Who’s Really Behind the Colonial Pipeline Cyberattack?

When news of a ransomware attack on a national asset such as an oil pipeline makes the rounds — as it has in the case of the Colonial Pipeline cyberattack — the first conclusion is usually that this was the result of a nation-state attack. To be sure, countries such as Russia and China are continuously seeking ways to disrupt their geopolitical adversaries; however, the Colonial Pipeline case involving the DarkSide group is both unique and the sign of an important trend in what I like to call “gangsomware.”

The Story of DarkSide

It’s been widely reported that Colonial Pipeline was compromised by a Russian group named DarkSide. Their affiliate programs have been present in the cybercriminal underground since at least November 2020:

DarkNet Colonial Gas Pipeline Cyberattack


In February 2021 they went for a little hiatus to update their product and after a month they rolled out the new version in a separate forum thread:

Blog_Colonial Pipeline_02

Without directly claiming responsibility, DarkSide has responded to the news stories naming them by saying they are “apolitical” and are just in business to “make money.”

Here is the DarkSide-issued statement:

DarkSide Colonial Gas Pipeline_03 Information


What’s interesting in the above statement is that the group does not want to be associated with the Russian (or any) government, nor does it want to be seen as a “bad guy.” It’s my opinion that they got a bit overwhelmed by the media coverage and all the attention it brings to Russian cyber-offensive. I did not see any direct statements that “DarkSide equals Kremlin,” but there has recently been a lot of news related to Russian state-sponsored attacks (SolarWinds, for example) so I think the DarkSide statement was a preventive measure, to differentiate from the Russian government in the beginning.

Gangsomware and DarkSide

DarkSide wants to be utilized as a service organization — ransomware-as-a-service, to be exact. In fact, they have taken the 'service' part of their affiliate program to a new level of standard. They have service phone numbers, a ticketing system, and they actively ask press and recovery companies to engage with them. It also seems like they polished surrounding aspects of their production chain.

Blog_Colonial Pipeline_04
Blog_Colonial Pipeline_04

For example, a technically exceptional ransomware strain would miss out on potential payments if they lack the support systems mentioned above. DarkSide boasts to be one of the fastest in terms of encrypting the victim's files (they tested their ransomware against a competing program and also received praises from threat actors that tested). So, in short, not only is DarkSide’s malware sophisticated and constantly updated, but the organization itself also fine-tunes the extortion part with comfortable and easy-to-use interfaces and solutions.

The End Game

While DarkSide and other gangsomware groups may not intend to cause harm to society in their endeavors, the impacts of their actions are increasingly devastating at a local, national, and even global level. The Colonial Pipeline attack has severely crippled the US fuel supply chain by taking Colonial’s main pipelines offline for what will be days, and perhaps could become weeks.

The service organization model employed by groups such as DarkSide is an important trend in ransomware activities that are meant to maintain at least some level of decency making as much money as possible. For example, they do not target certain industries and services such as healthcare. While not specifically targeted toward bringing down critical infrastructure, these attacks are a wake-up call for organizations with related supply chains.


Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.