DarkSide was singled out by the FBI on Monday as being responsible for the cyberattack on Colonial Pipeline that shut down a major oil network over the weekend.
Here is what we know about the hacking group:
What is DarkSide?
DarkSide is a group of organized hackers selling ransomware hacking tools to other criminals to carry out attacks, according to Boston-based cybersecurity technology company Cybereason. The ransomware was first detected in August of 2020.
The geographical origin of the hacking group has not been confirmed, though Cybereason noted it does not target entities based in former Soviet countries. In a statement posted to the dark web that appears to address the Colonial cyberattack, DarkSide denied being connected to a foreign government, according to the Wall Street Journal.
On Monday, President Joe Biden said “so far,” there has been no evidence of involvement by Russian intelligence in the cyberattack but suggested the country “might have some responsibility” to deal with ransomware attacks, noting “there is evidence the actor’s ransomware is in Russia.”
Cybereason chief security officer Sam Curry told the Washington Examiner there is a “system of Russian-aligned languages” such as “Russian, Georgian, Turkmen, and Azerbaijani” that DarkSide hackers appear to avoid.
DarkSide has an “ethos” to appear ethical in its illicit practices, telling its customers who and what targets are acceptable to attack, Curry said.
The hacking group tells customers using its malware to avoid targeting organizations including hospitals, hospices, schools, universities, nonprofit organizations, and government agencies. Prime targets for the hackers include for-profit companies in English-speaking countries, Cybereason said in a blog post published on Monday.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” DarkSide said, according to a statement obtained by Cybereason from the hacking group.
The hacking group also claims it has donated a portion of the stolen proceeds to charities, though Curry said, “Those charities are not accepting it, they can’t take things like that.”
“It’s like Robin Hood stole 100 pounds of gold and gave what, a shilling to a kid somewhere, and that kid couldn’t take it,” Curry added.
What is DarkSide seeking?
The intruders took nearly 100 gigabytes of data out of Colonial’s network, based in Alpharetta, Georgia, in just two hours, according to two people involved in Colonial Pipeline’s investigation, Bloomberg reported Saturday.
Cybereason said the hacking group uses a technique called “double extortion” in its cyberattacks: it not only encrypts the victim’s data but also steals that data and threatens to publish it on a website called “DarkSide Leaks” if a ransom is not paid.
“This means the target is still faced with the prospect of having to pay the ransom regardless of whether or not they employed data backups as a precautionary measure,” Cybereason posted in a statement.
Typical ransom demands range from $200,000 to $2 million, according to Cybereason. The cybersecurity firm said hackers learn the size and scope of the companies they target in order to find out who the central decision-makers are within a firm.
Curry said the biggest takeaway from the attack is that hackers are exercising an illicit “business model,” adding that the practice poses a “real risk to critical infrastructure.”
What does DarkSide do?
Cybereason said the hackers used a new version of their malware, called DarkSide 2.0, adding that, “So far DarkSide tried breaching 10 of our customers, but we stopped it. Eight were in the U.S. and two in Europe.”
Peter Phillip, a Texas-based information technology expert who has over 20 years of experience leading organizations in technology solutions, said the “double attack” is a common practice among hacking groups.
“They’re building hacking toolkits that then they’re distributing, and people can hobble these together to do concerted, organized attacks against particular organizations or infrastructure, and this is what we saw here,” Phillip told the Washington Examiner.
Curry said two possible ways hackers enter a secured network are phishing or exploiting an existing vulnerability in the network.
Investigations will likely reveal the root cause of the breach at a later date. “We continue to work with the company and our government partners on the investigation,” the FBI said on Monday.
Cybereason said DarkSide has a reputation for being “organized” and “professional,” offering a help desk and a phone number for data breach victims.
What does the cyberattack mean for national security?
The hack is likely “the most significant, successful attack on energy infrastructure we know of in the United States,” energy analyst Amy Myers Jaffe told Politico.
Phillip agreed with Jaffe’s assessment, saying the cyberattack was significant in part because “This was done remotely by an organization not even based in the United States.”
Colonial is the largest refined fuel pipeline network in the United States and transports more than 100 million gallons per day, providing around 45% of fuel utilized along the East Coast. Operations at the refinery have been suspended since Friday, though the firm has said it plans to resume operations sometime this week.
Curry said the source country for the recent Colonial attack is hard to pinpoint because hackers can use “false flag operations that can pose as someone else.”
He added that “Russia has policies that make hacking easier,” noting that the country has “fostered an environment that encourages … irresponsible cyber behavior.”
Author: Editor @Investigator_51
This content is courtesy of, and owned and copyrighted by, https://conservativechoicecampaign.com and its author.