Lies from the DarkSide: Ransomware Gang Lied About Pipeline Attack

Jon DiMaggio
May 14, 2021

In May 2021, DarkSide, a Russian criminal gang, hacked Colonial Pipeline, the organization responsible for the largest gas pipeline spanning the east coast of the United States. However, the gang soon backtracked, claiming they did not intentionally hack the organization. Instead, they claimed it was an accidental infection caused by the gang’s partner affiliate, who assisted in the attack for a share of the ransom profit.

“From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” -DarkSide Ransomware Gang.

However, their statement does not hold up. DarkSide predetermines and selects every target before an attack and creates an individual ransomware payload for each. The payload infects and encrypts victim data and generates the ransom note. Each ransom note is tailored to the specific victim and includes a unique key and URL, as seen in Figure 1:

Figure 1: Ransom note with unique victim key and website URL

With the key, URL and payload compiled before the attack, DarkSide had to know who they were attacking before the attack was executed. This was also a major attack that locked down an entire network of operational systems, not an accidental infection of a few computers. Even without the evidence presented here, it is hard to fathom that an attack of this magnitude could be conducted accidentally.

Without the unique key and URL, negotiations cannot begin. Requiring a key prevents researchers or the media from establishing communications or pretending to be the victim in an attempt to extract information from the attacker. Pre-populating a key into each ransom note and payload means the attacker has to select the victim intentionally. Therefore, the DarkSide group itself, not its affiliates, is responsible for the ransomware payload: DarkSide had to create the payload for the Pipeline victim specifically.

Figure 2 below shows the key authentication window presented after the victim clicks on the unique URL included in their ransom note.

Figure 2: DarkSide victim key authentication window
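From an incident-response standpoint, the per-victim key and URL are the first indicators an analyst pulls out of a ransom note, and comparing them across samples is how you confirm the "one payload per victim" pattern described above. The following Python is an added example, not code from the article or from Analyst1: the note layout, the 64-hex-character key format and the .onion addresses are all constructed assumptions, not the real DarkSide format.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample ransom notes for two hypothetical victims. These are NOT
# real DarkSide notes: the layout, the 64-hex-character key and the .onion
# addresses are assumptions made for this example only.
SAMPLE_NOTES = {
    "victim-a": """
Your network has been encrypted.
The data is preloaded and will be automatically published if you do not pay.
Contact us at: http://exampleaaaabbbbccccdddd.onion/A1B2C3D4
Your key: 7f3c9a2e1b4d5f6a8c0e9d7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f
""",
    "victim-b": """
Your network has been encrypted.
The data is preloaded and will be automatically published if you do not pay.
Contact us at: http://exampleeeeeffffgggghhhh.onion/E5F6G7H8
Your key: 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9
""",
}

# Assumed formats: a 64-hex-character victim key on its own "Your key:" line,
# and a Tor (.onion) negotiation URL with an optional path component.
KEY_RE = re.compile(r"^\s*Your key:\s*([0-9a-f]{64})\s*$", re.IGNORECASE | re.MULTILINE)
URL_RE = re.compile(r"https?://[a-z2-7]+\.onion(?:/[A-Za-z0-9_-]+)?", re.IGNORECASE)


@dataclass(frozen=True)
class RansomNoteIocs:
    """Indicators recovered from one victim's ransom note."""
    victim: str
    key: str
    url: str


def parse_ransom_note(victim: str, note: str) -> RansomNoteIocs:
    """Extract the victim-unique key and negotiation URL from a note's text.

    Raises ValueError when either indicator is missing so that a malformed or
    generic note is noticed rather than silently recorded with empty fields.
    """
    key_match = KEY_RE.search(note)
    url_match = URL_RE.search(note)
    if key_match is None or url_match is None:
        raise ValueError(f"{victim}: ransom note lacks a key or a negotiation URL")
    return RansomNoteIocs(victim=victim, key=key_match.group(1).lower(), url=url_match.group(0))


def find_shared_keys(iocs: Iterable[RansomNoteIocs]) -> dict[str, list[str]]:
    """Map each key that appears under more than one victim to those victims.

    An empty result means every victim got its own key, i.e. the payloads were
    built per victim rather than from one generic build.
    """
    victims_by_key: dict[str, set[str]] = {}
    for ioc in iocs:
        victims_by_key.setdefault(ioc.key, set()).add(ioc.victim)
    return {key: sorted(victims) for key, victims in victims_by_key.items() if len(victims) > 1}


def build_url_watchlist(iocs: Iterable[RansomNoteIocs]) -> list[str]:
    """Distinct negotiation URLs, suitable for proxy or DNS alerting rules."""
    return sorted({ioc.url for ioc in iocs})


if __name__ == "__main__":
    parsed = [parse_ransom_note(name, text) for name, text in SAMPLE_NOTES.items()]
    for ioc in parsed:
        print(f"{ioc.victim}: key={ioc.key[:8]}... url={ioc.url}")
    print("shared keys:", find_shared_keys(parsed) or "none (one key per victim)")
    print("watchlist:", build_url_watchlist(parsed))
```

Running the block on the two constructed notes reports no shared keys; feeding it the same note text under a second victim label surfaces the collision, which is the check an analyst would run on samples from several intrusions before concluding the payloads were built per victim.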

Pre-Populated Data Posts

Another unique tactic used by DarkSide is how they populate victim data and messages on their data leak site. According to the ransom note, “The data is preloaded and will be automatically published if you do not pay.” DarkSide pre-loads stolen victim data so that it populates their data leak site once a predetermined time passes. If the victim pays, DarkSide halts the process. If not, a post leaking the victim’s data is released automatically. This, however, did not happen with the Colonial Pipeline attack. The attacker likely decided not to post the data due to the backlash from the US government after the attack took place. The attacker may want to preserve plausible deniability given the amount of attention the attack generated.

Activity Decline

The volume of victim data leak posts dropped significantly in May 2021. It is worth noting that, at the time of this writing, there have only been twelve days in May to compare against other months. Even so, the DarkSide attacker has made only one post to their data leak site in May. In comparison, within the first twelve days of April, DarkSide made eight posts, releasing small amounts of victim data. Similarly, DarkSide made a much higher volume of posts from January through March, as seen in Figure 3 below.

The DarkSide gang also “pinned” two older victim posts to the top of their victim list in May after the Pipeline attack took place. Yet DarkSide has still not posted any of the Pipeline data. The discrepancy may be an attempt to give the appearance that operations are continuing as usual.

Additionally, following the post DarkSide made to their website about the attack, many media outlets and researchers have questioned whether DarkSide and the Russian government are affiliated with one another. The DarkSide gang insinuates they have no Russian government affiliation in a post they made to their website’s press section on May 10th. The message is displayed in Figure 4 below.

Figure 4: DarkSide post regarding the pipeline attack

On 13 May, fuel once again began to flow through the pipeline, delivering gas across the east coast. As Colonial reinstated pipeline operations, President Biden released an executive order addressing new cybersecurity requirements and standards intended to improve the security posture of federal government computer networks and systems. While all of this took place, DarkSide’s infrastructure mysteriously went down. Adversaries sometimes move their infrastructure; however, this does not appear to be the case here. Instead, DarkSide’s data leak site simply no longer resolves. It is unclear what happened, but a US government takedown operation is certainly plausible.

Closing

Despite the attempt to distance themselves from the Russian government, it is worth noting that the aftereffect of the Pipeline disruption fits nicely with Russian tactics used in the past (e.g., attacks against Ukraine, Georgia, Estonia, etc.). This type of attack causes major gas outages, resulting in panic and doubt regarding the victim government’s ability to protect critical infrastructure. All of this fits the Russian government’s playbook of cyber operations. For now, we must treat this as a criminal attack, as more evidence is needed to make any government-affiliated attribution. However, even if criminals are the only perpetrators, the claim that the attack was accidental is laughable and simply not true.

*You can find the related indicators of compromise here.


Jon DiMaggio is the Chief Security Analyst at Analyst1 who specializes in cyber espionage and targeted attacks.