FBI says Darkside hacking group responsible for pipeline cyberattack

The attack shut down Colonial Pipeline service on the East Coast.

Edward Moyer Senior Editor
Sean Keane Former Senior Writer
Andrew Morse Former executive editor

The FBI on Monday blamed a hacking group for a cyberattack that took down the main pipeline carrying gas to the densely populated East Coast, provoking worries about the vulnerability of critical systems. The law enforcement agency, which is investigating the May 7 hack, pinned responsibility on Darkside, a group that reportedly develops ransomware and sells it to other outfits.  

"The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks," the agency said in a statement. "We continue to work with the company and our government partners on the investigation."

Colonial Pipeline, which operates pipes that carry refined petroleum products like gas and diesel for cars and trucks, jet fuel, heating oil for homes and fuel for the military, halted all pipeline operations after the hack. It also took "certain systems offline to contain the threat." 

The pipeline remained closed on Monday, but the company said in a statement that it's aiming for "substantially restoring operational service by the end of the week."

The shutdown heightens alarm about cyberattacks on key infrastructure systems amid the growing use of ransomware in criminal activity. In ransomware schemes, attackers use malicious software to lock up a computer system or its data and then demand payment to restore access. The worldwide WannaCry ransomware attacks in 2017, for instance, locked up computer systems at hospitals, banks and phone companies. City governments in the US, including Baltimore's, have been hobbled by ransomware attacks as well.

Attacks like the one on Colonial also worry observers concerned about cyberwarfare tactics such as Russia's shutdown of part of Ukraine's power grid in 2015, and reports that a Russian government-sponsored group called Dragonfly or Energetic Bear gained access to control rooms of US electric utilities in 2017. The US military has also reportedly aimed cyberattacks at Russia's electrical grid and Iran's missile systems.

More recently, fears about Russian cyber-espionage were stoked by the massive SolarWinds hack, which used tainted software from the IT management company to penetrate multiple US federal agencies and at least 100 private companies. In April, US President Joe Biden signed an executive order imposing a range of retaliatory measures against Russia in response to the SolarWinds hack.

Colonial connects refineries in the Gulf Coast and elsewhere with customers in the Southern and Eastern United States. Its pipeline system covers more than 5,500 miles and carries more than 100 million gallons of fuel per day, making it the biggest refined products pipeline in the US, according to the company.