now say". CNN. Retrieved May 23, 2021.
  23. Perlroth, Nicole (May 13, 2021). "Colonial Pipeline paid 75 Bitcoin, or roughly $5 million, to hackers". The New York Times. Archived from the original on January 15, 2022. Retrieved May 13, 2021.
  24. Turton, William; Riley, Michael; Jacobs, Jennifer (May 13, 2021). "Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom". Bloomberg News. Retrieved June 8, 2021. Once [Colonial] received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company's efforts said.
  25. Bomey, Nathan; Shesgreen, Deirdre (May 10, 2021). "Colonial Pipeline looking to 'substantially restore operations by end of week". USA TODAY. Archived from the original on May 10, 2021. Retrieved May 10, 2021.
  26. Rucinski, Tracy (May 11, 2021). Schmollinger, Christian (ed.). "American Airlines adds fuel stops to two flights after pipeline outage". Reuters. Archived from the original on June 17, 2021. Retrieved May 11, 2021.
  27. Josephs, Leslie (May 11, 2021). "Pipeline outage forces American Airlines to add stops to some long-haul flights". CNBC. Archived from the original on May 12, 2021. Retrieved May 11, 2021.
  28. Carroll, Joe; Luz, Andres Guerra; Shah, Jill R. (May 9, 2021). "Gas Stations Run Dry as Pipeline Races to Recover From Hacking". Bloomberg News. Archived from the original on May 10, 2021. Retrieved May 11, 2021.
  29. Bair, Jeffrey; Blas, Javier (May 11, 2021). "Petrol shortages sweep US as Colonial Pipeline remains down". Al Jazeera. Archived from the original on May 11, 2021. Retrieved May 11, 2021.
  30. Lee, Ron (May 11, 2021). "GasBuddy reports 71% of gas stations without fuel in Charlotte metro amid Colonial Pipeline shutdown". WBTV. Charlotte, NC. Archived from the original on May 12, 2021. Retrieved May 12, 2021.
  31. Shah, Jill R.; Bair, Jeffrey (May 13, 2021). "Gasoline Pinch to Grind on for Weeks With Truck Shortage". Bloomberg.com. Retrieved July 16, 2023.
  32. Englund, Will; Nakashima, Ellen (May 12, 2021). "Panic buying strikes Southeastern United States as shuttered pipeline resumes operations". Washington Post. Archived from the original on May 14, 2021. Retrieved May 13, 2021.
  33. Beerman, Jack; Berent, David; Falter, Zach; Bhunia, Suman (May 2023). "A Review of Colonial Pipeline Ransomware Attack". 2023 IEEE/ACM 23rd International Symposium on Cluster, Cloud and Internet Computing Workshops (CCGridW). IEEE. pp. 8–15. doi:10.1109/CCGridW59191.2023.00017. ISBN 979-8-3503-0208-0.
  34. Russon, Mary-Ann (May 10, 2021). "US fuel pipeline hackers 'didn't mean to create problems'". BBC News. Archived from the original on May 10, 2021. Retrieved May 10, 2021.
  35. Mahtani, Melissa; Macaya, Melissa; Hayes, Mike; Rocha, Veronica (May 11, 2021). "Latest on the US gas demand spikes". CNN. Archived from the original on May 12, 2021. Retrieved May 12, 2021.
  36. "Kemp extends Georgia gas tax waiver due to pipeline outage". Associated Press. May 14, 2021.
  37. Wagner, Meg; Macay, Melissa; Hayes, Mike; Mahtani, Melissa; Rocha, Veronica. "Gas shortages at some US stations: Live updates". CNN. Archived from the original on May 12, 2021. Retrieved May 12, 2021.
  38. Brito, Christopher (May 12, 2021). "Officials warn people not to fill plastic bags with gasoline amid panic over gas shortage". CBS News. Archived from the original on May 12, 2021. Retrieved May 13, 2021.
  39. Executive Order on Improving the Nation’s Cybersecurity (full text)
  40. Kelly, Mary Louise; Donevan, Connor; O'Connor, Gabe (May 13, 2021). "Biden Adviser On Cyber Threats And The New Executive Order To Combat Them". NPR. Retrieved July 16, 2023.
  41. "Reward Offers for Information to Bring DarkSide Ransomware Variant Co-Conspirators to Justice". United States Department of State. Retrieved December 31, 2021.
  42. "DarkSide hackers behind Colonial Pipeline attack say they wanted cash, not chaos". Australian Broadcasting Corporation. May 10, 2021. Archived from the original on May 12, 2021. Retrieved May 10, 2021.
  43. Lyons, Kim (May 15, 2021). "Colonial Pipeline says operations back to normal following ransomware attack". The Verge.
  44. "Media Statement Updated May 8, 2021: Colonial Pipeline System Disruption". Colonial Pipeline Company. Retrieved April 2, 2024.
  45. Egan, Matt; Duffy, Clare (May 12, 2021). "Colonial Pipeline launches restart after six-day shutdown". CNN Business. Archived from the original on May 12, 2021. Retrieved May 12, 2021.
  46. Krauss, Clifford; Sanger, David E. (May 12, 2021). "Colonial Pipeline Begins to Restart Flow of Fuel". The New York Times. Archived from the original on May 13, 2021. Retrieved May 12, 2021.
  47. Eaton, Collin (May 18, 2021). "Colonial Pipeline Still Moving Fuel Despite Disruptions to Orders System". Wall Street Journal. ISSN 0099-9660. Retrieved May 19, 2021.
  48. Thorbecke, Catherine (May 17, 2021). "Gas hits highest price in 6 years, fuel outages persist despite Colonial Pipeline restart". ABC News. Retrieved May 19, 2021.
  49. Tobben, Sheela; Shah, Jill R. (May 18, 2021). "Colonial Pipeline's Computer Network Temporarily Goes Dark". Bloomberg. Archived from the original on May 18, 2021. Retrieved May 19, 2021.
  50. Eaton, Collin; Volz, Dustin (May 19, 2021). "Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom". The Wall Street Journal. Retrieved May 20, 2021.
  51. "Biden Says Russia Has 'Some Responsibility' In Pipeline Ransomware Attack". Radio Free Europe. May 10, 2021. Archived from the original on May 12, 2021. Retrieved May 11, 2021.
  52. Rivero, Nicolás (May 10, 2021). "Hacking collective DarkSide are state-sanctioned pirates". Quartz. Archived from the original on May 12, 2021. Retrieved May 12, 2021.
  53. Grady, John (May 18, 2021). "Lawmakers Grill Pentagon Officials on How to Prevent Another Colonial Pipeline-Style Attack". USNI News.
  54. Robinson, Tom (May 18, 2021). "DarkSide Ransomware has Netted Over $90 million in Bitcoin". Elliptic.co.
  55. Manfredi, Lucas (May 18, 2021). "Colonial Pipeline hacker Darkside reaped $90M from 47 victims". FOX Business.
  56. @dnvolz (June 7, 2021). "The FBI seized $2.3 million, roughly 64 bitcoin, from a bitcoin wallet said to contain proceeds from the ransom pay…" (Tweet) via Twitter.
  57. Bing, Christopher; Menn, Joseph; Lynch, Sarah N. (June 7, 2021). "U.S. seizes $2.3 mln in bitcoin paid to Colonial Pipeline hackers". Reuters. Archived from the original on July 3, 2021. Retrieved June 7, 2021.