Who’s Really Behind the Colonial Pipeline Cyberattack?

Andrey Yakovlev
May 10th, 2021
When news of a ransomware attack on a national asset such as an oil pipeline makes the rounds — as it has in the case of the Colonial Pipeline cyberattack — the first conclusion is usually that this was the result of a nation-state attack. To be sure, countries such as Russia and China are continuously seeking ways to disrupt their geopolitical adversaries; however, the Colonial Pipeline case involving the DarkSide group is both unique and the sign of an important trend in what I like to call “gangsomware.”
The Story of DarkSide
It’s been widely reported that Colonial Pipeline was compromised by a Russian group named DarkSide. Their affiliate programs have been present in the cybercriminal underground since at least November 2020:

In February 2021 they took a short hiatus to update their product, and after a month they rolled out the new version in a separate forum thread:

Without directly claiming responsibility, DarkSide has responded to the news stories naming them by saying they are “apolitical” and are just in business to “make money.”
Here is the DarkSide-issued statement:

What’s interesting in the above statement is that the group does not want to be associated with the Russian (or any) government, nor does it want to be seen as a “bad guy.” It’s my opinion that they got a bit overwhelmed by the media coverage and all the attention it brings to Russian offensive cyber activity. I did not see any direct statements that “DarkSide equals Kremlin,” but there has recently been a lot of news related to Russian state-sponsored attacks (SolarWinds, for example), so I think the DarkSide statement was a preventive measure to differentiate themselves from the Russian government from the outset.
Gangsomware and DarkSide
DarkSide wants to be utilized as a service organization — ransomware-as-a-service, to be exact. In fact, they have taken the “service” part of their affiliate program to a new standard. They have service phone numbers, a ticketing system, and they actively ask press and recovery companies to engage with them. It also seems that they have polished the surrounding aspects of their production chain.


This matters because even a technically exceptional ransomware strain would miss out on potential payments if it lacked the support systems mentioned above. DarkSide boasts of being one of the fastest in terms of encrypting the victim’s files (they tested their ransomware against a competing program and also received praise from threat actors who tested it). So, in short, not only is DarkSide’s malware sophisticated and constantly updated, but the organization itself also fine-tunes the extortion part with comfortable and easy-to-use interfaces and solutions.
The End Game
While DarkSide and other gangsomware groups may not intend to cause harm to society in their endeavors, the impacts of their actions are increasingly devastating at a local, national, and even global level. The Colonial Pipeline attack has severely crippled the US fuel supply chain by taking Colonial’s main pipelines offline for what will be days and could become weeks.
The service organization model employed by groups such as DarkSide is an important trend in ransomware activities that are meant to maintain at least some level of decency while making as much money as possible. For example, they do not target certain industries and services, such as healthcare. While not specifically aimed at bringing down critical infrastructure, these attacks are a wake-up call for organizations with related supply chains.

Andrey Yakovlev
Andrey Yakovlev is Lead Security Researcher - Threat Intelligence at Rapid7, focused on intelligence hunting from the Russian Dark Web. He is an experienced professional with nearly 10 years of experience in the cybersecurity field. Andrey specializes in threat discovery, computer forensics and behavioral analysis of Trojans.