Pipeline outage causes U.S. gasoline supply crunch, panic buying

By Laura Sanicola and Devika Krishna Kumar

(Reuters) - Gas stations from Florida to Virginia began running dry and prices at the pump rose on Tuesday, as the shutdown of the biggest U.S. fuel pipeline by hackers extended into a fifth day and sparked panic buying by motorists.

The administration of U.S. President Joe Biden projected that the Colonial Pipeline, source of nearly half the fuel supply on the U.S. East Coast, would restart in a few days and urged drivers not to top up their tanks.

“We are asking people not to hoard,” U.S. Energy Secretary Jennifer Granholm told reporters at the White House. “Things will be back to normal soon.”

Colonial was shut on Friday after hackers launched a ransomware attack – effectively locking up its computer systems and demanding payment to release them – and the company has said it is hoping to “substantially” restart by the end of this week.

But the outage, which has underscored the vulnerability of vital U.S. infrastructure to cyberattacks, has already started to hurt.

About 7.5% of gas stations in Virginia and 5% in North Carolina had no fuel on Tuesday as demand jumped 20%, tracking firm GasBuddy said. Unleaded gas prices, meanwhile, neared an average $2.99 a gallon, the highest price since November 2014, the American Automobile Association said.

In an effort to ease the strain on consumers, Georgia suspended sales tax on gas until Saturday, and North Carolina declared an emergency. The U.S. federal government, meanwhile, has loosened rules to make it easier for suppliers to refill storage, including lifting seasonal anti-smog requirements for gasoline and allowing fuel truckers to work longer hours.

Granholm said there is not a shortage but a gasoline supply “crunch” in North Carolina, South Carolina, Tennessee, Georgia and Southern Virginia, regions that typically rely on Colonial for fuel.

Driver Caroline Richardson said she was paying 15 cents more per gallon than a week ago as she refueled at a gas station in Sumter, South Carolina. “I know some friends who decided not to go out of town this weekend to save gas,” she said.

DARKSIDE HACK

The strike on Colonial “is potentially the most substantial and damaging attack on U.S. critical infrastructure ever,” Ohio Senator Rob Portman told a Senate hearing on cybersecurity threats on Tuesday.

The FBI has accused a shadowy criminal gang called DarkSide of the ransomware attack. DarkSide is believed to be based in Russia or Eastern Europe and avoids targeting computers that use languages from former Soviet republics, cyber experts say.

Russia’s embassy in the United States rejected speculation that Moscow was behind the attack. President Joe Biden a day earlier said there was no evidence so far that Russia was responsible.

A statement issued in DarkSide’s name on Monday said: “Our goal is to make money, and not creating problems for society.”

It is unknown how much money the hackers are seeking, and Colonial has not commented on whether it would pay.

“Cyber attacks on our nation’s infrastructure are growing more sophisticated, frequent and aggressive,” Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency (CISA), said on Tuesday at a Senate hearing on the SolarWinds hack that hit companies and government agencies.

GOVERNMENT STEPS IN

The Environmental Protection Agency issued a waiver on Tuesday that allows distributors to continue supplying winter fuel blends through May 18 in three Mid-Atlantic states to help ease supplies.

North Carolina and the U.S. Department of Transportation, meanwhile, relaxed fuel-driver rules, allowing truckers hauling gasoline to work longer hours. North Carolina and Virginia have both declared a state of emergency.

The U.S. has also started the work needed to enable temporary waivers of Jones Act vessels in response to the cyber attack – something that would allow foreign-flagged fuel carriers to move from one U.S. port to another, the Transportation Department said.

There are growing concerns that the pipeline outage could lead to further price spikes ahead of the Memorial Day weekend at the end of this month. The weekend is the traditional start of the busy summer driving season.

Gulf Coast refiners that rely on Colonial’s pipeline to move their products have cut processing. Total SE trimmed gasoline production at its Port Arthur, Texas, refinery and Citgo Petroleum pared back at its Lake Charles, Louisiana, plant, sources told Reuters.

Marathon Petroleum is “making adjustments” to its operations due to the pipeline shutdown, a spokesman said without providing details.

While the pipeline outage is having big short-term consequences in some regions, some experts believe the longer-term impact will be small.

