Darkside and the Pipeline Hack

Started by Jacob, May 14, 2021, 06:48:06 PM

Jacob

So I just saw this;
Has anyone here seen more reporting on this? As someone who's been on the business end of this kind of attack, the possibility of these hackers getting fucked up a bit fills my heart with glee. Though personally, I would also like to see some serious cyber attacks on Russian infrastructure, to give them a bit of a taste of their own medicine.

I did think it was an interesting "oh shit" moment when Darkside, apparently, released a statement saying they were "apolitical" and didn't want to "attack infrastructure"... which is a bit rich coming from a group that frequently attacks hospitals and public transportation systems and the like.

Jacob

Here's the BBC article where they said they "didn't mean to create problems": https://www.bbc.com/news/business-57050690  :lol:

Sheilbh

Yeah - as someone who's also worked on this sort of attack I would be happy to see them fucked up :lol:

I think the threat of ransomware is one of the biggest low key risks we live with (and it's enabled by crypto-currencies) because it is not taken as seriously as it should be and there's not enough investment in good security, especially if someone gets into your systems. We've seen the impact in the UK where an accidental ransomware attack literally shut down huge chunks of the NHS's systems for several days - and just today there's been a similar thing hit Ireland's healthcare system.

Having said that - and obviously I'll trust US intelligence - but I can believe these guys are just apolitical criminals. My limited understanding is that there are some nation state backed groups that do this type of attack, but that most nation state groups tend not to be focused on shutting systems down (or extracting financial information). Again I've got limited knowledge and there's lots of different state sponsored groups, but from my understanding their aim is more typically to establish a permanent presence within your network that may be dormant most of the time - just occasionally communicating out of the network to keep the connection - and to extract other possibly more benign (so less protected) seeming information than, say, credit card details.

Edit: And actually from what I understand - the low-key stuff hitting normal non-key infrastructure companies is huge. There's a lot of money being paid to these groups. On the one hand this might deter them from infrastructure which is good, but I imagine they'd just try and hit more less essential companies to make up their income that way.
Let's bomb Russia!

viper37

Apparently, this group does not attack hospitals and other public civil services like schools. I do not know if they attack police stations, or even if their claims are true.
I don't do meditation.  I drink alcohol to relax, like normal people.

If Microsoft Excel decided to stop working overnight, the world would practically end.

celedhring

We've had a few ransomware attacks on utilities and transport companies over the years. By all accounts most of them seem largely apolitical, hackers saw a way in and wanted money, and given those are key companies they are most likely to buckle.

So, it indeed is a serious threat and I'm happy Uncle Sam is fucking them over.
Sheilbh

Great piece on this whole situation:
Quote
Welcome to DarkSide – and the inexorable rise of ransomware
John Naughton
The hacking of a US gas pipeline is proof that cybercrime is now a major industry – with its own trading markets and even CSR
Sat 15 May 2021 16.00 BST

On Friday 7 May, Colonial, the quaintly named operator of the pipeline that brings 45% of the US east coast's gasoline and jet fuel from Texas to New York, announced that it had been hacked. My initial assumption was that this was Russian retaliation for the Biden administration's punitive cyber-attacks on Russia in response to the SolarWinds hack. After all, if a pipeline like this isn't "critical infrastructure", what is? If so, were we not witnessing a significant escalation in information warfare between two nuclear-armed powers?

Fortunately, my overheated imagination turned out to be wrong, but the reality – in a way – is almost as interesting. On 10 May, the FBI announced that the attack on Colonial was caused by an outfit called DarkSide, which specialises in ransomware, and that the bureau had forced the company to halt its pipeline's operations so that it could carry out a full investigation into the breach.

So who or what is DarkSide? According to Intel 471, a security company that surveys the teeming cybercriminal ecosystem of the internet, DarkSide was first spotted in November 2020 on a Russian-language hacker forum, advertising for partners for a ransomware service. What it was pitching was a platform that "approved" cybercriminals could use to infect companies with ransomware and carry out negotiations and payments with victims. "We are a new product on the market," it burbled, "but that does not mean that we have no experience and came from nowhere. We received millions of dollars profit by partnering with other well-known cryptolockers. We created DarkSide because we didn't find the perfect product for us. Now we have it." Not long afterwards, its software was found to be behind several ransomware attacks on manufacturers and legal firms in Europe and the US.

