After a brief disruption caused by an IT problem, Colonial Pipeline tweeted that it had quickly resumed full service, and that the brief interruption was not the result of a cyberattack. "Our internal server that runs our nomination system experienced intermittent disruptions this morning due to some of the hardening efforts that are ongoing and part of our restoration process. These issues were not related to the ransomware or any type of reinfection," the company said.
Colonial's CEO Joseph Blount confirmed to the Wall Street Journal that he did authorize payment of $4.1 million in ransom to the company's extortionists. The urgency of restoring service, combined with the company's uncertainty about how extensively its systems had been compromised, drove the decision. He acknowledged that deciding to pay the ransom was difficult, and that he knew the decision would be controversial, but he judged the situation analogous to the challenge of restoring service after a natural disaster, like a Gulf hurricane.
Attribution of cyberattacks to specific criminal groups is the last refuge of metaphysics in security, if only because identity conditions for gangs are notoriously slippery and protean. How do you recognize the same gang when it shows up again? Defense One points this out in the case of DarkSide, the group generally regarded as the one behind the Colonial Pipeline attack. The authors, both from RAND, note that, among other things, it would be unwise to accept "DarkSide's" self-presentation as "apolitical." Cyberspace is no stranger to fronts, false flags, cut-outs, and other forms of misdirection.
KrebsOnSecurity notes some evidence of, at the very least, a desire on the part of DarkSide to avoid getting on the wrong side of the Russian organs: "DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS) — former Soviet satellites that mostly have favorable relations with the Kremlin." More to the point than friendly relations with Moscow, which a number of the former Soviet republics decidedly do not enjoy (consider the case of Ukraine, geographically and culturally hugger-mugger with Russia, but whose relations with its larger neighbor are unfriendly to the point of lethal skirmishing), is the kind of linguistic slop that could facilitate collateral damage to Russian organizations. Better to avoid anyone using Cyrillic characters. And such damage is something a gang operating at the sufferance of the Kremlin, even if not working under state direction, would in all cases want to avoid.
Cybereason, whose work KrebsOnSecurity cites, and which has published an account of DarkSide's methods, finds DarkSide's claim to follow a high-minded, Robin Hood-esque code of ethics implausible. The gang's communiqués suggest that they didn't mean to impose any hardship on individuals, the regular Janes and Joes in line at the gas station:
"If they are to be believed, all they saw was another slow-moving, wealthy target. They were pirates, they tell us, not privateers, and certainly not a nation-state navy. And they are honest pirates who follow a code, and thus deserve some sympathy for this huge, but honest mistake.
"Hornigold, and Every before him, DarkSide wouldn’t be the first criminal organization to appeal to the sympathies of their victims by claiming that they follow a strict code of ethics. It remains to be seen if it will work, or if it’s true. Semi-state sanctioned crime may not repeat itself through the ages, but it often rhymes."