“Markets will go crazy, but two weeks later no one knows it happened,” said Chuck Watson, director of research at ENKI, which studies the economic effects of natural and other disasters.

(Reporting by Laura Sanicola, Stephanie Kelly and Devika Krishna Kumar; Additional reporting by Nandita Bose; Editing by Paul Simao, Cynthia Osterman and Grant McCool)

Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike

By Raphael Satter, Jack Stubbs and Christopher Bing

WASHINGTON/LONDON (Reuters) – Elite hackers tried to break into the World Health Organization earlier this month, sources told Reuters, part of what a senior agency official said was a more than two-fold increase in cyberattacks.

WHO Chief Information Security Officer Flavio Aggio said the identity of the hackers was unclear, but the effort was unsuccessful. He warned that hacking attempts against the agency and its partners have soared as they battle to contain the coronavirus, which has killed more than 15,000 worldwide.

The attempted break-in at the WHO was first flagged to Reuters by Alexander Urbelis, a cybersecurity expert and attorney with the New York-based Blackstone Law Group, which tracks suspicious internet domain registration activity.

Urbelis said he picked up on the activity around March 13, when a group of hackers he’d been following activated a malicious site mimicking the WHO’s internal email system.

“I realized quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic,” he said.

Urbelis said he didn’t know who was responsible, but two other sources briefed on the matter said they suspected an advanced group of hackers known as DarkHotel, which has been conducting cyber-espionage operations since at least 2007.

Messages sent to email addresses maintained by the hackers went unreturned.

When asked by Reuters about the incident, the WHO’s Aggio confirmed that the site spotted by Urbelis had been used in an attempt to steal passwords from multiple agency staffers.

“There has been a big increase in targeting of the WHO and other cybersecurity incidents,” Aggio said in a telephone interview. “There are no hard numbers, but such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled.”

The WHO published an alert last month warning that hackers are posing as the agency to steal money and sensitive information from the public.

The motives in the case identified by Reuters aren’t clear. United Nations agencies, the WHO among them, are regularly targeted by digital espionage campaigns and Aggio declined to say who precisely at the organization the hackers had in their sights.

Cybersecurity firms including Romania’s Bitdefender and Moscow-based Kaspersky said they have traced many of DarkHotel’s operations to East Asia – an area that has been particularly affected by the coronavirus. Specific targets have included government employees and business executives in places such as China, North Korea, Japan, and the United States.

Costin Raiu, head of global research and analysis at Kaspersky, could not confirm that DarkHotel was responsible for the WHO attack but said the same malicious web infrastructure had also been used to target other healthcare and humanitarian organizations in recent weeks.

“At times like this, any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country,” he said.

Officials and cybersecurity experts have warned that hackers of all stripes are seeking to capitalize on international concern over the spread of the coronavirus.

Urbelis said he has tracked thousands of coronavirus-themed web sites being set up daily, many of them obviously malicious.

“It’s still around 2,000 a day,” he said. “I have never seen anything like this.”

(Additional reporting by Hyonhee Shin in Seoul; Editing by Chris Sanders and Edward Tobin)

North Korea took $2 billion in cyber attacks to fund weapons program: U.N. report

By Michelle Nichols

UNITED NATIONS (Reuters) – North Korea has generated an estimated $2 billion for its weapons of mass destruction programs using “widespread and increasingly sophisticated” cyberattacks to steal from banks and cryptocurrency exchanges, according to a confidential U.N. report seen by Reuters on Monday.

Pyongyang also “continued to enhance its nuclear and missile programs although it did not conduct a nuclear test or ICBM (Intercontinental Ballistic Missile) launch,” said the report to the U.N. Security Council North Korea sanctions committee by independent experts monitoring compliance over six months.

The North Korean mission to the United Nations did not respond to a request for comment on the report, which was submitted to the Security Council committee last week.

The experts said North Korea “used cyberspace to launch increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to generate income.” They also used cyberspace to launder the stolen money, the report said.

“Democratic People’s Republic of Korea cyber actors, many operating under the direction of the Reconnaissance General Bureau, raise money for its WMD (weapons of mass destruction) programs, with total proceeds to date estimated at up to two billion US dollars,” the report said.

North Korea is formally known as the Democratic People’s Republic of Korea (DPRK). The Reconnaissance General Bureau is a top North Korean military intelligence agency.

