What's happening with cyberattacks in the US

By Mike Hayes, Melissa Macaya, Melissa Mahtani, Veronica Rocha and Meg Wagner, CNN

Updated 7:36 p.m. ET, June 7, 2021
6:48 p.m. ET, June 7, 2021

NATO secretary general says he and Biden discussed cyber threats and Russia at Oval Office meeting

From CNN's Jason Hoffman

NATO Secretary General Jens Stoltenberg talks to reporters following a meeting with President Joe Biden at the White House on June 7 in Washington, DC. Chip Somodevilla/Getty Images

NATO Secretary General Jens Stoltenberg outlined what he called a “very good conversation” with President Biden at the White House Monday, where the two leaders discussed a range of issues including cyber threats.

Stoltenberg said both he and Biden agree on taking a dual track approach to Russia, with deterrence and defense but also dialogue. 

“Dialogue with Russia is not a sign of weakness. We are strong, we are united, and then we can talk to Russia, and we need to talk to Russia, partly to strive for a better relationship, but even if we don't believe in a better relationship with Russia, we need to manage a difficult relationship with Russia,” the Secretary General said.

Stoltenberg said he is glad Biden is meeting with the NATO allies before his meeting with Russian President Vladimir Putin.

The White House said Biden will meet with Putin in Geneva, Switzerland next week. The long anticipated meeting will come at the conclusion of Biden's first international trip since taking office.

Stoltenberg said the biggest challenge faced right now is that the world is much more unpredictable with more global competition than it has been in the past, pointing to the increase in cyber attacks as an example of the unpredictable security environment.

5:29 p.m. ET, June 7, 2021

Colonial Pipeline CEO thanks FBI for their "swift work"

From CNN's Elise Hammond

Colonial Pipeline Company President and CEO Joseph Blount said he is grateful for the FBI's "swift work and professionalism" in responding to a ransomware hack on the pipeline last month.

This comes as US investigators said they have recovered millions of dollars in cryptocurrency paid in ransom to those hackers.

Blount said in a statement that when the pipeline was hacked on May 7, the company "quietly and quickly" contacted FBI field offices in Atlanta and San Francisco as well as prosecutors in California and Washington, DC.

"The Department of Justice and FBI were instrumental in helping us to understand the threat actor and their tactics. Their efforts to hold these criminals accountable and bring them to justice are commendable," Blount said in the statement.

He said the company will continue to be transparent with government agencies as the investigation into the hack continues.

"Our goal is to help our peers in the critical infrastructure space strengthen their cyber defenses and to collaborate across industry so that we can thwart these types of attacks before they happen," the statement said. "Together, through intelligence sharing and lessons learned, we can work to better protect our nation, its people, and our most critical assets.”

Some context: Most companies don't get their ransom recovered.

Blount told the Wall Street Journal in an interview published last month that the company complied with the $4.4 million ransom demand because officials didn't know the extent of the intrusion by hackers and how long it would take to restore operations.

3:43 p.m. ET, June 7, 2021

Department of Justice seizes more than $2 million in cryptocurrency paid to ransomware extortionists

From CNN's Christina Carrega

The Department of Justice announced on Monday the recovery of millions in cryptocurrency that investigators say Colonial Pipeline paid to ransomware hackers.

"Today we announced the seizure of millions of dollars in bitcoin paid by an innocent victim in ransom in a bid to regain control of computer systems. The extortionists will never see this money. New financial technologies that attempt to anonymize payments will not provide a curtain from behind which criminals will be permitted to pick the pockets of hard-working Americans," Acting US Attorney for the Northern District of California, Stephanie Hinds, said.

Hinds said she is directing her office to "marshal the resources necessary not only to apprehend and bring to justice ransomware extortionists but also to deprive them of the profits that incentivize their crimes."

2:34 p.m. ET, June 7, 2021

US recovers millions in cryptocurrency paid to Colonial Pipeline ransomware hackers

From CNN's Evan Perez

Fuel holding tanks are seen at Colonial Pipeline's Linden Junction Tank Farm on May 10 in Woodbridge, New Jersey. Michael M. Santiago/Getty Images

US investigators have recovered millions of dollars in cryptocurrency paid in ransom to hackers whose attack prompted the shutdown of the key East Coast pipeline last month, according to people briefed on the matter.  

