Cyber recoveries – Multi-million dollars recovered from Colonial Pipeline ransomware attackers

On 7 June 2021, US Authorities led by the Justice Department announced the recovery of USD 2.3 million of the USD 4.4 million ransom paid in Bitcoin to the hackers who caused the shutdown of the Colonial Oil Pipeline in May 2021.

Whilst it was initially reported that the FBI had ‘hijacked’ the hacker’s Bitcoin, a warrant filed by the Department of Justice on 7 June 2021 discloses a more traditional legal method of recovery was used to great effect. The Colonial Pipeline incident highlights the often overlooked role of recoveries in the cyber claims landscape.

How do you ‘hack’ a Pipeline?

The Colonial Pipeline, like many others, is largely controlled by computers with manual operation becoming increasingly obsolete. Where there are computers and connectivity, there is cyber vulnerability.

In early May 2021, Colonial discovered that hackers gained a foothold in its corporate IT network. Whilst Colonial reports that the operational network that controls the pipeline is separate from its corporate network, Colonial said it temporarily shut down the pipelines as a precaution to prevent the infection from spreading to the operational network.

Ransom paid

Ransom payments continue to be the subject of public debate, with many calling for a blanket ban on such payments to dis-incentivise ransomware attacks.

In the case of Colonial, the ransom was paid to mitigate the downtime of the pipeline which supplies 2.5 million barrels a day of fuel oils day across its 5,500-mile length spanning the east coast of the US, and minimise the impact of the energy crises that followed.

Ransom recovered

Whilst it was initially suggested that the FBI had ‘hijacked’ the hacker’s Bitcoin wallet, a warrant filed by the Department of Justice discloses a more traditional route to the recovery.

In an approach not dissimilar to the tracing of ordinary funds, the FBI ‘followed the money’ tracking the movements of the Bitcoin following payment.

The blockchain on which Bitcoin is built provides a decentralised public ledger of all transactions. Whilst this is a key feature of Bitcoin’s efficiency and security, it also provides a highly traceable public ledger of all transactions.

The FBI was able to deploy software which examined the public ledger to the destination of the Bitcoins paid in ransom. Whilst the coins are reported to have been moved through serval accounts, a significant portion of the ransom was eventually traced to third-party Bitcoin exchange situated in the US, where it was being held.

The Department of Justice was then able to obtain a seizure warrant to gain access to the hacker’s private encryption key for Bitcoins and in turn retrieve the cryptocurrency.

Recoveries often overlooked

The Colonial Pipeline case highlights that traditional legal methods of recovery, which are often overlooked in cyber claims, are capable of being used to great effect by cyber claims professionals.

Tracing services such as that deployed by the FBI are available in the private sphere and can be deployed by cyber insurers where appropriate. Whilst there are steps that hackers can take to mask the ultimate location of the cryptocurrency that render recoveries of this nature very rare, hackers should not be the only focus of cyber insurers’ recovery efforts.

As the complexity of systems security has increased, so too has the prevalence of third-party system security service providers. When a cyber incident occurs, the roles and obligations of third party system security providers should be a key consideration for cyber claims professionals. Subject to the extent of those obligations, third party providers including developers and system security providers may be viable recovery targets where they have failed to fulfil contractual and tortious obligations.

With our global footprint of 66 offices, associate offices and co-operations across 24 countries, Kennedys are well placed so assist you with cyber recovery needs, wherever they might arise.