The U.N. experts said North Korea’s attacks against cryptocurrency exchanges allowed it “to generate income in ways that are harder to trace and subject to less government oversight and regulation than the traditional banking sector.”

The Security Council has unanimously imposed sanctions on North Korea since 2006 in a bid to choke off funding for Pyongyang’s nuclear and ballistic missile programs. The Council has banned exports including coal, iron, lead, textiles and seafood, and capped imports of crude oil and refined petroleum products.

U.S. President Donald Trump has met with North Korea leader Kim Jong Un three times, most recently in June when he became the first sitting U.S. president to set foot in North Korea at the Demilitarized Zone (DMZ) between the two Koreas.

They agreed to resume stalled talks aimed at getting Pyongyang to give up its nuclear weapons program. The talks have yet to resume and in July and early August, North Korea carried out three short-range missile tests in eight days.

The U.N. report was completed before last week’s missile launches by North Korea, but noted that “missile launches in May and July enhanced its overall ballistic missile capabilities.”

The U.N. experts said that despite the diplomatic efforts, their “investigations show continued violations” of U.N. sanctions.

“For example, the DPRK continued to violate sanctions through ongoing illicit ship-to-ship transfers and procurement of WMD-related items and luxury goods,” the U.N. report said.

(Reporting by Michelle Nichols; editing by Grant McCool)

“Anonymous” Hackers Declare War on ISIS

The hacker collective known as “Anonymous” declared war on ISIS in a video posted on YouTube in response to the horrendous attacks that took place in Paris on Friday.

According to NBC News, the video has yet to be verified by officials, but in the video a spokesman wears the group’s signature Guy Fawkes mask and says in French that the group will use their expertise in a “war” against the Islamic terrorist group.

“Expect massive cyber attacks. War is declared. Get prepared,” the announcer says in French.

“Anonymous from all over the world will hunt you down. You should know that we will find you and we will not let you go. We will launch the biggest operation ever against you,” the spokesperson continued, according to translated transcripts of the video.

The spokesman went on to call the members of ISIS “vermin” and said that their actions would not go “unpunished.”

As of Monday at 8:30 a.m. Central Time, the video had accumulated 1.1 million views on YouTube, according to the Jerusalem Post.

The Huffington Post reports that the hacktivist group also posted on Twitter: “Make no mistake: Anonymous is at war with Daesh.” Daesh is another name for ISIS.

Anonymous is an international network of activist computer hackers who have claimed responsibility for numerous cyberattacks against corporate, religious, and government websites over the past 12 years. Since the Charlie Hebdo attack in January that led to the death of 17 people, Anonymous has been targeting and shutting down Twitter profiles believed to be used by ISIS and their supporters. The Jerusalem Post reports that the hacktivist group has reported more than 39,000 ISIS accounts to Twitter. Out of those, more than 25,000 have been suspended, but almost 14,000 are still active.

China Still Trying to Hack U.S. Firms, Despite Denials

Despite a recent pact between Chinese President Xi Jinping and President Obama to stop cyber war, security services provider CrowdStrike has reported that several Chinese state-backed hackers have been carrying out cyberattacks on several U.S. companies, according to NBC.

CrowdStrike claims that they have blocked every attack that they have come across so far and that the hackers seem to be targeting the networks of U.S. technology and pharmaceutical companies.

Just a few weeks ago, Xi visited the United States, promising leaders of American technology companies that the cyber attacks would stop. He also signed an agreement with President Obama that China and the United States would refrain from continued hacks that were aimed at obtaining company trade secrets for commercial advantage.

But two days after the agreement there were two attacks on technology companies, and more hacking attempts have happened since then.

“Seven of the companies are firms in the technology or pharmaceuticals sectors, where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national-security related intelligence collection which the Cyber agreement does not prohibit,” CrowdStrike wrote in a blog post Monday.

If the cyberattacks continue, it could lead to sanctions being placed against Chinese companies, according to the agreement made between Xi and Obama.

The U.S. has also been accused of attempting to hack the networks of Chinese companies. Edward Snowden, a former NSA contractor, came forward with information on how the U.S. hacked the Chinese company Huawei last year. Government officials continue to state that the reason for the hack was national security, not economic advantage.

The Chinese government has not made any comments regarding these attacks at this time.