The DarkSide Hackers – TTG

“DarkSide is a relatively new ransomware strain that made its first appearance in August 2020. DarkSide follows the RaaS (ransomware-as-a-service) model, and, according to Hack Forums, the DarkSide team recently made an announcement that DarkSide 2.0 has been released. According to the group, it is equipped with the fastest encryption speed on the market, and even includes Windows and Linux versions. The team is very active on hack forums and keeps its customers updated with news related to the ransomware. In an effort to grow and expand their operations, the group has started an affiliates program for potential users.”

“Like many other ransomware variants, DarkSide follows the double extortion trend, which means the threat actors not only encrypt the user’s data, but first exfiltrate the data and threaten to make it public if the ransom demand is not paid. This technique effectively renders the strategy of backing up data as a precaution against a ransomware attack moot.”

“DarkSide is observed being used against targets in English-speaking countries, and appears to avoid targets in countries associated with former Soviet Bloc nations. The ransom demand ranges between US$200,000 to $2,000,000, and according to their website, the group has published stolen data from more than 40 victims, which is estimated to be just a fraction of the overall number of victims.”

“The DarkSide group is a relatively new player in the game of ransomware. Despite being a new group, though, the DarkSide team has already built itself quite a reputation for making their operations more professional and organized. The group has a phone number and even a help desk to facilitate negotiations with victims, and they are making a great effort at collecting information about their victims – not just technical information about their environment, but more general information about the company itself, like the organization’s size and estimated revenue.” 

Comment: IMO this is not a Russian government cyber operation. It is a Russian criminal enterprise, pure and simple. I spent years communicating with similar Russian hackers. They are often talented coders and criminally ingenious. Several of my “acquaintances” formed a group with the ostensible goal of striking at porn sites. They would appear to take over the target site’s web page and deface it with a rant about how perverted and dangerous they were. It was just a diversion. Their goal was to hack into the site’s payment system and steal the customer’s credit card data. The group’s leader explained this all to me. Not only would the porn site’s owner not realize their payment system was breached, but the customers would most likely not complain about the theft.

The Russian authorities, the FSB and perhaps the GRU, may have kept tabs on the DarkSide group and the individual hackers involved. They do that a lot. So do the Chinese. The Russian government sees these hackers as a farm team system and often reaches out to hackers of interest with an offer they can’t refuse. I’ve also known Russian hackers who have suffered this fate. They let me know of their new status in their own Russian hackspeak samizdat way.

Unfortunately for the DarkSide hackers, they are now most definitely under the unwanted burning glare of their government’s cyber officials. One of their affiliates made a mistake in targeting the Colonial Pipeline. Even if the hacker extortionists didn’t target the pipeline’s control system, they failed to anticipate Colonial’s shutting down that control system in response to the breach of their IT system.  Oops. Now they’ve attracted the gaze of the NSA and CYBERCOM as well. And all they wanted to do was make a little money. 

Such is the life of a pirate.

The linked article is from an Israeli cyber security company started in 2012 by several Israeli former military and intelligence cyber specialists. It does a fairly good job at describing the group and also has details about how the group’s ransomware code works. A lot of these companies are founded by former government security specialists. Some of the best also employ former dark hat and grey hat hackers. The Russians also successfully employ dark hat and grey hat hackers. I have always advocated that we do the same. Use these hackers as auxiliaries or controlled (semi-controlled) assets, something beyond our usual advertising for employees at the annual Defcon.

TTG

https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware


39 Responses to The DarkSide Hackers – TTG

  1. Sam says:

    What demands did these guys make?

    Clearly all core infrastructure needs a crash program to secure their assets from cyber attack from state actors and quasi-private actors?

    Noticed that Secretary of Energy Jennifer Granholm stated that pipelines are the most efficient means to transport fuel, yet the Biden administration canceled the Keystone pipeline. Hard being woke and delivering real infrastructural services for economic sustenance.

    • The Twisted Genius says:

      Sam, isn’t it obvious. They want money. The reason these systems are so vulnerable is the same reason. None of these companies are willing to spend money to secure and maintain their systems.

  2. A. Pols says:

    In Charlottesville, vehicles with “No Pipeline” bumper stickers have been spotted waiting in long lines for gas. The pipeline referenced by those stickers is the recently deep sixed natural gas pipeline intended to carry W. Va. and PA. natural gas to the Carolinas. Local luddites piled on the effort to stop that project, whose developers spent untold millions before giving up in the face of a Tsunami of lawsuits, all based on specious claims of environmental harm. After all, who needs pipelines? Everyone knows gas comes from gas stations, not pipelines.

