FBI pins Colonial Pipeline cyberattack on DarkSide hacker group

‘We continue to work with the company and our government partners on the investigation’, FBI says

A shadowy hacker group called DarkSide has been accused by the FBI of being behind a ransomware attack on a key pipeline in the US.

“The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation,” the law enforcement agency said in a statement on Monday.

Colonial Pipeline operates one of the United States’ most crucial pieces of infrastructure: a 5,500-mile-long pipeline system that runs between Texas and New York.

Early reports on the ransomware attack pinned it on the DarkSide hacker group, which apparently took 100GB of data from the company in just a couple of hours and locked up much of its computer system before threatening to leak the stolen data unless a ransom was paid.

The FBI has been investigating DarkSide since October, according to Deputy National Security Adviser for Cyber & Emerging Technologies Anne Neuberger.

Ms Neuberger would not say whether Colonial had paid a ransom to the group, telling reporters on Monday: “Colonial is a private company and we’ll defer information regarding their decision on paying a ransom to them.”

Colonial Pipeline has not specifically said how much damage the attack did, but in a statement on Sunday it explained that once it established a ransomware attack was underway, it “proactively took certain systems offline to contain the threat”, a move that “temporarily halted all pipeline operations and affected some of our IT systems”.

This is far from the first attack launched by the DarkSide group, a relatively new cybercrime group that has established a name for itself in the last year.

According to the cybersecurity firm Varonis, since August 2020, DarkSide has become well known for the stealth and professionalism with which it carries out its “highly targeted” ransomware campaigns, as well as for its “deep knowledge of their victims’ infrastructure, security technologies, and weaknesses.”

The firm says that knowledge suggests, but does not prove, that among the group’s hackers are former IT security professionals.

Also notable, says Varonis, is the group’s Russian bent. “Our reverse engineering,” it says, “revealed that Darkside’s malware will check device language settings to ensure they don’t attack Russia-based organisations. They have also answered questions on Q&A forums in Russian and are actively recruiting Russian-speaking partners.”

If the statements the group has issued indirectly are to be taken at face value, this affinity for the Russosphere does not imply political motive. In a statement passed to CNBC by another cybersecurity firm after the Colonial attack, it claimed to have no particular agenda on that front.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” the group said in a new statement. “Our goal is to make money, and not creating problems for society. From today we intoduce (sic) moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

Who these “partners” are is not clear, but DarkSide is not unique in providing ransomware attacks on demand. When the group “launched” itself last year, Wired reported that “ransomware has gone corporate” – that while the group isn’t doing anything new in technical or tactical terms, it stands out with its carrot-and-stick approach of simultaneously locking up systems and seizing data to hold hostage with the threat of exposure.

Since the beginning, DarkSide has managed its reputation with level-headed, almost friendly statements disseminated via its site on the dark web. Along with explaining its rationale, motives and method, the group publicly draws lines about who it will and will not target, with medical, educational and non-profit organisations all supposedly spared.

Yet in its initial press release, first reported by Bleeping Computer, it also said it would not go after the “government sector” – raising the question of exactly why it has attacked Colonial Pipeline now. While clearly a private sector company, Colonial operates infrastructure vital to the energy needs of a huge chunk of the eastern US, and DarkSide’s attack forced it to shut down some of those systems.

The impact of that shutdown is not expected to hit everyday Americans, as long as operations can resume within a few days. That may indicate a degree of risk calculation on DarkSide’s part, something that would be of a piece with its previous operations. The real impact of the attack, however, may be to remind the US government and private sector just how vulnerable the nation’s infrastructure really is on the cyber front.
