Biden: FBI Says Ransomware Maker DarkSide Behind Colonial Pipeline Hack

About This Source - Bloomberg QuickTake: Now

Bloomberg L.P. is a privately held financial, software, data, and media company headquartered in Midtown Manhattan, New York City.

It was founded by Michael Bloomberg in 1981, with the help of Thomas Secunda, Duncan MacMillan, Charles Zegar, and a 12% ownership investment by Merrill Lynch.

Recent from Bloomberg QuickTake: Now:

  • U.S. Struggles to Stay Ahead of Virus as Delta Variant Surges
  • U.S. Struggles to Stay Ahead of Virus as Delta Variant Surges
  • Fight to Control Turkey’s Wildfires Burning Near Beaches Enters Sixth Day
  • Bloomberg Quicktake: Now published this video item, entitled “Biden: FBI Says Ransomware Maker DarkSide Behind Colonial Pipeline Hack” – below is their description.

    The Federal Bureau of Investigation attributed the massive Colonial Pipeline breach to ransomware created by a relatively new gang called DarkSide on Monday as new details emerged about the group accused of carrying out the attack.

    “The FBI confirms that the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks,” the agency wrote in a Monday statement.

    In its own statement, the DarkSide group hinted that an affiliate may have been behind the attack and that it never intended to cause such upheaval. Like some other ransomware groups, DarkSide offers to sell its malware to others in what is known as “ransomware-as-a-service,” according to the cybersecurity firm Cybereason.

    In a message posted on the dark web, where DarkSide maintains a site, the group suggested one of its customers was behind the attack and promised to do a better job vetting them going forward.

    “We are apolitical. We do not participate in geopolitics,” the message says. “Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

    Rob Lee, chief executive officer of the industrial security firm Dragos Inc., said that the distinction between DarkSide and affiliates doesn’t shift blame. “Whether they passed off the keyboard or not I don’t know,” he said. “But they’re responsible either way.” He added that the group may avoid targets that draw federal law enforcement attention in the future, but that most ransomware targets have implications for society.

    Colonial Pipeline halted all operations on its systems May 7 when it was hit with ransomware and is working to restore operations as investigators assess the damage. On Monday, Colonial pledged to restore deliveries of gasoline and other fuels to the eastern U.S. by the end of the week.

    The group’s message came after the White House announced over the weekend that it had pulled together an inter-agency task force to tackle the problem. The task force worked through the weekend to address the breach, including exploring options for lessening its impact on the energy supply, according to a White House official.

    While the inquiry remains in its early stages, some evidence has emerged linking DarkSide to Russia or elsewhere in Eastern Europe.

    The attackers are known by cybersecurity experts as a “Russian-speaking group that popped up last summer,” according to Dmitri Alperovitch, the chairman of Silverado Policy Accelerator and former chief technology officer of the cybersecurity firm Crowdstrike Holdings Inc.

    “Like many Russian cyber crime operations they specifically exclude Russian companies from being targeted by their malware,” he added in a statement.

    Lee said his teams at Dragos have responded to a few incidents involving DarkSide ransomware in recent months, including a U.S. power company that he declined to name. In those cases — which involve companies smaller than Colonial Pipeline — DarkSide ransoms were typically in the single-digit millions of dollars, Lee said.

    Dragos investigators didn’t pinpoint the group’s location. But Lee said that IP and email addresses found in the investigations were based in Russia. In addition, he said, DarkSide doesn’t typically work on systems operating in Russian and other Eastern European languages.

    The Russian Embassy in Washington didn’t immediately respond to a request for comment. The Kremlin has previously denied responsibility for hacking attacks.

    The hackers stole almost 100 gigabytes of data from Colonial Pipeline’s networks in just two hours on Thursday, before locking its computers with ransomware and demanding payment, according to two people familiar with the investigation.

    DarkSide has been identified as the suspected hacking group by two people familiar with the investigation and by Allan Liska, a senior threat analyst at the cybersecurity firm Recorded Future. The group first surfaced in August 2020, according to a blog post by the cybersecurity firm Cybereason.

    Bloomberg Quicktake: Now YouTube Channel

    Got a comment? Leave your thoughts in the comments section, below. Please note comments are moderated before publication.

    Leave a Comment