The Justice Department is expected to announce details on Monday of the operation led by the FBI with the cooperation of the Colonial Pipeline operator, the people briefed on the matter said.

The ransom recovery is a rare outcome for a company that has fallen victim to a debilitating cyberattack in the booming criminal business of ransomware. 

Colonial Pipeline Co. CEO Joseph Blount told the Wall Street Journal in an interview published last month that the company complied with the $4.4 million ransom demand because officials didn't know the extent of the intrusion by hackers and how long it would take to restore operations.

But behind the scenes, the company had taken early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia. US officials have linked the Colonial attack to a criminal hacking group known as Darkside that is said to share its malware tools with other criminal hackers. 

A spokesman for the Justice Department declined to comment.

1:47 p.m. ET, June 7, 2021

Ransomware will be addressed at every stop of Biden's foreign trip, White House official says

From CNN's Jason Hoffman

National Security Advisor Jake Sullivan talks to reporters during the daily news conference in the Brady Press Briefing Room at the White House on June 7 in Washington, DC. Chip Somodevilla/Getty Images

National security adviser Jake Sullivan said the administration will address ransomware, which he called a “national security priority,” at every stop of President Biden’s first foreign trip as President, saying the US hopes to see commitments from its allies on how to address cyber threats.

“Ransomware is a national security priority, particularly as it relates to ransomware attacks on critical infrastructure in the United States, and we will treat it as such in the G7, we will treat it as such at every stop along the way on this trip,” Sullivan said at Monday’s White House press briefing.

Pressed by CNN’s Phil Mattingly on what specific commitments the US would like to see on ransomware coming out of the G7 and NATO summits, Sullivan said he hopes there is the start of an “action plan” between the US and its allies across a number of critical areas in regards to continued ransomware threats.

“First, how to deal with increasing the robustness and resilience of our defenses against ransomware attacks collectively. Second, how to share information about the nature of the threat among our democracies. Third, how to deal with the cryptocurrency challenge, which lies at the core of how these ransom transactions are played out,” Sullivan said.

Sullivan added he wants to address how the countries at the G7 can “collectively speak with one voice to those countries, including Russia, that are harboring or permitting cyber criminals to operate from their territory.”

Some more context: In an interview with Axios, Secretary of State Antony Blinken said Biden’s meeting with Russian President Vladimir Putin is happening “not in spite of” the cyberattacks, but “because of them,” and Biden will warn Putin “directly and clearly what he can expect from the United States if aggressive, reckless actions toward us continue.”

“We will also speak in the NATO context about cyber threats, particularly as they relate to critical infrastructure, as being of a different order of magnitude of security threat that the alliance has to concern itself with a way that it hasn't historically, but it's got to become a priority going forward,” Sullivan said.

CNN reported Friday that Biden and White House officials are increasingly worried about a major attack on various sectors.

12:22 p.m. ET, June 7, 2021

Why hackers are targeting physical infrastructure

From CNN's Rishi Iyengar and Clare Duffy

Fuel holding tanks are seen at Colonial Pipeline's Dorsey Junction Station on May 13 in Woodbine, Maryland. Drew Angerer/Getty Images

Many people think of cyberattacks as just that: an attempt by hackers to steal sensitive data or money online. But now hackers have found a significant moneymaker in targeting physical infrastructure.

These attacks have the potential to spark mayhem in people's lives, leading to product shortages, higher prices and more. The greater the disruption, the greater the likelihood that companies will pay to alleviate it.

"If you're a ransomware actor, your goal is to inflict as much pain as possible to compel these companies to pay you," said Katell Thielemann, Gartner's vice president analyst for security and risk management. "This is beyond cybersecurity only, this is now a cyber-physical event where actual, physical-world processes get halted. When you can target companies in those environments, clearly that's where the most pain is felt because that's where they make money."

Multiple recent ransomware attacks have originated from Russia, according to US officials. Last Wednesday, the FBI attributed the attack on meat producer JBS to a Russia-based cybercriminal group called REvil, which also tried to extort Apple supplier Quanta Computer earlier this year. REvil is similar to DarkSide, the group US officials said was behind the ransomware attack that shut down the Colonial Pipeline last month.

