The U.S. Federal Bureau of Investigation (FBI) was able to recover part of the ransom paid by Colonial Pipeline, the fuel distribution company that fell victim to a hack which shut down one of its key sites in the country in May.
63.7 bitcoin or approximately $2.3 million of the 75 bitcoin ($4.4 million) ransom were recouped by the investigators, with the hackers behind the attack identified as DarkSide, a Russian group that had been on the Department of Justice’s (DOJ) radar for over a year.
The hack of Colonial Pipeline’s East Coast pipeline caused widespread disruption on the regional oil market, with some stations in multiple states running out of fuel. Although not the recommended route in most cases, the firm’s CEO Joseph Blount complied with the hackers’ ransom demands and sent $4.4 million in return for decryption keys to relaunch the pipeline’s systems. As the Wall Street Journal reports, the decision to comply was made because Colonial Pipeline didn’t know the extent of the breach or how long it would have taken to restart operations otherwise.
“There is no place beyond the reach of the FBI to conceal illicit funds that will prevent us from imposing risk and consequences upon malicious cyber actors,” FBI Deputy Director Paul Abbate stated on the seizure.
The rather positive outcome for Colonial Pipeline is not “the norm,” although close coordination between victims and investigators can sometimes yield positive results, FBI Director Christopher Wray told CNN last week.
How Did the FBI Access the Funds?
The exact steps taken by the FBI to recover the funds have been left rather vague, although Deputy Attorney General Lisa Monaco said on Monday that “following the money remains one of the most basic, yet powerful tools we have.”
In its announcement, the DOJ emphasized its praise of Colonial Pipeline’s quick reporting to the FBI that it had been hacked by DarkSide, which allowed the Bureau to trace multiple bitcoin transactions via chain analysis. The 63.7 bitcoin that were later recovered “had been transferred to a specific address, for which the FBI has the ‘private key’,” according to the DOJ.
It was not disclosed how the FBI acquired that private key.
Hacking a private key based on a public Bitcoin address is practically impossible. The most likely path to obtaining the key would therefore have been to identify its owner.
The general level of difficulty in acquiring a private key can vary drastically based on the owner’s care in storing the key. If the hackers used a custodial wallet service, the key would have been in the possession of the wallet provider and could possibly have been obtained via a warrant. If the group used a non-custodial wallet, seizing the key would have been a lot harder, although online storage or storage on a computer would have presented a potential attack vector.
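The "following the money" step described above, in which investigators trace a payment forward through later transactions until it comes to rest at an address that can be tied to an owner (a custodial service, for instance), can be illustrated with a small forward-tracing routine. This is an added example, not code from the article or from any agency or blockchain-analysis vendor; the ledger, the addresses and the amounts are constructed for illustration, and the list of "known custodial" addresses is an assumed input that a real investigator would obtain from exchanges or from attribution data.

```python
from collections import defaultdict, deque

# Constructed toy ledger (NOT real chain data). Each transaction spends earlier
# outputs identified as (txid, vout) and creates new outputs (address, amount_btc).
# Amounts loosely mirror the article: 75 BTC paid, 63.7 BTC coming to rest at one address.
LEDGER = [
    {"txid": "tx1", "inputs": [("coinbase", 0)], "outputs": [("victim_addr", 75.0)]},
    {"txid": "tx2", "inputs": [("tx1", 0)],      "outputs": [("ransom_addr", 75.0)]},
    {"txid": "tx3", "inputs": [("tx2", 0)],      "outputs": [("affiliate_addr", 11.3),
                                                            ("operator_addr", 63.7)]},
    {"txid": "tx4", "inputs": [("tx3", 0)],      "outputs": [("exchange_deposit", 11.3)]},
    {"txid": "tx5", "inputs": [("coinbase", 1)], "outputs": [("unrelated_addr", 5.0)]},
]

# Assumed attribution data: deposit addresses known to belong to a custodial
# service, i.e. somewhere a key is held by a third party that can be served legal process.
KNOWN_CUSTODIAL = {"exchange_deposit": "ExampleExchange (hypothetical)"}


def build_index(ledger):
    """Index transactions by id and record which transaction spends each outpoint."""
    by_id = {tx["txid"]: tx for tx in ledger}
    spenders = {}  # (txid, vout) -> txid of the transaction that consumes it
    for tx in ledger:
        for prev in tx["inputs"]:
            spenders[prev] = tx["txid"]
    return by_id, spenders


def trace_funds(ledger, start_address):
    """Forward-trace every output paid to start_address through later spends.

    Returns (resting, hops): resting maps each address where the trail ends
    (an output nobody has spent yet) to the BTC still sitting there; hops lists
    (from_addr, to_addr, amount, txid) for every edge followed.
    Simplification: all outputs of a spending transaction are treated as tainted.
    Real chain analysis needs heuristics for mixed inputs and change outputs.
    """
    by_id, spenders = build_index(ledger)
    queue = deque()
    for tx in ledger:
        for vout, (addr, _amt) in enumerate(tx["outputs"]):
            if addr == start_address:
                queue.append((tx["txid"], vout))

    seen = set()
    resting = defaultdict(float)
    hops = []
    while queue:
        outpoint = queue.popleft()
        if outpoint in seen:
            continue
        seen.add(outpoint)
        txid, vout = outpoint
        addr, amt = by_id[txid]["outputs"][vout]
        spender = spenders.get(outpoint)
        if spender is None:          # unspent: the money is resting here
            resting[addr] += amt
            continue
        for nvout, (naddr, namt) in enumerate(by_id[spender]["outputs"]):
            hops.append((addr, naddr, namt, spender))
            queue.append((spender, nvout))
    return dict(resting), hops


def custodial_leads(resting, known_custodial=KNOWN_CUSTODIAL):
    """Resting addresses whose keys are held by an identifiable third party."""
    return {addr: known_custodial[addr] for addr in resting if addr in known_custodial}


if __name__ == "__main__":
    resting, hops = trace_funds(LEDGER, "ransom_addr")
    for src, dst, amt, txid in hops:
        print(f"{src} -> {dst}: {amt} BTC in {txid}")
    print("funds at rest:", resting)
    print("custodial leads:", custodial_leads(resting))
```

The routine only answers "where did the coins go"; it says nothing about who controls the key at a non-custodial resting address such as `operator_addr`, which is exactly the gap the article points to. The custodial hit is the one place where legal process, rather than technical means, can produce a key.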
As CNN reports, investigators were previously “looking for any possible holes in the hackers’ operational or personal security in an effort to identify the actors responsible.”
A likely scenario therefore is that a hole in the group’s operational security gave the hackers away. CNN further reports that the hackers involved with the Colonial Pipeline incident “may have been inexperienced or novice hackers, rather than well-seasoned professionals,” referring to three anonymous sources.