Colonial Pipeline Hack Was Not Intended To ‘Create Problems’

Russian criminal gang that hit major US fuel pipeline with ransomware attack, claim they are just seeking money, not creating ‘problems’

The highly damaging ransomware attack on a major US fuel pipeline has highlighted the dangers posed to critical infrastructure by cybercrime.

The United States has been forced to shut down the Colonial Pipeline following a ransomware attack carried out by the Russian criminal gang called DarkSide.

The hack of the pipeline took place on Thursday of last week, and on Friday evening the pipeline had to be shut down to stop the ransomware spreading.

Pipeline attack

This is a major attack on a critical piece of US infrastructure.

The Colonial Pipeline runs between Texas and New Jersey and is 5,500 mile long.

It carries 2.5 million barrels a day, which translates to 45 percent of the fuel supply for the US East Coast. It includes diesel, petrol and jet fuel.

And there are media reports that petrol stations along the east have already run short of fuel, and because the pipeline also serves Atlanta airport, a busy regional airhub for America, the Biden administration has had to invoke emergency powers to ensure no fuel shortages or transport chaos takes place.

During a speech about the economy at the White House on Monday, US President Joe Biden said that he was being “personally briefed” on the situation with the pipeline each day.

“The agencies across the government have acted quickly to mitigate any impact on our fuel supply,” he reportedly said. “We’re prepared to take additional steps depending on how quickly the company is able to bring its pipeline back up to capacity.”

The pipeline also serves 90 US military installations and 26 oil refineries.

Services for the Colonial Pipeline are still being restored as of Monday it is reported, although the operator’s website remains offline as of Tuesday morning.

The FBI has issued a statement in which it confirmed that a Russian group was responsible for the attack.

“The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks,” it said.

“We continue to work with the company and our government partners on the investigation.”

DarkSide response

The ransomware attack on this critical piece of US infrastructure has resulted in the criminal gang behind the attack, issuing an apology (of sorts).

DarkSide insisted they were not carrying out the attack for political purposes, but rather were just seeking to make money.

DarkSide reportedly targets English-speaking countries and is believed to operate out of one of the former Soviet republics.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” the DarkSide statement reportedly says.

“Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

DarkSide also said it would donate a portion of its profits to charities, although some of the charities have turned down the contributions.

“No matter how bad you think our work is, we are pleased to know that we helped change someone’s life,” the hackers wrote. “Today we sended [sic] the first donations.”

Typical ransom demands range from $200,000 to $20 million, CNBC reported.

Preventive measure

One security expert said the DarkSide statement shows that the criminals were concerned about the impact of their attack, and were keen to stress it is was not sanctioned by the Russian government.

“What’s interesting in the above statement is that the group does not want to be associated with the Russian (or any) government, nor does it want to be seen as a ‘bad guy’,” noted Andrey Yakovlev, security researcher at threat intelligence company, IntSights.

“It’s my opinion that they got a bit overwhelmed by the media coverage and all the attention it brings to Russian cyber-offensive,” said Yakovlev. “I did not see any direct statements that ‘DarkSide equals Kremlin,’ but there has recently been a lot of news related to Russian state-sponsored attacks (SolarWinds, for example) so I think the DarkSide statement was a preventive measure, to differentiate from the Russian government in the beginning.”

“While DarkSide and other gangsomware groups may not intend to cause harm to society in their endeavors, the impacts of their actions are increasingly devastating at a local, national, and even global level,” said Yakovlev. “The Colonial Pipeline attack has severely crippled the US fuel supply chain by taking Colonial’s main pipelines offline for what will be days, and perhaps could become weeks.”

“The service organisation model employed by groups such as DarkSide is an important trend in ransomware activities that are meant to maintain at least some level of decency making as much money as possible,” Yakovlev concluded. “For example, they do not target certain industries and services such as healthcare. While not specifically targeted toward bringing down critical infrastructure, these attacks are a wake-up call for organisations with related supply chains.”