  3. Deap says:

    Who supplies weapons to Hamas? Country of origin as well as cash….or is this dark side stuff too?

    • The Twisted Genius says:

      They make a lot of their own rockets based on Iranian supplied plans. Much is smuggled in through the Sinai. Palestinian sympathizers, of which Iran is the most active, supply Hamas any way they can. Yes, all this smuggling is dark side stuff.

      • English Outsider says:

        TTG – related to that, it would be valuable to have another summary of who’s where and who’s doing what in Syria. All a bit murky there now. A while ago I came across an MOD release, that a UK SF casualty had been airlifted out via Al Tanf. Left a lot of questions unanswered. What was he doing out beyond Al Tanf in the first place? Why announce the rescue when that’d normally be kept under wraps? They must have flown him out to Cyprus via Israeli airspace – what does that imply?

        Lots of questions and no answers, even over that one incident. And the recent leaks over the amount of money we’ve been putting into various shady operations in Syria has altered the picture about the extent of UK covert involvement there. I wondered if there was any chance of another bird’s eye view?

        But that’s off the subject you write about above. I had thought anything important was air-gapped these days. Looks like I’d better think again. But if your services infrastructure is anything like ours in Europe we needn’t worry about hostile elements messing it up. Some of it’s quite capable of falling apart by itself.

        • The Twisted Genius says:

          Air-gapped? The trend has been going 180 degrees from that for some time now. Refrigerators are connected to the internet. Seems damned near everything can be accessed from ubiquitous smart phones. A decade ago I was even uncomfortable about the direction systems were going at DIA. The control systems in our service infrastructure are ancient and not designed to be subjected to all this connectivity.

          For your other question, I’m not at all surprised about continued coalition casualties in Syria. We’ve been wedded to regime change in Syria for three administrations now. Our arming of jihadis was always ugly, but I had hope when we and the Brits sent a few SF and SAS to help the Rojava Kurds. Now even that turned ugly. I’m just about done with the addition and new roof for my garden shed so I’ll start researching Syria again fairly soon.

  4. Fred says:

    “Such is the life of a pirate.”

    We used to hang pirates. Perhaps we need to return to that cure. “None of these companies are willing to spend money to secure and maintain their systems.”
    Is that actually the decision Colonial made regarding their IT systems?

    • The Twisted Genius says:

      Colonial doesn’t upgrade their controlling hardware and software from stuff that is often two decades or more old. They keep their critical control systems connected to the internet and phone system. Encryption is weak or nonexistent. Manual backup systems are not maintained or manned. This is what they did. No one was holding a gun to their heads other than maybe the shareholders. Yes, that is the decision Colonial made.

      • Fred says:

        How do you know these things to be facts? Manual backup systems are not maintained? That’s a violation of both basic engineering principles and emergency preparedness standards (and probably federal law and state laws in multiple jurisdictions).

        • The Twisted Genius says:

          Colonial just today managed to open only a spur line in North Carolina manually. If they had the plan and resources to switch to manual control of their pipeline, they wouldn’t have had to shut it down at all when their IT system was hit by the ransomware. Their use of Windows NT on their controllers was widely reported. The NTSB warned that Windows NT on various SCADA systems, including for pipelines was a problem as far back as 2006.

          • Fred says:

            TTG,

            That’s hardly an answer to my question. Where are the reports of the control systems being hacked? There is a difference between ‘had to’ shut it down and ‘decided to’? Recall the decision making in blackout of 2003 where the control room team at First Energy didn’t want to lose money by isolating part of their grid, thus causing a major blackout costing billions of dollars in losses in the NE and Canada.

            On a bright and related note oil spills from this event are zero. Related specifically to their IT:

            “Marie Mouchet is Colonial Pipeline’s Chief Information Officer” ….. she was formerly ” Vice President and Chief Information Officer of Southern Company Operations & Southern Nuclear. ”
            “Marie is recognized … for her technology leadership, cybersecurity expertise, and overall business executive experience. … ”

            I know that doesn’t sound like the bio of noted international pipeline expert Hunter Biden, but I would say she’s not a rube nor ignorant of IT system vulnerabilities. When they start investigating what was hacked I recommend investigators make at least a glancing look for a disgruntled and perhaps woke insider who passed info along ‘for the cause’ ala Bradley Manning, or for money, or for both.

