When Colonial Pipeline took its gasoline lines down following a successful cyberattack last week, it became the most high-profile victim of a hacking group called DarkSide.
But DarkSide isn’t a single entity. It’s a media-savvy, semiprofessional startup and software supplier for an illicit market of hackers looking for a quick, easy way to breach and extort large businesses. In a ransomware game that, according to data from cryptocurrency tracker Chainalysis, produced $370 million in revenue for the criminals in 2020 in the form of ransom payments, DarkSide and its partners represent a dangerous new breed of underground business that works together to menace legitimate organizations across public and private sectors.
The security industry calls DarkSide’s business model “ransomware-as-a-service,” as it mimics the software-as-a-service model. First, provide financially motivated cybercriminals with the best software for stealing data and encrypting victims’ files over the internet via an easily accessible dark website. Second, provide the services around that software, such as tools that allow digital extortionists to communicate directly with their victims or get IT support. Third, share the rewards if a target pays the ransom.
DarkSide takes most of the cut. According to FireEye, the security company whose Mandiant division is helping the Colonial Pipeline recover, DarkSide takes 25% of ransom fees less than $500,000 and 10% of ransom fees above $5 million. Though that’s a sizable cut of the proceeds, the DarkSide operators make ransomware attacks so simple, customers keep coming. “It’s a great way of making quick money,” says Peter Kruse, founder and CEO of CSIS Security Group, which says it has seen various cybercrime actors using the DarkSide ransomware service. In the case of the Colonial Pipeline, DarkSide says a client using its software mounted the attack that shut the pipeline down.
To stand out from the crowd, DarkSide has promised the best encryption speeds to lock up computers faster than anyone else. It also supports attacks on both Microsoft Windows and Linux operating systems. Its marketing is working. Since emerging in August 2020, it’s leaked the data of more than 80 organizations. The identities of those who paid may never be known, notes ransomware tracker Brett Callow. “They’ve hit at least 114 organizations and they’ve published data from 83, so these didn’t pay (the ransom). Which means at least 31 did,” Callow says. Given that DarkSide users’ ransom demands range from $200,000 to $2 million, according to security startup Cybereason, it’s possible they’ve collectively made more than $30 million in just half a year. And, with KrebsOnSecurity reporting that the group negotiated an $11 million ransom with one victim company, the true figure is likely higher than that estimate. (A message to the DarkSide crew didn’t receive a response.)
Lax security may be helping the hackers. Before DarkSide’s malware can be deployed, its customers first need to have broken into a network, and DarkSide doesn’t provide that service. Kruse says DarkSide’s partners look for vulnerable devices that can be found by scanning the web. Once those systems are found, they can be exploited and a foothold gained on a target’s network. The attackers then need to take control of other connected computers and install the DarkSide software, which encrypts the victims’ data with keys the targets must pay a ransom to obtain.
Colonial Pipeline hasn’t yet revealed exactly how it was breached, though analyses of the company’s internet-facing systems by security experts identified a few avenues hackers could have used to poke holes in its defenses. There were, for instance, a large number of surveillance cameras attached to the company’s IT infrastructure, according to Derek Abdine from security company Censys.
And Bob Maley, a former PayPal security lead and now chief security officer at cyber defense startup Black Kite, says he saw open remote management and file sharing servers, which, if the hackers had somehow acquired logins, could have provided a path onto Colonial’s network.
“If I was going to hack that… I’d simply use a publicly available tool to connect to that port, run a little script and try all the credentials that I have, plus some of the common … default usernames and passwords,” Maley added. That “credential stuffing” attack could then provide enough network access to start finding a way to plant the ransomware.
There’s long been concern that critical infrastructure businesses aren’t well-prepared for the kinds of attacks described by Maley, even though they’re far from the most sophisticated attacks the internet sees every day. “Legacy industrial control systems and other similar infrastructures were primarily designed to keep information in and execute their control tasks dependably and consistently. Unfortunately, there were little or no provisions built in to adequately secure the systems and keep people out,” says Chris Piehota, a former FBI technology director.
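The credential-stuffing pattern Maley describes (one source trying many usernames, including vendor defaults, against an exposed management service) is easy to spot in authentication logs if anyone is looking. The following detector is an added example written for this article, not code from Forbes, Black Kite or any of the companies quoted; the log lines are constructed in sshd/auth.log style, the list of default usernames is an assumption, and the five-account-in-five-minutes threshold is a starting point, not a published standard.

```python
"""Flag credential-stuffing bursts in SSH-style auth logs (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in sshd/auth.log format; no real host or address.
SAMPLE_LOG = """\
May 10 02:14:01 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
May 10 02:14:02 gw sshd[4102]: Failed password for root from 203.0.113.45 port 51123 ssh2
May 10 02:14:03 gw sshd[4103]: Failed password for invalid user operator from 203.0.113.45 port 51124 ssh2
May 10 02:14:04 gw sshd[4104]: Failed password for invalid user support from 203.0.113.45 port 51125 ssh2
May 10 02:14:05 gw sshd[4105]: Failed password for invalid user guest from 203.0.113.45 port 51126 ssh2
May 10 02:14:06 gw sshd[4106]: Failed password for invalid user test from 203.0.113.45 port 51127 ssh2
May 10 02:14:09 gw sshd[4107]: Accepted password for operator from 203.0.113.45 port 51128 ssh2
May 10 02:20:11 gw sshd[4120]: Failed password for alice from 198.51.100.7 port 40002 ssh2
May 10 02:20:40 gw sshd[4121]: Accepted publickey for alice from 198.51.100.7 port 40003 ssh2
"""

# One regex for both failed and accepted sshd authentication lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Assumed list of account names commonly shipped as defaults on appliances.
DEFAULT_USERS = {"admin", "root", "operator", "support", "guest", "test", "user"}


def parse(log_text, year=2021):
    """Return (timestamp, source_ip, username, succeeded) tuples; syslog lacks a year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Map source IP -> finding for sources that failed against >= min_users
    distinct accounts inside `window`, noting whether a later login succeeded."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(ts, u) for ts, u, ok in evs if not ok]
        # Slide a window over the failures and stop at the first qualifying burst.
        for i in range(len(failures)):
            start = failures[i][0]
            users = {u for ts, u in failures[i:] if ts - start <= window}
            if len(users) >= min_users:
                # A success after the burst is the signal that matters most to responders.
                later_success = [u for ts, u, ok in evs if ok and ts >= start]
                findings[ip] = {
                    "distinct_users": len(users),
                    "default_users_tried": sorted(users & DEFAULT_USERS),
                    "succeeded_as": later_success[0] if later_success else None,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

Run against a real auth.log the only changes needed are the file read and the year; the second source in the sample (one typo'd password followed by a key-based login) is deliberately left out of the findings so the rule does not page on ordinary user mistakes.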
Personnel is another issue. Kruse and Maley noted that Colonial didn’t appear to have anyone in charge of cybersecurity. Colonial said its chief information officer, hired in 2017, led cybersecurity efforts, undertaking a review of its defenses and increasing total spending on IT, including cybersecurity, by more than 50% in the past four years.
A spokesperson told Forbes it had “robust protocols and software in place to detect and address threats proactively and reactively,” and that its third-party incident response team determined it was following “best practices” before the breach. Any speculation about the root cause of the incident would be premature and not informed by the facts, they added. They declined to comment on whether or not a ransom had been paid, and wouldn’t say how much the hackers had demanded.
The hack itself is just the first part of a modern-day ransomware swindle. DarkSide and similar groups have realized that they need to control the story, play the press and apply as much pressure to victims as possible to extract a ransom.
The added threat on top of all that data loss is public shaming. DarkSide and other groups’ dark websites aren’t just spaces for them to expose victims’ data. They’re places where they can attract media attention to amplify successes and, possibly, increase the ransoms as companies pay up to avoid reputational damage. The first of this new breed of publicity-friendly ransomware extortionist came in late 2019, with the emergence of Maze, which became infamous for attacks on U.S. schools. According to Callow, from security company Emsisoft, there are now about 30 groups doing much the same.
Another group, Babuk, has shown in the past month how devastating public shaming can be, after it hacked into the Washington, D.C., Metropolitan Police Department. When the police didn’t pay the $4 million ransom, Babuk started releasing the personal information of officers. In a new batch of data on 22 police officers released this week, the leaked information included psychological assessments, social security numbers, financial data and marriage histories. Babuk even posted conversations between itself and the department, in which the latter apparently tried to lowball the crew with a $100,000 ransom offer. Babuk rejected the offer. The police department has previously acknowledged the attack but hadn’t responded to requests for comment at the time of publication.
DarkSide has used a different tactic to try to improve its public image, presenting itself as a kind of Robin Hood hacking organization, giving a small portion of stolen funds to charity, offering short-sellers advance information so they can bet on a victim’s stock tanking, and promising not to attack certain industries: hospitals, funeral services, schools, universities, nonprofits and government organizations. It even claims to only permit attacks on companies it knows can afford to pay, saying, “We do not want to kill your business.”
As the group wrote on its dark web “press center” earlier this week: “Our goal is to make money, and not creating [sic] problems for society.” One victim, Dalton, Georgia-based carpet manufacturer Dixie Group Inc., disclosed a ransomware attempt affecting “portions of its information technology systems” earlier this year.
With the Colonial Pipeline, DarkSide apparently realized too late that one of its partners had targeted an industry that served a huge number of consumers with gasoline and subsequently promised to “introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” Now the world has its eyes on the hacking group. In a “flash notice” to the cybersecurity industry and government agencies this week, the FBI said it has been investigating DarkSide since October, just two months after it emerged.
Its investigators and global partners have had increasing success against malware operators in recent months, the most significant in January, in which the U.S. Justice Department said it had participated in a multinational operation to disrupt and take down infrastructure of the malware and botnet known as Emotet. Described by experts as the most dangerous malware in the world, Emotet offered criminals access to personal and company computers. As with DarkSide, many criminals paid Emotet’s operators to install ransomware. Authorities made arrests of alleged administrators, who face charges in Ukraine, though they’ve yet to go on trial.
Despite that case and the blueprint it laid down for future cyber investigations, the only authorities DarkSide appears to fear are Russian-speaking: Its malware won’t work if it detects its victim is Russian. This has led to accusations that the Kremlin either supports or harbors criminals that target Western businesses, something Putin’s government has staunchly denied.
Dmitri Alperovitch, cofounder of cybersecurity company CrowdStrike and now executive chairman at the Silverado Policy Accelerator nonprofit, says there’s no evidence DarkSide has obvious links to Russian intelligence, adding, “Given their long past history of willful harboring of cybercrime, I don’t think it matters.”
I’m associate editor for Forbes, covering security, surveillance and privacy. I’m also the editor of The Wiretap newsletter, which has exclusive stories on real-world surveillance and all the biggest cybersecurity stories of the week. It goes out every Monday and you can sign up here: https://www.forbes.com/newsletter/thewiretap
I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice, Wired and the BBC, amongst many others.
Tip me on Signal / WhatsApp / whatever you like to use at +447782376697. If you use Threema, you can reach me at my ID: S2XY9B9U.
If you want to tip me with something sensitive, get in contact on Signal or Threema, and we can use OnionShare. It’s a great way to share documents privately. See here: https://onionshare.org/