Hackers behind the massive cyberattack that shut down the Colonial Pipeline in April 2011 might have gotten a small price-tag in the deal.
The attackers took 100 million gallons of gasoline off the Texas coast — a 1 percent profit — according to a court settlement to be announced Thursday between the Justice Department and an unnamed party.
That is one percent of the total estimated losses that would have occurred if the attack on the pipeline in April 2011 had not occurred, but more than three times what the oil giant Exxon Mobil paid out in its settlement. Exxon paid $114 million to the U.S. government in 2013 to avoid criminal charges.
The Justice Department declined to name the unidentified party, but a document and court records filed on Tuesday indicate that it is AT&T, a company whose cyber experts were working with federal prosecutors to investigate and try to make sense of the cyberattack during the week of April 24, 2011.
While AT&T learned about the criminal hack within days, officials say it had not filed its own report about the attack to the Department of Homeland Security until it was presented with the proposed settlement Tuesday.
“As an arm of the Department of Justice, we’re fortunate to have the resources to do our part to safeguard the nation’s critical infrastructure,” said Joseph Demarest, the assistant director in charge of the FBI’s Cyber Division. “Through our ongoing investigation, we’ve proven that illegal hacking and cyber threats continue to have a major impact on the energy infrastructure of the United States.”
The continuing identity of the unnamed party is crucial to what constitutes a hacking attack, which the government is required to investigate in these cases.
The Natural Gas Security Act, a 2000 law, stipulates that any cyber security threat to the U.S. energy sector must be considered an actual attack and be investigated. Homeland Security is responsible for investigating those cyber security threats.
It is not clear what specific information AT&T, which has declined to comment, holds, or whether its findings were shared with federal prosecutors. The Justice Department said the department settled because both of its agencies were vested with gathering and presenting the evidence and that the department and the energy companies did not seek and receive the court record.
The chief prosecutor on the case, Kimberly A. Mays, the head of the Justice Department’s criminal division, acknowledged on Tuesday that if there was a second party that had not been identified it could still determine whether a full accounting of damages needed to be made before moving forward.
“We’re interested in trying to determine whether a crime was committed,” she said.
The hackers — well known as “The Syrian Electronic Army” — gained control of a handful of computers and stole credits from the Akamai Internet domain name system. Those customers used Akamai to develop various internal applications that powered websites, including those of CNN, Wired and NBC News.
The hackers commanded Akamai to redirect traffic back to servers at the Barbados Broadcasting Corporation and INICIX, a company that repurposes content for the Turkish and North African markets.
The hackers stole lines of credit worth $23 million.
The crime is classified under the first section of the Digital Millennium Copyright Act, which criminalizes unauthorized control of private information over computer networks.
That section, which does not generally require proof of intent to damage, has been used to prosecute such high-profile crimes as a 2014 case in which Jared Richard Pearman was sentenced to 10 years in prison.
Pearman, a malware designer, was convicted of operating a botnet — a network of computers that can be used to operate an otherwise unnoticed cyberattack. Prosecutors determined that Pearman’s botnet was bigger than the Citadel botnet, which was under attack at the time and led to the hit on the information highway.
“The special relationship between the United States and the Kingdom of Bahrain over the Internet dates back to the very birth of the Internet and Bahrain represents a vital connection for many American companies as they strive to create jobs and enter emerging markets,” Information Minister Khalid bin Ahmed Al Khalifa said at the time of the attack.
The attacker in 2011 was unknown.
But earlier this year, federal prosecutors in Texas announced the first criminal convictions related to the Colonial attack, charging two men, Sallawat Lestarananont of Thailand and Chansaiphon Thanamarinich of the Netherlands, with wire fraud, economic espionage and computer hacking.
The men are alleged to have caused a loss of $149 million by ordering refineries to switch their pumping systems to alternate fuels.
The case is Eastern District of Louisiana v. Toth, Eastern District of Texas v. Lestarananont,