Come to the DarkSide: What We Know So Far

Josh Campbell|May 13, 2021
Blog

On 08 May 2021 yet another company announced that they had fallen victim to a ransomware attack. The victim — the Colonial Pipeline Company — manages the 5500mi long pipeline of the same name. It’s responsible for moving 3 million barrels of fuel between Texas and New York, every day. That is half of all the gas and diesel used on the east coast.

New call-to-action

The company announced that, in order to contain the threat, they had to shut down many of its systems. This has resulted in gas shortages making their way up the east coast of the United States, and long lineups at gas stations. It has also seen several states declare a state of emergency.

Darkside ransomware meme

The malware used in the attack has been identified as the DarkSide ransomware. The eponymous DarkSide malware uses a ransomware-as-a-service (RaaS) model. Cyborg Security first identified DarkSide when the author began to solicit partners in November 2020. The ransomware employs various MITRE ATT&CK tactics, techniques, and procedures (TTPs), including:

  • Windows and Linux compatibility
  • Code and Ransom Note Obfuscation (T1027)
  • Defense Evasion through Indicator Removal (T1070)
  • Create or Modify System Process (T1543)
  • System Service Discovery (T1007)
  • Process Discovery (T1057)
  • Data Encrypted for Impact (T1486)
  • C2 through Application Layer Protocol (T1071)
  • Inhibit System Recovery (T1490)
  • Data Destruction (T1485)
  • Execution Guardrails (T1480)

Their malware has previously been used to target two Brazilian state-run utility companies. Other firms have also linked the malware to attacks targeting American industrial operations. Still others have observed activity in Europe.

The actors responsible for the malware — the so-called ‘DarkSide” group — are not new to the ransomware scene. Indeed, they have been active as far back as at least August 2020, and probably much earlier. The group — which originates out of Eastern Europe — is also referred to by several pseudonyms, including:

  • Carbon Spider
  • Magecart Group 5
  • GOLD KINGSWOOD
  • Annual Carbanak

What is less apparent though is who is responsible for the attacks that crippled the Colonial Pipeline Company. While the Carbon Spider group operates the DarkSide ransomware, and may even use it, it is still uncertain if they are behind the attack, or merely facilitated it. Indeed, the group released a statement on 10 May 2021 that appears apologetic:

“… We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our [sic] motives. Our goal is to make money, and not creating problems for society. …” (emphasis theirs)\

This is not the first time Carbon Spider has appeared to act with a modicum of conscience. The group has previously stated that they do not attack hospitals, hospices, schools, universities, non-profit organizations, or government agencies. They’ve also claimed to donate a portion of their ill-gotten gains to charities like Children International and The Water Project. It is, however, unclear if that actually occurred.

So, if it wasn’t Carbon Spider that precipitated the attack, then who?

That may be harder to determine in the short term, and “who” may turn out to be a rather long list.

This is because there is a growing trend towards specialization in these attacks. It is no longer a single actor or group that is solely responsible. Instead, this has been replaced by groups and services that specialize in specific functions. Access brokers will perform the initial compromise, and then auction off access to the highest bidder. Credential stealing groups may harvest valid accounts that can be sold off in online auctions. So-called bulletproof hosting providers will host infrastructure while ensuring it remains highly accessible. Even the malware the actors use — as was the case with DarkSide — are delivered using a malware-as-a-service (MaaS) model. These service providers then act as a sort of proxy for dozens or hundreds of other actors. All of this means that tracking down the actor (or actors!) can be a difficult task.

We do know, though, that some previous DarkSide compromises have shared similarities in their TTPs, including:

  • Obtaining valid accounts (T1078) or conducting brute force attacks (T1110) against external services
  • Conducted malspam and phishing attacks (T1566) against desired targets
  • Exploiting critical vulnerabilities in remote access solutions (T1190)
  • Targeting exposed remote desktop systems (T1133)
  • Exfiltration of data using online services (T1567)
  • Using post-exploitation tools and frameworks, including Cobalt Strike (S0154) and Metasploit.

This means it may be possible, with time and evidence, to highlight a specific actor responsible. Carbon Spider has, though, also made a public statement that moving forward:

“… From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future …”

This may indicate that not only are they not responsible, but that they may in fact now moderate the activities of their affiliates. If true, this would be in keeping with their previous criminally philanthropic behaviours. However, it could also be that the group would simply like to avoid scrutiny of its activities by governments, globally. It remains to be seen, though, how effective this moderation will be.

The Colonial Pipeline attack serves as a clear warning for organizations. First, ransomware attacks continue to increase in volume and frequency. Adversaries no longer rely on their own knowledge and experience, but instead offload this to service providers. This lowers the bar to entry and allows adversaries to focus their efforts on the financial extraction process. Capitulating to these actors through ransom negotiations and payments will only serve to embolden them further.

Second, cyberattacks can have very real physical consequences. This has been proven time and again in inter-state conflicts, as well as in attacks like NotPetya and BadRabbit in 2017. Despite these warnings, though, much of world’s critical infrastructure remains either unguarded or underprepared. This attack should highlight that more needs to be done to protect critical infrastructure. Specifically, government and security teams need to introduce proactive defense into their security posture, and cannot rely wholly on reactive security solutions.

The DarkSide attack has highlighted that this critical infrastructure is not only at risk from state-sponsored espionage, but now common cybercrooks looking to make a buck.

New call-to-action

Blog

Josh Campbell

Threat Intelligence Lead
Follow Cyborg
  • Twitter
  • linked in

DISCOVER EVEN MORE

White Paper

September 2, 2021

Expectation vs Reality: Debunking 5 (More) Myths About Threat Hunting
Read more
White Paper

August 26, 2021

From a Global Man Hunt to a Cyber Threat Hunt
Read more
White Paper

August 19, 2021

Logs & You: Explaining Threat Hunting to Non-Threat Hunters
Read more

SUBSCRIBE TO OUR NEWSLETTER

Continue the Hunt
No thanks, maybe later.