[BreachExchange] What We Know About DarkSide, the Russian Hacker Group That Just Wreaked Havoc on the East Coast

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 20 15:28:10 EDT 2021


https://www.dailysignal.com/2021/05/20/what-we-know-about-darkside-the-russian-hacker-group-that-just-wrecked-havoc-on-the-east-coast/

It’s been less than two weeks since a criminal cybergang known as
DarkSide succeeded in shutting down a pipeline that transports 45% of the
United States’ gas and fuel supply along the East Coast, causing severe
outages from Georgia to Virginia. While Colonial Pipeline slowly resumed
operation last week, service will likely be impacted in the near term.

Cyber and ransomware attacks have become more frequent and more severe in
recent years, targeting schools, hospitals, corporations, and government
networks. The ransomware attack on the Colonial Pipeline further
demonstrates what cyberattacks—perpetrated by nonstate actors—can do to
disrupt U.S. markets.

It also hints at how devastating a large-scale cyberattack, launched by a
hostile nation-state, could be.

DarkSide, which surfaced in August 2020, has openly acknowledged that its
malware was used by associates in the Colonial Pipeline attack. The group
fashions itself as a modern-day cyber Robin Hood—making money off of the
rich and even donating some of it to charity.

Ransomware platforms, like the one used in the Colonial Pipeline attack,
usually operate through a routine of double or triple extortion: they demand
payment for the decryption key that unlocks an organization’s files and
servers, and a further ransom for a commitment to destroy any data that was
stolen.

The organization is part of a constellation of criminal actors—long-known
in the cybersecurity world—that emanate from Russia and its former Soviet
states, as well as North Korea, China, Syria, and Iran.

President Vladimir Putin provides safe harbor for these cybercriminals to
operate in Russia as long as their malware and ransomware do not target
domestic assets. As cyber expert Brian Krebs recently noted, many of these
malware strains refuse to install on Windows systems if they detect that a
Russian or Cyrillic keyboard layout is available.

“DarkSide, like a great many other malware strains, has a hard-coded
do-not-install list of countries which are the principal members of the
Commonwealth of Independent States (CIS)—former Soviet satellites that
mostly have favorable relations with the Kremlin,” writes Krebs.

Although it is unknown whether Putin knew the specific details of the
Colonial Pipeline attack in advance, he has created an environment that gives
malicious actors in Russia the flexibility to undermine the United States
and its allies without direct guidance or authority from the Kremlin.

This arrangement allows harm to be done to the Kremlin’s adversaries while
the Kremlin keeps nonstate groups like DarkSide at arm’s length. It is also
likely that many of these cybercriminals within Russia and the former Soviet
states have military or intelligence backgrounds and previous cyber
training.

The likelihood that Putin cracked down on those responsible is zero. If
anything, Putin was likely pleased by the temporary chaos this created for
the average American consumer and for the Biden administration.

Less than a week after the pipeline came back online, ransomware attacks
are back up to their historical average, after dipping in the wake of the
Colonial Pipeline attack. In fact, Ireland’s health care system is
currently struggling with a brutal ransomware attack that has caused
enormous problems as workers there continue to respond to the COVID-19
pandemic.

Back in the U.S., the damage done to Colonial Pipeline will be
long-lasting. The company’s CEO, Joseph Blount, has now acknowledged that
the company paid a $4.4 million ransom to DarkSide the day he was alerted
to the attack, and that the company’s decision to shut down the pipeline
was made to prevent the attack from spreading from its corporate systems to
the pipeline’s operational systems.

Even after the decryption key was handed over, though, the company’s
systems could not be brought back online quickly, and Blount says it is
still unable to properly bill customers. The long-term impact will likely
cost the company “tens of millions of dollars,” he said.

As U.S. lawmakers, private sector leaders, and the Biden administration
continue to respond to the ramifications of this attack, it is
mind-boggling that President Joe Biden is reportedly handing Putin a win by
waiving sanctions on the company in charge of completing the Nord Stream II
pipeline.

The Nord Stream II pipeline project will allow Putin to extend his
tentacles further into Europe and will cause economic harm to U.S. ally
Ukraine—which is still reeling from Russia’s illegal annexation of Crimea.

Biden has boasted that nobody is tougher on Russia than he is. Helping
Putin complete his pipeline just days after Russians shut down a U.S.
pipeline proves that his actions do not match his rhetoric.

Now is the time for the U.S. to take the threat of cybercriminals
seriously—and not turn a blind eye to the nation-states that harbor them.