In the seemingly never-ending cascade of news headlines about hacks, data breaches and ransomware attacks like the one from this weekend executed by a Russian criminal gang against a major US fuel pipeline, the bad guys often appear as a kind of faceless, nearly-anonymous menace. Compared to almost any other time when reporters write about crime, actual flesh-and-blood characters usually emerge – whether in the form of mug shots, arrest details, or through eyewitness accounts and the like. The hackers on the other end of a computer crime, however, enjoy a certain degree of freedom to operate without being seen. If anything, the only thing we end up beholding is their handiwork, while we’re told by Very Serious Government Experts that the attack came from Iran, China, Russia or some other far-flung nation-state where hackers thrive.
When it comes to the Colonial Pipeline ransomware attack from this weekend, however, a series of fascinating details has been trickling out almost from the get-go about the Russia-based DarkSide ransomware gang that US experts pointed the finger at, and the DarkSide hackers themselves have even taken responsibility for the attack. In fact, the cybercriminals posted a kind of “oops” statement on their website, suggesting that what they were mostly after was money, not a significant attack on a major piece of US infrastructure.
And make no mistake, “major” is a pretty good descriptor for the implications of this attack on a pipeline network that carries some 45% of the fuel consumed on the US East Coast. As we noted previously, major installations like Hartsfield-Jackson Atlanta International Airport, which until this year was ranked as the world’s busiest airport, also receive fuel from Colonial Pipeline, as do military bases across the pipeline’s footprint. Ultimately, Colonial’s network encompasses some 5,500 miles of pipeline, and shutting it down in response to the hackers’ actions initially stranded a significant amount of gasoline, jet fuel and diesel along the Gulf Coast.
Colonial said it decided to take its operational network down out of an abundance of caution, even though it was the company’s IT network, not the pipeline control systems, that the Russian hackers hit: they stole almost 100GB of data before encrypting the network and demanding a ransom payment. That a compromise of the corporate network was enough to halt the pipeline itself is the part of this story that should worry anyone who runs industrial operations, since it shows how little confidence an operator may have in the boundary between its IT and OT environments once attackers are inside. Colonial’s entire website is actually down as of the time of this writing, though the company says it’s aiming to restore service to the pipeline by the end of the week. Meantime, as noted above, the DarkSide gang has taken the extraordinary step of coming reasonably close to an apology for the attack, stressing in the statement you can read below that “Our goal is to make money, and not creating problems for society.”
DarkSide ransomware gang, which shut down the largest oil pipeline in the U.S., posted a notice that their only goal was money. pic.twitter.com/uZUkWz6rpi
— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) May 10, 2021
And boy, does this gang have a sophisticated setup that, notwithstanding this latest attack, keeps the money rolling in nicely with a minimum of mainstream press scrutiny. That’s the opinion of experts like Lesley Carhart, a principal industrial incident responder with Dragos Inc., who tweeted: “They were doing a really good job of decimating businesses, including infrastructure — and everyone has been really quiet.”
Some key facts about DarkSide:
- The gang operates like a quasi-normal business, believe it or not. Danny Jenkins, CEO of ThreatLocker, told the IT and business security news site ThreatPost that DarkSide has “employees, costs, profits, and customer support.”
- DarkSide is actually a ransomware-as-a-service platform, according to cybersecurity-focused investigative reporter Brian Krebs. That means the core group builds and maintains the malware and the victim-facing infrastructure, while approved affiliates use the platform to infect companies and negotiate payment with victims, sharing the proceeds with the operators. Those affiliates have to follow the DarkSide rules, which forbid hitting targets like funeral homes, non-profits, and hospitals.
- That seems to hearken back to the DarkSide statement above. These guys want to get paid, so their aim is to attack targets that are actually able to pay up, as well as targets that won’t make them look, you know, evil. As of Tuesday afternoon, it hasn’t yet emerged whether Colonial Pipeline has paid a ransom or how much money the DarkSide gang demanded, but the group tends to require that victims pay anywhere from $200,000 to $2 million.
Along these lines, there’s a kind of FAQ on the DarkSide website that explains: “We only attack companies that can pay the requested amount, we do not want to kill your business.” At the top of that page, by the way, is verbiage of the sort you’d find on the About page of a tech startup, where DarkSide explains a bit about the platform it built for fellow ransomware attackers: “We created DarkSide because we didn’t find the perfect product for us. Now we have it.”
Cybersecurity journalist Kim Zetter, who’s been covering all this in her Substack newsletter Zero Day, notes that DarkSide’s money-making practices also extend to selling information about upcoming victims of its ransomware attacks so that other bad actors can short the victim company’s stock. Krebs has also found that back in March, DarkSide introduced a sort of call service integrated into the management web portal it provides to affiliate hackers, “which enabled the affiliates to arrange calls pressuring victims into paying ransoms directly from the management panel.”
The real-world side to all this, meanwhile, is the tangible consequences the Colonial attack is having beyond anything that played out on computer screens. The White House on Tuesday, for example, urged Americans not to engage in a run on gasoline stations as the Colonial shutdown extended for yet another day. Nevertheless, as of the time of this writing, gas stations in at least six states are reporting fuel outages, while the price and fuel tracker GasBuddy says that fuel demand in the Eastern US is up more than 30% this week compared to last week.