          • The Twisted Genius says:

            Fred, who said the control system was hacked? I certainly didn’t. I and every report I’ve read said the IT system was hacked and Colonial shut down their pipeline out of an abundance of caution. I applaud them for that decision. They obviously knew their pipeline control system was vulnerable. A tech audit of their systems in 2017 revealed major problems.

            “An outside audit… found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told The Associated Press. “We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”

            I’m sure Colonial didn’t want to risk another pipeline spill like last year’s gasoline spill in North Carolina. That was the largest spill ever in the Carolinas. Like I said, I applaud their decision to acknowledge that their pipeline control system was shit and totally shut the system down to avoid a disaster.

            I wish Marie Mouchet the best of luck in fixing the Colonial systems. It’s a tall order especially considering there are no national cyber standards for pipeline cyber security like there are for electrical grids. She’s got a clean slate to work with.

          • Fred says:

            TTG,

            Mr. Smallwood sounds like a man of impeccable integrity and not someone with multiple books and a podcast to sell. Unlike an 8th grader he took six months to write up his conclusions and far, far less time to make sure his name was mentioned world-wide.

            “I’m sure Colonial didn’t want to risk another pipeline spill …”

            You imply that was due to an IT issue.
            “I applaud their decision to acknowledge that their pipeline control system was shit ….”
            Where was that public statement by Colonial made, or is that just your conclusion?

            “There are no national cyber standards for pipeline cyber security like there are for electrical grids”

            That’s a great idea! More Federal Government Regulations! Which of Biden’s best will be writing those up for us?

            On a brighter note at least there is some idea of just which ‘private owners’ actually own the pipeline:
            “Originally founded by nine oil companies in 1962, Colonial is privately held. Its owners include a pair of private equity firms, a Canadian fund manager, a Koch Industries subsidiary and a subsidiary of Shell Midstream Partners. The company does not release earnings or revenue figures.”
            https://www.nbcsandiego.com/news/national-international/tech-audit-of-colonial-pipeline-found-glaring-problems/2603183/

          • The Twisted Genius says:

            I made no implication about the cause of that North Carolina spill. But now, after thinking about it, Colonial’s control system failed to detect the spill. It was discovered by two teenagers on their ATVs who happened to come across the spill.

            That was my opinion that Colonial shut down their pipelines out of an abundance of caution knowing their control systems were not up to par. However, they may not have had any altruistic thoughts at all. The IT system that was hit shut down their ability to charge customers for products flowing through the pipelines. It might be that they were just afraid of missing out on some profit.

  5. scott s. says:

    My brother runs network security for a good-sized company. It is a constant battle. Their AP people are under constant attack. He can’t just worry about his own systems, but also their vendors.

    • Deap says:

      Is the answer going back to quill pen and foolscap?

      Better hurry while some of us are still alive who can remember life before the digital revolution, before TV and before credit cards.

      Funny. Went to my bank today which formerly had the wide open floor plan with desks, unlike the caged-in rows of locked teller windows that I recall from my childhood. A recent remodel had re-created those closed in spaces …but this time for “covid”. What was old is now new. One should live so long.

      • different clue says:

        I don’t think we have to go all the way back to quill pen and foolscap. But is there any technological reason why we can’t go back to whatever we had in the 1940s when the Colonial Pipeline was first built? Or back to whatever we had in the 1950s and 1960s when it operated just fine without all this computerization?

        If it just means higher prices and less convenience, and more jobs for people again doing what computers now do instead of the people who were computerised out of their pipeline control jobs, is that a price worth paying in order to have hacker-immune analog pipeline infrastructure?

        • Leith says:

          1960s I thought, NOT 1940s. Or are you saying that Colonial’s pipeline uses pipage from the Big- and Little-Inch lines? Those are now owned by the Texas Eastern and are listed on the national register of historic places.

          • different clue says:

            Big-inch and Little-inch pipelines were historical details I did not know.

            So your reply leads me to change my question to basically . . . why can’t we go back to the 60s level of analog controls for these pipelines . . . which worked quite well so far as I know? If there is a reason we can’t, I will read the reason and consider.

            But otherwise, I wonder why we can’t re-analogify and de-digitize as many things as feasible to put them beyond reach of digital hackers? ( I don’t mean inherently digital things like computers. I realize we can’t de-digitize a computer. Or an Internet. I mean things like pipelines, reservoirs, railroads or at least of of them, cars, etc. And keep our houses dumm. I wouldn’t trust a house which is smarter than I am.)

  6. Keith Harbaugh says:

    “The Russian authorities, the FSB and perhaps the GRU, may have kept tabs on the DarkSide group and the individual hackers involved.”