Experts say both REvil and DarkSide operate what are essentially "ransomware-as-a-service" businesses, often employing large staffs to create tools to help others execute ransomware attacks, and taking a cut of the profits. In some cases, they also carry out their own attacks. Russian law enforcement typically leaves such groups operating within the country alone if their targets are elsewhere because they bring money into the country, cybersecurity experts say.

The list of potential targets is long. The US government's Cybersecurity and Infrastructure Agency (CISA) lists 16 different industries as "critical infrastructure sectors," including energy, healthcare, financial services, water, transportation, food and agriculture, the compromise of which could have a "debilitating effect" on the US economy and security. But experts say much of this infrastructure is aging, and its cyber defenses haven't kept up with the evolution of bad actors.

11:50 a.m. ET, June 7, 2021

What should I do if I'm targeted in a ransomware attack?

From CNN's Samantha Murphy Kelly

While American companies have been targeted in recent high-profile cyberattacks, individual people — anyone who uses the internet — can also be at risk.

Criminal organizations behind ransomware attacks don't care if the victim is an individual or a business; they just want to get paid. Ransomware is often obtained through social engineering — an act of someone stealing personal data by using information gleaned from their social media account — phishing emails or getting someone to click on a link on a website. It's especially prevalent on pornography and pirate websites that promise free viewing. Ransomware kits are also sold on the dark web, a part of the internet not detected by search engines where cybercriminals often sell and buy illicit materials.

So what should you do if you've fallen victim? The FBI's general guidance is that victims should not pay a ransom.

"The FBI does not support paying a ransom in response to a ransomware attack," according to the FBI website. "Paying a ransom doesn't guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity."

If a hacker gets a credit card number and goes on a shopping spree, a bank can often reverse the charges, but the use of cryptocurrency makes funds nearly impossible to get back. Some common malware infections can be reversed with existing cybersecurity tools but many cannot.

"Ransomware groups evolve their tactics generally when they see that cybersecurity tools can counter them," said Michela Menting, research director at ABI Research. Some security researchers have tools to decrypt ransomware, but they're not always reliable because many ransomware versions exist.

People who are hit with ransomware should treat their computer as though it's compromised even after it's been unlocked. "This is because you do not know what changes the ransomware made to the system when it was infected," Randall Magiera, cybersecurity expert and professor of information technology at Tulane University, said.

He suggested erasing the computer's hard drive and reinstalling the entire operating system rather than selecting the option that restores files.

Even though it's hard to track down the criminals and prosecute them, anyone targeted should report the crime to police officials, according to Menting. "The greater the number of incidents reported, the more visibility this provides to law enforcement, which eventually leads to bigger budget allocation for fighting it," she said.

12:18 p.m. ET, June 7, 2021

Why the FBI director compared the challenge posed by ransomware attacks to 9/11

From CNN's Brian Fung, Geneva Sands, Rachel Janfaza and Zachary Cohen

Christopher Wray, director of the Federal Bureau of Investigation, listens during a House Intelligence Committee hearing on April 15 in Washington, D.C. Al Drago/Pool/Getty Images

FBI Director Christopher Wray sounded the alarm on ransomware in stark terms by likening the challenge posed by the recent spate of damaging cyber attacks on the US to the September 11 terrorist attacks, calling for a similar response. His remarks come as officials across government have tried to step up the urgency of the response to the problem after back-to-back ransomware incidents exposed the vulnerability of critical industries in the United States.

"There are a lot of parallels, there's a lot of importance, and a lot of focus by us on disruption and prevention," Mr. Wray said in an interview with the Wall Street Journal on Thursday. "There's a shared responsibility, not just across government agencies but across the private sector and even the average American."

"The scale of this problem is one that I think the country has to come to terms with," he added.

Wray's remarks reflect a developing consensus within the Biden administration that ransomware ranks among the gravest threats to national security the United States has ever faced. And it is part of a broader, all-hands effort by the White House to convince the public it has control of the situation — even as some cybersecurity experts say the executive branch is limited in what it can do unilaterally to stop the attacks.