US Government responds to the Colonial Pipeline ransomware attack. Aveddon ransomware warning.

Summary

By the CyberWire staff

At a glance.

US Government responds to the Colonial Pipeline ransomware attack.
Australia, US, warn of Aveddon ransomware.

Update: US Federal response to the Colonial Pipeline ransomware attack.

Bloomberg reports US President Biden’s comments that Russia bears “some responsibility” for addressing the Colonial Pipeline attack, and he’ll be “pursuing a global effort” against ransomware. The Treasury Department is working to develop international standards for cryptocurrency, and if necessary in the short-term, President Biden could pause Jones Act limitations on which ships can transfer goods domestically.

On Monday the FBI officially attributed the attack to DarkSide, according to FCW, which Deputy National Security Advisor for Cyber Anne Neuberger described in a press briefing as a “criminal actor” and “ransomware as a service” provider not currently known to have nation-state ties. The group has been under Federal investigation since last October, and styles itself as principled and “apolitical,” CNBC notes, although it avoids Russian-speaking targets, per Radio Free Europe.

The Cybersecurity and Infrastructure Security Agency is prepping an advisory for critical infrastructure operators, and the FBI has already distributed “indicators of compromise and mitigation measures,” FCW says. The Department of Energy also shared information and advice with oil, gas, and electric utilities.

Last Friday, the Departments of Energy, Defense, Treasury, Transportation, and Homeland Security held an emergency meeting. While Colonial hasn’t requested “cyber support” from the Government at this point, Neuberger said, Federal partners are “standing by” and launching a “whole-of-government” response, according to MeriTalk. This response involves a four point plan to communicate with Colonial, investigate the attack, share information, and combat ransomware.

Congress isn’t sitting this one out, either. Representative Katko (Republican, New York 24th) warned that “substantial Congressional oversight” is on the way. Senator Sasse (Republican of Nebraska) suggested that any infrastructure bill should focus on “hardening of these critical sectors, rather than progressive wish lists masquerading as infrastructure,” and Senator Warner (Democrat of Virginia) observed that “our nation’s cybersecurity hasn’t kept pace with our ever-increasing reliance on digital systems.” Representative Langevin (Democrat, Rhode Island 2nd) is “monitoring [the situation] closely.”

US FBI and Australian Cyber Security Centre flag Avaddon ransomware.

BleepingComputer summarizes the FBI and Australian Cyber Security Centre’s alerts about Avaddon ransomware. Active targets include Government, law enforcement, energy, healthcare, education, transportation, manufacturing, IT, and finance organizations in the US, Australia, UK, Germany, France, Spain, India, UAE, Brazil, China, and other countries. The perpetrators threaten DDoS attacks in the event of non-payment, but haven’t been seen to follow through. First observed in early 2019, Avaddon now runs a ransomware-as-a-service operation that avoids Commonwealth of Independent States (that is, former Soviet Republics that remain in the Russian sphere of influence) targets.

Selected Reading

Press Briefing by Press Secretary Jen Psaki, Homeland Security Advisor and Deputy National Security Advisor Dr. Elizabeth Sherwood-Randall, and Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger, May 10, 2021 | The White House (The White House) James S. Brady Press Briefing Room 12:38 P.M. EDT MS. PSAKI: Hi everyone. Happy Monday. Today, we are joined by Homeland Security

Russia-linked Cyberattack on US Fuel Pipeline is 'Criminal Act,' Biden Says   (Voice of America) A Russia-linked cyberattack targeting the largest U.S. fuel pipeline system is a “criminal act, obviously,” President Joe Biden said Monday. “The agencies across the government have acted quickly to mitigate any impact on our fuel supply,” the president said at the White House at the start of remarks about his economic agenda. Biden, responding to a reporter’s question after he concluded his prepared statement about whether there is any evidence of involvement of Russia’s government, replied: “I’m going to be meeting with President (Vladimir) Putin.

The Cybersecurity 202: An attack on a critical pipeline highlights the need for stronger ransomware policies (Washington Post) Government officials say they have been working around-the-clock to help mitigate the ramifications of a cyber attack on a major U.S. pipeline, which has sparked concerns about a potential fuel shortage.

North Carolina declares state of emergency over Colonial Pipeline outage (Fox Business) North Carolina Governor Roy Cooper on Monday declared a state of emergency over the temporary outage of the Colonial Pipeline caused by a cybersecurity attack.

Biden: No evidence Russian government is involved in Colonial ransomware attack (The Record by Recorded Future) At a press conference today, President Joe Biden said the US intelligence community has no evidence that the Russian government had any kind of involvement in the ransomware attack that crippled one of the US' largest fuel supply pipelines last week.

White House, CISA react to pipeline ransomware attack -- FCW (FCW) Senior administration officials say multiple government agencies are working to distribute information to industry about the ransomware attack that led to the shutdown of a key natural gas pipeline for the East Coast.

White House, Feds Spring to Action Following Colonial Pipeline Ransomware Attack (Meritalk) Numerous Federal agencies are springing into action in response to the ransomware attack on Colonial Pipeline Company, a major supplier of fuel to the northeastern U.S. that temporarily shut down pipeline operations after disclosing the attack on May 7.

Colonial Hack Sets Stage For Pipeline Cybersecurity Push (Law360) A major ransomware attack that has shuttered the largest refined petroleum products pipeline system in the country has the industry on alert over potential liability from future hacks and bracing for new requirements from federal regulators and lawmakers.

Pipeline attack will be 'turning point' for countries including NZ, expert believes (Stuff) Cyber-security expert believes ransomware attack on US will prompt global action.

Wave of Avaddon ransomware attacks triggers ACSC, FBI warning (The Record by Recorded Future) Cyber-security agencies from Australia and the United States are warning about a wave of attacks carried out with the Avaddon ransomware strain.

NSA, ODNI and CISA Release 5G Analysis Paper (National Security Agency Central Security Service) The National Security Agency (NSA), in partnership with the Office of the Director of National Intelligence (ODNI), and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure

Virtual terror: Ransomware attack in the US foregrounds the need to better protect key infrastructure (Times of India Blog) An unauthorised software code has crippled a key channel of oil supply in the east coast of the US. Colonial Pipeline, an energy company, was forced to shut down a 5,500-mile pipeline after the discovery...

Biden Looks for Defense Hotline With China (Foreign Policy) The United States says it’s ready to call China in a crisis. Will Beijing pick up?

Feds Say a Lack of Reporting Poses Barrier to Cyber Defense (GovTech) Federal ransomware-fighting efforts are held back when corporate victims don’t report or accept their help. A U.S. Chamber of Commerce-convened panel examined the concerns that keep SMBs from reaching out.

Though the worst is over, CISA wants agencies on guard after SolarWinds breach (Federal News Network) The Cybersecurity and Infrastructure Security Agency wants to make sure agencies don’t let down their guard on Russian cyber threats.

Biden’s Supply Chain Intentions Depend on Cybersecurity (Supply Chain) President Biden’s supply chain executive order is heavily dependent on the lessons learned by cyber security leaders in recent years but will he take note?

The New EU Approach to the Regulation of Artificial Intelligence (JD Supra) The European Commission (the "Commission") recently published its highly-anticipated communication and proposal for a "Regulation laying down...

Senior cyber official leaves Biden's NSC (POLITICO) Michael Sulmeyer, a senior White House cybersecurity official, has left his position, two people familiar with the matter told POLITICO.

DHS is gathering intelligence on security threats from social media (NBC News) The goal is to detect the sort of posts that seemed to predict the Jan. 6 Capitol attack but were missed by law enforcement.