DarkSide is behind Colonial Pipeline cyberattack, FBI says. What to know about group

The group DarkSide is behind the Colonial Pipeline cybersecurity attack that caused the company to temporarily halt operations, the FBI said Monday.

The company, which says it’s the “largest refined products pipeline” in the country, said in a statement Saturday that it was the “victim of a cybersecurity attack” involving ransomware and that it took some systems offline to mitigate the threat — temporarily shutting down all pipeline operations.

Some smaller lines are operating again, the company said Sunday, but the main lines remain closed.

Multiple media outlets had reported that federal officials believed DarkSide to be a culprit in the attack, and the FBI said Monday it confirmed “DarkSide ransomware is responsible for the compromise.”

What is DarkSide?

DarkSide is a “professional” and “organized” group of hackers that uses a “double extortion” method, meaning the group encrypts its victims’ data and threatens to make it public if the victim doesn’t pay a ransom, according to cybersecurity technology company Cybereason.

Anne Neuberger, deputy national security adviser for cyber and emerging technology, told reporters Monday that the ransomware identified by the FBI is a “ransomware as a service” variant.

“Criminal affiliates conduct attacks and then share the proceeds with the ransomware developers,” she said.

DarkSide “cultivates a Robin Hood image of stealing from corporations and giving a cut to charity,” the Associated Press reports. It says that it does not attack hospitals, nursing homes, educational or government institutions and donates portions of what it takes to charity.

But, the AP reports, ransomware groups like DarkSide have collectively cost “Western nations” tens of billions of dollars over the past three years.

DarkSide’s ransom demands range from $200,000 to $2 million, Cybereason says. It’s reportedly published data from at least 40 victims.

The group said in a statement on its website that it is “apolitical,” CNBC reports.

“We do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” the statement said, according to CNBC. “Our goal is to make money and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

The FBI has been investigating DarkSide since October 2020, Neuberger said.

Experts who have been following it told Reuters that it “appears to be composed of veteran cybercriminals” with a goal of “squeezing out as much money as they can from their targets.”

“They’re very new, but they’re very organized,” Lior Div, the chief executive of Cybereason, told Reuters.

The Colonial Pipeline attack

Colonial Pipeline’s system runs more than 5,500 miles through the southern and eastern United States. The company says it transports more than 100 million gallons of fuel each day — or roughly 45% of “all fuel consumed on the East Coast.”

The shutdown has raised concerns about fuel shortages and increased gas prices in some areas of the country. But experts say the shutdown would need to continue for several days for consumers to feel effects.

The U.S. Department of Transportation’s Federal Motor Carrier Safety Administration on Sunday issued a regional emergency declaration for 17 states and Washington, D.C., in “support of relief efforts related to the shortages of gasoline, diesel, jet fuel and other refined petroleum products” because of the shutdown.

The declaration creates more flexibility for carriers and drivers, including an exemption from hours of service restrictions for those transporting fuel to the included areas.

Colonial said Monday its goal is to “substantially” restore operations by the end of the week.

“While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach,” it said. “This plan is based on a number of factors with safety and compliance driving our operational decisions.”

Neuberger did not answer questions about whether Colonial had decided to pay the ransom.

“Typically that is a private sector decision and the administration has not offered further advice at this time,” she said. “Given the rise in ransomware that is one area we’re definitely looking at now to say what should be the government’s approach to ransomware actors and to ransoms overall.”

Eric Goldstein, executive assistant director of cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, said in a statement that the agency is “engaged with the company and our interagency partners regarding the situation.”

“This underscores the threat the ransomware poses to organizations regardless of size or sector,” Goldstein said. “We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats.”