‘DarkSide’ Is Probably Responsible for the Ransomware Attack Against Colonial Pipeline

• The Colonial Pipeline company appears to have been breached by the ‘DarkSide’ ransomware gang.
• The group hasn’t posted any announcements on their extortion portal, so they could be hesitant.
• The operations of the company are still severely disrupted, although the restoration process has begun.

On Saturday, ‘Colonial Pipeline’ announced that they fell victim to a cyberattack involving a ransomware strain. The company responded immediately by taking down its most critical systems in an effort to stop the malware from spreading. Considering that it's the largest pipeline operator in the U.S., responsible for carrying 3 million barrels (100 million gallons per day) of gasoline, diesel, and jet fuel between the U.S. Gulf Coast and the New York Harbor area, a range of entities is set for a massive economic disruption.

Yesterday, and following a preliminary investigation conducted with the help of a third-party expert, Colonial Pipeline has published an update. The company states that its four main lines are still offline, while some of its smaller lateral lines are slowly returning to normal operational status. The company's engineers are developing a system restart plan, but the restoration may take a while as safety and preventing the malware from getting out of control cannot be jeopardized.

Now, a report on Reuters claims that there is evidence pointing to the ‘DarkSide’ ransomware group of actors as responsible for the attack. DarkSide first appeared as a high-level RaaS in September 2020, inviting experienced and talented hackers to join the program and benefit from a lucrative deal. Some early 2021 hiccups weren’t enough to affect the group, which grew stronger by recruiting ransomware veterans looking to make a lot of money through prominent compromises.

The attack on Colonial Pipeline is the best example of that, as we’re talking about a critical energy provider in the country. U.S. President Joe Biden was almost immediately briefed on the incident, and the federal government has been working since the first moment to assess the implications and help the company minimize the fuel supply disruption as much as possible.

Interestingly, we see no relevant announcements on the DarkSide data leak and extortion portal, so maybe the actors feel that they bit more than they could chew this time. For sure, having the direct involvement of the FBI while trying to receive a massive ransom payment isn’t the ideal scenario for these crooks.

Another regrettable aspect of the story is that there have been multiple warnings to companies engaging in the sector, and in 2018, CISA launched the “Pipeline Cybersecurity Initiative.” In February 2021, the agency published a special online library aiming to provide companies like the Colonial Pipeline with useful resources (assessments, tools, services, guides, standards) on how to strengthen their cybersecurity posture.