DarkSide, a group of veteran cybercriminals, is believed to be behind the ransomware attack on Colonial Pipeline, the worst cyberattack on critical US infrastructure to date.
Colonial Pipeline operates a more than 5,500-mile (8,850 km) pipeline network stretching from Texas to New Jersey.
The hackers behind the ransomware attack on a vital US pipeline operator are suspected to be a professional cybercriminal group called DarkSide, the FBI confirmed on Monday.
The cyberattack forced Georgia-based Colonial Pipeline to shut a critical fuel network that serves populous states on the East Coast.
It supplies nearly 45% of the fuel consumed in those states, the company said.
Colonial said it was hit by a ransomware attack, wherein hackers typically lock up computer systems by encrypting data and then demand a large ransom to decrypt it.
DarkSide has been identified as one of the ransomware gangs that have "professionalized" a criminal industry that has cost Western nations tens of billions of dollars in such cyberattacks in the past three years.
The group claims that it does not steal from medical, educational, or government institutions, targeting only large corporations and donating a part of the ransom to charity.
Darkside, according to cybersecurity experts, is composed of veteran cybercriminals focused on squeezing out as much money as they can from their targets.
The group first surfaced in August last year and have unleashed a digital crimewave since.
As the group is known to avoid targeting organizations in former Soviet republics, some have suggested the group might have ties to Russia, but experts are skeptical.
"There is the assumption that this is an Eastern European based criminal gang. [...] But we don't know if there are any links with the Russian government," Matthias Schulze, a cybersecurity expert at the German Institute for International and Security Affairs, told DW.
Haya Shulman, a cybersecurity expert at the Fraunhofer Institute for Secure Information Technology in Germany said it was too soon to tell whether DarkSide has links to the Kremlin — but the group doesn't follow the typical state-sponsored hacking model.
"All other attacks that we saw against SolarWinds and so on ― they were not about disrupting functionality. They were about getting information. They were about the focus on distributing themselves as wide as possible and collecting intelligence," Shulman told DW.
She said that while Russian secret service groups do carry out cyberattacks, they are very different compared to what DarkSide did.
"[Russian secret service groups] are very stealthy. You cannot detect them. But none of these groups actually require ransomware to be paid," Shulman added.
US President Joe Biden also said on Monday that there were no indications at the moment that Russia is involved.
Colonial delivers more than 100 million gallons (380 million liters) of gasoline and other fuels per day from refiners on the Gulf Coast to consumers in the mid-Atlantic and southeastern United States.
It operates a more than 5,500-mile (8,850 km) pipeline network stretching from Texas to New Jersey, which serves major US airports, including Atlanta's Hartsfield Jackson Airport — the world's busiest by passenger traffic.
US gasoline futures jumped more than 3 percent to $2.217 a gallon, the highest since May 2018, as trading opened for the first time since the cyberattack.
The White House said it was working closely with Colonial as its main fuel lines remain offline for the fourth straight day.
The Biden administration said restoring operations was a top priority for Washington and an "all-hands-on-deck" effort was underway to avoid disruptions in the fuel supply.
Meanwhile, the company did not say whether it has paid or was negotiating a ransom.
Colonial Pipeline said it hopes that to have the pipeline running again later this week, but was unable to name an exact time.
In a statement released on Sunday, the company said although its main pipeline remained offline, some smaller lines were now operational.
"We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations," the company said.
DW's Natalia Smolentceva and Inna Zavgorodnya contributed reporting.
kbd, adi/rs (AP, Reuters)