    Can’t NSA do the same?
    You know, we’ve all read the stories of how NSA’s predecessors kept track of, indeed vacuumed up, all cable traffic entering America, based on its assumed relevance to national security.

    That ransomware attack on Colonial presumably involved certain packets flowing across the Internet from overseas to CONUS.
    Does not NSA have the ability to trace that data flow back to its source?

    Perhaps the answer to that question is classified.
    If so, I hope it is OK for you to say “The answer to that question is classified,”
    But maybe not: “Never Say Anything” 🙂

    Whatever tapdancing you can do on this subject would be appreciated 🙂

    • The Twisted Genius says:

      I left government service in 2011. At that time NSA either couldn’t capture and store every packet produced and surely couldn’t process everything they could capture. It’s my informed opinion that the idea that NSA sees and knows everything is a myth. There is a lot more traffic out there now than when it was just cable traffic, much more. They and the rest of the government couldn’t catch all the intrusions in their own networks. They were pretty good at studying traffic in hindsight if it was captured and much better at watching traffic they are specifically targeting. Surely they’ve made strides since 2011, but they are still far from omnipotent.

  7. akaPatience says:

    Thanks for the info TTG. But how do we know for certain the US IC doesn’t already employ “dark hat and grey hat” hackers?

    • The Twisted Genius says:

      As of 2011, the IC didn’t employ dark and grey hat hackers beyond a very few recruited sources and LE informants.

  8. prneost says:

    TTG, please enlighten us what systems did Colonial Pipeline use?
    especially, remote access/login and control/management software!… 😉

  9. Yeah, Right says:

    I’m curious: the Cybereason article you have based this on presents no evidence that DarkSide is a Russian operation.

    It could be based in any one of the 17 countries that the malware checks for, or, indeed, that list of excluded countries could be a crude attempt at misdirection on their part.

    What evidence have you seen that DarkSide is a Russian organization?

    • The Twisted Genius says:

      Several of the hackers associated with DarkSide have a long history with other Russian cybercriminal groups. They talk among themselves.

      • Yeah, Right says:

        OK, so that’s essentially guilt by association.

        Hmmm, dunno. Everyone accepts that DarkSide are a commercial venture, albeit a criminal one.

        Well, if you are in business then you have to spruik your wares and you have to build a customer base.

        Advertise, essentially.

        That hackers “associated with” Darkside (and what does that mean?) are big-noting themselves amongst the usual suspects seems pretty circumstantial evidence to me.

        Look, you may well be right, I don’t know.

        But if that’s your reasoning then I’d have “low confidence” in that conclusion.

        • The Twisted Genius says:

          By “associated with” I mean founded and runs the group. I don’t understand why there is so much reluctance to admit there are Russian cybercriminals. There are a lot of them and they are very good at what they do.

          Cisco put out a report of a series of interviews with a Russian ransomware hacker last December. It’s quite informative about the Russian “hacker scene.” It reminds me of the Sarah Gordon interviews with the Bulgarian virus writer known as Dark Avenger in the early 90s. That’s when the virus scene took off in Eastern Europe. The Bulgarian virus researcher, Vesselin Bontchev, appeared to be the Avenger’s arch nemesis. Some think the two may have been one and the same. I talked with Vesselin in Hamburg about that time. I tend to believe that theory.

          https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf

          There is also the case of the Russian hacker, Aleksei Burkov who was extradited to the US from Israel after Russia did everything except take him back to Russia, which was offered, to delay the extradition for four years. Aleksei was a big wheel among Russian cybercriminals as far back as the early 2000s. He pleaded guilty and is serving a 9 year sentence.

          https://krebsonsecurity.com/2019/11/why-were-the-russians-so-set-against-this-hacker-being-extradited/

          • Yeah, Right says:

            Oh, sure, I accept the notion that there are Russian cybercriminals. That is not something that I would ever dispute.

            But, then again, there are US cybercriminals, there are Ukrainian cybercriminals and – as you note – there are even notorious Bulgarian cybercriminals. Again, as you note, Eastern Europe is something of a cybercriminal hotspot.

            The question is this: is DARKSIDE a Russian cybercriminal enterprise, or is it associated with some other Eastern European country?

            Maybe it is. Maybe it isn’t.

            But from what you have written you haven’t really substantiated your claim that it is.

            Look, don’t get me wrong: I am keeping an open mind about this. But it would be nice to see something a bit more substantial than Russians Have Done This Sort Of Thing Before.

