A senior Biden administration official on Friday said one of the Russian hackers arrested earlier in the day by that country’s security service is responsible for the ransomware attack that temporarily crippled the Colonial Pipeline last year.
“We understand that one of the individuals who was arrested today was responsible for the attack against Colonial Pipeline last spring,” the official told reporters during a conference call, referring to the arrests carried out by Russia’s Federal Security Service of members of the REvil ransomware gang.
TASS, the country’s state news agency, said 14 members of the notorious digital gang had been detained. The FSB claimed that it seized more than 426 million rubles, or $600,000 in cash, as well as cryptocurrency wallets, computers and 20 cars.
Last year, a separate Russian hacker group known as DarkSide claimed responsibility for the Colonial attack. The FBI later confirmed the group was behind the incident, which caused panic buying of gasoline along the East Coast.
However, it is possible that the individual — who the official did not name — worked for one organization before leaving for another or worked for both simultaneously.
REvil was responsible for the supply-chain attack on the software firm Kaseya last year — which impacted more than 1,000 businesses and organizations worldwide — and the digital attack on food processing giant JBS. The group shuttered its operations last July, making a brief comeback later before some of their dark web servers were seized by authorities, seemingly wiping out the criminal group.
Friday’s arrests come amid tensions between Washington and Moscow, as Russia has amassed thousands of troops on the Ukrainian border. The U.S. has publicly accused the Kremling of preparing an invasion of Ukraine and creating a pretext to take such action.
The Biden official, who briefed reporters on condition of anonymity, said the administration believes the activity by Russia’s internal intelligence agency is “not related to what’s happening with Russia and Ukraine,” adding that the White House has been clear it will impose “severe costs” on the Kremlin in coordination with Western allies.
The official noted that following last year’s in-person meeting between President Joe Biden and Russian leader Vladimir Putin, the two countries established an experts group on cybersecurity where administration officials have provided the Kremlin with information about certain cyber criminals operating within its borders and conveyed what actions Washington expects the government to take against them.
“We’re committed to seeing those conducting ransomware attacks against Americans brought to justice,” according to the official, who said the administration was pleased by Friday’s arrests and that expectation is that Russia “would be pursuing legal action within its own system.”
The official also said that the administration has not reached an attribution for the digital campaign that defaced a number of Ukrainian government websites on Friday.
“While we continue to assess the impact with Ukrainians, it seems limited so far, with multiple websites coming back online,” the official told reporters.
Martin is a cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.