FBI Links DarkSide Ransomware to Colonial Pipeline Hack

The FBI attributes the Colonial Pipeline breach to DarkSide, a relatively new ransomware gang.

Bloomberg News
3.1K views • May 10, 2021

About this video

On Monday, the Federal Bureau of Investigation attributed the massive Colonial Pipeline breach to ransomware created by a relatively new gang called DarkSide, as new details emerged about the group accused of carrying out the attack.

“The FBI confirms that the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks,” the agency wrote in a Monday statement.

In its own statement, the DarkSide group hinted that an affiliate may have been behind the attack and that it never intended to cause such upheaval. Like some other ransomware groups, DarkSide provides its malware to other criminals, known as affiliates, in what is known as “ransomware-as-a-service,” according to the cybersecurity firm Cybereason.

In a message posted on the dark web, where DarkSide maintains a site, the group suggested one of its customers was behind the attack and promised to do a better job vetting them going forward.

“We are apolitical. We do not participate in geopolitics,” the message says. “Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

Rob Lee, chief executive officer of the industrial security firm Dragos Inc., said that the distinction between DarkSide and affiliates doesn’t shift blame. “Whether they passed off the keyboard or not I don’t know,” he said. “But they’re responsible either way.” He added that the group may avoid targets that draw federal law enforcement attention in the future, but that most ransomware targets have implications for society.

Colonial Pipeline halted all operations on its systems May 7 when it was hit with ransomware and is working to restore operations as investigators assess the damage. On Monday, Colonial pledged to restore deliveries of gasoline and other fuels to the eastern U.S. by the end of the week.

The group’s message came after the White House announced over the weekend that it had pulled together an inter-agency task force to tackle the problem. The task force worked through the weekend to address the breach, including exploring options for lessening its impact on the energy supply, according to a White House official.

While the inquiry remains in its early stages, some evidence has emerged linking DarkSide to Russia or elsewhere in Eastern Europe.

The attackers are known by cybersecurity experts as a “Russian-speaking group that popped up last summer,” according to Dmitri Alperovitch, the chairman of Silverado Policy Accelerator and former chief technology officer of the cybersecurity firm Crowdstrike Holdings Inc.

“Like many Russian cyber crime operations they specifically exclude Russian companies from being targeted by their malware,” he added in a statement.

Lee said his teams at Dragos have responded to a few incidents involving DarkSide ransomware in recent months, including a U.S. power company that he declined to name. In those cases, which involved companies smaller than Colonial Pipeline, DarkSide ransoms were typically in the single-digit millions of dollars, Lee said.

Dragos investigators didn’t pinpoint the group’s location. But Lee said that IP and email addresses found in the investigations were based in Russia. In addition, he said, the DarkSide ransomware typically does not run on systems whose language settings are Russian or another Eastern European language.

The Russian Embassy in Washington didn’t immediately respond to a request for comment. The Kremlin has previously denied responsibility for hacking attacks.

The hackers stole almost 100 gigabytes of data from Colonial Pipeline’s networks in just two hours on Thursday, before locking its computers with ransomware and demanding payment, according to two people familiar with the investigation.

DarkSide has been identified as the suspected hacking group by two people familiar with the investigation and by Allan Liska, a senior threat analyst at the cybersecurity firm Recorded Future. The group first surfaced in August 2020, according to a blog post by the cybersecurity firm Cybereason.


Video duration: 2:57
