U.S. Blames Criminal Group in Colonial Pipeline Hack

“The FBI confirms that the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks,” an Federal Bureau of Investigation spokesman said Monday. “We continue to work with the company and our government partners on the investigation.”

The hack of Colonial Pipeline Co., disclosed over the weekend, has prompted intense concern among senior U.S. officials within the Biden administration, many of whom have already viewed ransomware as a digital blight capable of jeopardizing national and economic security. Ransomware is a practice hackers use to lock up computer systems and demand a payment from victims for their release.

Speaking briefly Monday, Mr. Biden said ransomware was a growing problem in need of a global response and said more investment in critical infrastructure was necessary to safeguard critical systems from debilitating cyberattacks.

Mr. Biden and others said the Russian government didn’t appear to have a hand in the attack, but he criticized Moscow for tolerating criminal hackers within its borders.

“So far, there is no evidence from our intelligence people that Russia is involved,” Mr. Biden said. “Although there is some evidence that the actors’ ransomware is in Russia. They have some responsibility to deal with this.”

Anne Neuberger,

deputy national security adviser for cyber and emerging technology, said during a separate White House press briefing that officials believed that DarkSide was a criminal group and confirmed that Colonial shut down its networks before the ransomware infected any of its operational control systems.

Asked if there were possible ties to the Russian government or other groups, Ms. Neuberger said: “Our intelligence agencies are looking for any ties to nation-state actors.”

In Russia, China and elsewhere, the line between criminal hacking groups and state-backed cyber operations is often murky, security experts say, as governments often tolerate criminal activity as long as it is targeted overseas and sometimes recruit hackers from those groups to carry out their own objectives.

Earlier Monday, DarkSide posted a statement on the dark web claiming that its goal was solely to make money and denied it was connected to a foreign government. The DarkSide statement didn’t directly mention Colonial Pipeline, whose 5,500-mile line from the Gulf Coast to Linden, N.J., has been offline for four days following a ransomware attack on its information-technology systems, instead referring obliquely to “the latest news.”

“We are apolitical, we do not participate in geopolitics,” the group said in its post. It said it wasn’t tied to a “defined” government and added: “Our goal is to make money, and not creating problems for society.”

The group that posted the statement didn’t respond to a request for comment. The statement didn’t say how much money was being demanded.

U.S. officials and cybersecurity investigators involved in responding to the pipeline hack have viewed DarkSide as a leading suspect in the attack since its discovery last week, according to people familiar with the matter. They have come to that determination in part due to commonalities in the malicious code used in the attack that link it to previous attacks carried out by the group, one of the people said.

The FBI on Friday sent out an internal all-points bulletin asking for any information about the DarkSide group, according to two people familiar with the matter. The FBI didn’t immediately respond to a request for comment on the bulletin.

The FBI has been investigating the DarkSide ransomware code since last October, Ms. Neuberger said. It is a ransomware-as-a-service variant, meaning that other criminal groups can purchase it to carry out attacks and then share the proceeds with the hackers who developed it, Ms. Neuberger said.

Experts say such a business model has recently grown more popular as ransomware attacks—which can range from hundreds of dollars to tens of millions—have proliferated and increasingly been used to target critical systems at hospitals, schools and elsewhere.

“It’s a new and very troubling variant,” Ms. Neuberger said. “It’s something we are particularly troubled by.”

Ms. Neuberger declined to comment on whether Colonial has paid a ransom, and the company hasn’t said so publicly either. She also said the administration hadn’t made a recommendation to Colonial on whether it should pay.

Normally the FBI encourages victims to not pay the ransoms to avoid fueling a booming criminal industry, but Ms. Neuberger said the administration recognized that is often not a feasible option for some companies, especially those that don’t have backup files or other means of recovering data. She added that the administration wanted to work with international partners to review how governments assist victims and “ensure that we’re not encouraging the rise of ransomware.”

DarkSide, which says it has broken into networks on more than 80 companies dating back to August 2020, claims to be an experienced team of ransomware creators that had previously made millions of dollars infecting victims with ransomware.

DarkSide also claims to engage in extortion, threatening to publicly publish data belonging to its victims, if they don’t pay the ransom. The hackers say they are willing to sell inside information about publicly traded companies if these companies refuse to meet their ransom demands.

With no clear end in sight to the shutdown of the largest U.S. conduit for gasoline, energy traders braced Monday for rising fuel prices and pressure on drivers at the pump. Analysts said prices for gasoline, particularly spot prices in regions affected by the closure, could continue to rise if the pipeline isn’t back in service in a few more days.

Colonial on Monday said the situation continued to evolve but that it was working on a plan to return to service in a phased approach with a goal of “substantially restoring operational service by the end of the week.” More updates would be forthcoming, the company said.

—Robert McMillan contributed to this article.

Write to Dustin Volz at dustin.volz@wsj.com