According to Intel 471, in March 2021, DarkSide "rolled out a number of new features in an effort to attract new affiliates. These included versions for targeting Microsoft Windows- and Linux-based systems, enhanced encryption settings, a fully fledged and integrated feature built directly into the management panel that enabled affiliates to arrange calls meant to pressure victims into paying ransoms and a way to launch a distributed denial of service (DDoS)."

Note the reference to a "management panel". In conventional software packages, this would be called a "dashboard", a visual tool to enable non-technical managers to run a complex program without knowing anything about the code. The panel also seems to provide scripts for conducting negotiations with victims. Intel 471 monitored one of these conversations. "This is a lot of money," the victim writes. "My management needs a better understanding of what data you may have taken. Can you provide proof that you have our data?" Answer: "Yes will provide a sample for you." The victim continues: "When you receive payment you will not publish the attack or sell exfiltrated data?" Answer: "Of course not, you will get access to a server with data and will delete it yourself. Also we can provide you with a pentest [penetration test] report how you have been breached and what [you] need to improve."
You get the picture. This is awfully like the kind of dialogue you would see in a conventional business negotiation. What it shows is what the security expert Ross Anderson has been pointing out for years: that cybercrime has been industrialised and that one can analyse it using the methods and economic concepts that one would use if studying any burgeoning line of business.

In that sense, public discourse about cybercrime and its practitioners is way behind the curve. As Ross and his colleagues have shown, criminals are rational actors, not lone hackers with poor hygiene and a penchant for pizza. They see what they do as a low-risk activity with very high profit margins. And they operate in a networked world in which even large and wealthy companies are still failing to take computer security seriously. The significance of the Colonial hack is its confirmation of cybercrime as a major new industry.
Many years ago, I got my first insight into this underworld when a senior police officer took me on a virtual tour of this netherworld. We looked at the online markets in which stolen personal details were traded and the different prices at which various "products" were bought and sold. (PayPal logins attracted premium prices at the time; maybe they still do.) What it looked like was eBay for crooks. And the most striking thing was that in these marketplaces the traders seemed as anxious as you or I would be to establish reputations for reliability and quality. In some cases, there were even star rating systems like you'd see on Uber or, for that matter, on eBay. There may be honour among thieves, as the saying goes, but they still fretted about their online reputations. And DarkSide's claim that it has occasionally donated some of its profits to charity suggests an interesting new interpretation of "corporate responsibility". It's time we wised up to this new reality.

On the last point, I've seen stats from cyber-security experts on the reliability of different groups, i.e. whether you get your data back if you pay the ransom - and, in general, most of them are pretty reliable. It is weird because these are criminals, but they rely on building a market reputation to get the money.
Let's bomb Russia!

Oexmelin

Quite similar to the beginnings of feudalism.
Que le grand cric me croque !

dane

Quote from: Oexmelin on May 15, 2021, 10:27:30 PM
Quite similar to the beginnings of feudalism.
I'm not well versed on the beginnings of feudalism. Could you elaborate on that?

Jacob

Quote from: dane on May 15, 2021, 11:39:15 PM
Quote from: Oexmelin on May 15, 2021, 10:27:30 PM
Quite similar to the beginnings of feudalism.
I'm not well versed on the beginnings of feudalism. Could you elaborate on that?

Uh... who are you?

Syt

I am, somehow, less interested in the weight and convolutions of Einstein's brain than in the near certainty that people of equal talent have lived and died in cotton fields and sweatshops.
—Stephen Jay Gould

Proud owner of 42 Zoupa Points.

dane

I'm actually an American, but my name is Dane. :lol:

I've lurked here for a while but never really have anything to contribute. <_<

Crazy_Ivan80

Quote from: article on May 15, 2021, 09:39:46 PM
And DarkSide's claim that it has occasionally donated some of its profits to charity suggests an interesting new interpretation of "corporate responsibility".

That's hardly new: criminal organisations have been doing that for quite a while. Even terrorist organisations engage in charity.

Jacob

Quote from: dane on May 16, 2021, 01:44:10 AM
I'm actually an American, but my name is Dane. :lol:

I've lurked here for a while but never really have anything to contribute. <_<

Twelve years, according to your profile info. But now's the time. Welcome aboard. What brought you out of your bubble? Who are the five biggest jerks on languish?

The Brain

Women want me. Men want to be with me.