What We Know About DarkSide, the Russian Hacker Group That Just Wreaked Havoc on the East Coast

COMMENTARY Cybersecurity


May 20, 2021 4 min read
COMMENTARY BY

Former Research Fellow

Dustin was a research fellow for cybersecurity, intelligence, and emerging technologies at The Heritage Foundation.
Cyber and ransomware attacks have become more frequent and more severe in recent years, targeting schools, hospitals, corporations, and government networks. Rapeepong Puttakumwong / Getty Images

Key Takeaways

The ransomware attack on the Colonial Pipeline further demonstrates what cyberattacks—perpetrated by nonstate actors—can do to disrupt U.S. markets.

Putin has created an environment that gives flexibility to malicious actors in Russia to undermine the United States and their allies without direct guidance.

Now is the time for the U.S. to take the threat of cybercriminals seriously—and not turn a blind eye to the nation-states that harbor them.

It’s been less than two weeks since a criminal cyber gang known as DarkSide succeeded in shutting down a pipeline that transports 45% of the United States’ gas and fuel supply along the East Coast, causing severe outages from Georgia to Virginia. While Colonial Pipeline slowly resumed operation last week, service will likely be impacted in the near term.

Cyber and ransomware attacks have become more frequent and more severe in recent years, targeting schools, hospitals, corporations, and government networks. The ransomware attack on the Colonial Pipeline further demonstrates what cyberattacks—perpetrated by nonstate actors—can do to disrupt U.S. markets.

It also hints at how devastating a large-scale cyberattack, launched by a hostile nation-state, could be.

DarkSide, which surfaced in August 2020, has openly acknowledged that its malware was used by associates in the Colonial Pipeline attack. The group fashions itself as a modern-day cyber Robin Hood—making money off of the rich and even donating some to charity.

Ransomware platforms, like the one used in the Colonial Pipeline attack, usually operate through a routine of double or triple extortion: they demand payment both for the decryption key to unlock an organization’s files and servers and for a commitment to destroy any data stolen.

The organization is part of a constellation of criminal actors—long known in the cybersecurity world—that emanate from Russia and the former Soviet states, as well as North Korea, China, Syria, and Iran.

President Vladimir Putin provides safe harbor for these cyber criminals to operate in Russia as long as their malware and ransomware do not target domestic assets. As cyber expert Brian Krebs recently noted, many of these malware strains refuse to install on Windows systems if they detect that a Russian or Cyrillic keyboard layout is present.

“DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS)—former Soviet satellites that mostly have favorable relations with the Kremlin,” writes Krebs.

Although it is unknown if Putin knew specific details of the Colonial Pipeline attack in advance, he has created an environment that gives flexibility to malicious actors in Russia to undermine the United States and its allies without direct guidance or authority from the Kremlin.

This arrangement allows harm to occur to the Kremlin’s adversaries while allowing the Kremlin to maintain an arm’s-length distance from nonstate groups like DarkSide. It is also likely that many of these cyber criminals within Russia and the former Soviet states have military or intelligence backgrounds and previous cyber training.

The likelihood that Putin cracked down on those responsible is zero. If anything, Putin was likely pleased by the temporary chaos this created for the average American consumer and for the Biden administration.

Less than a week out from the pipeline coming back online, ransomware attacks are back up to the historical average, after dipping in the wake of the Colonial Pipeline attack. In fact, Ireland’s health care system is currently struggling with a brutal ransomware attack that has caused enormous problems as workers there continue to respond to the COVID-19 pandemic.

Back in the U.S., the damage done to Colonial Pipeline will be long-lasting. The company’s CEO, Joseph Blount, has now acknowledged that the company paid a $4.4 million ransom to DarkSide the day he was alerted to the attack, and that the company’s decision to shut down the pipeline was made to prevent the attack from spreading from its corporate systems to the pipeline’s operating systems.

After the decryption key was handed over, though, the company’s systems could not be brought back online quickly, and Blount claims they are still unable to properly bill customers. The long-term impact will likely cost the company “tens of millions of dollars,” he said.

As U.S. lawmakers, private sector leaders, and the Biden administration continue to respond to the ramifications of this attack, it is mind-boggling that President Joe Biden is reportedly handing Putin a win by waiving sanctions on the company in charge of completing the Nord Stream II pipeline.

The Nord Stream II pipeline project will allow Putin to extend his tentacles further into Europe and will cause economic harm to U.S. ally Ukraine—which is still reeling from Russia’s illegal annexation of Crimea.

Biden has boasted that nobody is tougher on Russia than he is. Helping Putin complete his pipeline just days after Russians shut down a U.S. pipeline proves that his actions do not match his rhetoric.

Now is the time for the U.S. to take the threat of cybercriminals seriously—and not turn a blind eye to the nation-states that harbor them.

This piece originally appeared in The Daily Signal.