          • The Twisted Genius says:

            Your skepticism is perfectly reasonable. Years ago there was a series of penetrations that both JTF-CNO and NSA first attributed to China until they discovered the perpetrators were a couple of kids in California and Israel. Attribution has come a long way since then. But also remember that Russians are now the capi di tutti capi of the region’s cybercriminals and Russian is the lingua franca among them all.

      • nardami says:

        But so do the Ukrainians…remember the Emotet group? They were initially “identified” Russians until the Ukrainian police busted the ring: “Ukraine’s National Police said two citizens of Ukraine face up to 12 years in prison for their role in maintaining and operating Emotet, and other suspects have been identified.”
        https://searchsecurity.techtarget.com/news/252495463/Emotet-taken-down-in-global-law-enforcement-operation

        Furthermore, Saudi Arabia is one of the countries excluded by language in the protected group as is Azerbaijan…Ukraine also. Hmmm.

        • The Twisted Genius says:

          The Emotet botnet was used by many ransomware groups, Russian and otherwise. These cybercriminal groups can best be considered international in scope with a strong Russian focus. Perhaps that’s why that list of DarkSide excluded languages covers FSU and Syrian Arabic of all places.

      • tim s says:

        The wording in their “principles” sure doesn’t sound too Russian to me, unless the Ruskies have become as effeminate as our western “elites” in academia. Won’t attack non-profits, or the medical industry particularly wrt the covid “vaccine”, or their precious universities? Unless they’re trolling with these statements, they sound like our typical western-flavored commies.

  10. Leith says:

    So as I understand it we get CYBERCOM focusing on protecting DOD networks and CISA focusing on dot gov networks. Isn’t there another one for non-government networks? Where is the cyber NORAD type structure that would protect civilian critical infrastructure? Or at least public utilities, of which I had thought pipeline transport is considered.

    Regarding akaPatience question — Kim Zetter’s book Zero Day claims that back in the early days in addition to mathematicians and computer science graduates the government indirectly hired hackers who were wanted by law enforcement or who had criminal records. Not hired openly by NSA or the predecessors of CYBERCOM, but instead hired by defense contractors such as Booz Allen Hamilton, Northrop Grumman, etc. The recruitment was not only at DefCon in Vegas but also at HOPE in NY and other hacker conferences. No bibliography in her book and not many footnotes attributing her sources, so take it with a grain of salt. Do those people qualify as dark hat or gray hat?

    • The Twisted Genius says:

      CISA is supposed to be the lead agency for liaison and assistance to the entire US private sector as well as protecting the federal civilian computer networks. They’re far too small to handle all that right now and focus on critical infrastructure. I just found a good article last night on the history of CISA up to the end of 2019. The entire cyber defense and intelligence community has been in a constant state of flux for as long as I’ve been involved in it.

      https://www.politico.com/news/magazine/2019/12/18/america-cybersecurity-homeland-security-trump-nielsen-070149

      There was a small FBI office in Pittsburgh that had a successful info sharing program with the private sector by establishing a non-profit information sharing alliance funded by financial firms, internet companies and the federal government. I thought the FBI agent in charge was uniquely fit to run this and gain the trust of his private sector partners. He was very much unlike the typical FBI cop. I also knew Keith Mularski, another unique FBI agent who masqueraded as Master Splinter for several years to eventually take down a worldwide carding network. I still have the challenge coin they gave me with the acronym NCFTA-CIRFU. I have no idea if they’re still in operation.

      https://www.wired.com/2008/10/darkmarket-post/

      Concerning the dark/gray hats working for the government, I can think of Kevin Mitnick who actually did consult for the FBI. But this was only after his arrest, conviction and imprisonment. I’m sure some Beltway bandits hired some sketchy, but brilliant, techno-geeks. I’m certain they still do, but they are probably insulated/isolated from their government customers by the security clearance regime.

  11. Leith says:

    TTG –

    Thanks for those links. Best line from the Politico was: “the size of CISA’s total workforce nationwide was smaller than the average cybersecurity staff of a single Wall Street bank.”

    Liaison and assistance to the private sector seems not to be working. CISA needs an enforcement division and/or subpoena power, at least for public utilities. But they need to clean up their own house first. Unfortunately they could not even protect federal systems last year when multiple federal agencies (including DHS itself) were breached.

    IMO Colonial dodged a bullet. This attack could have been much worse if the darkside group had infected Colonial’s SCADA systems and PLC controllers to sabotage the pipeline itself. Son-of-STUXNET style?
