Colonial Pipeline hack: DarkSide’s claim to be apolitical doesn’t carry much weight
The DarkSide hackers behind the Colonial Pipeline attack are presenting themselves as Robin Hoods, claiming to give some of the ransom money to charity. It is not that different from the greenwashing corporations engage in to build a more appealing image for their employees.
Colonial Pipeline halted operations on thousands of miles of pipeline Friday after the DarkSide hackers forced a shutdown by taking the company's data hostage. Stel Valavanis of Chicago-based onShore Security suspects that many organizations like this are not adequately prepared for cyberattacks, not because cybersecurity is expensive but because it is time-consuming.
“Every organization is different, but from my experience, generally, organizations are not adequately prepared. When I say adequate, I mean as prepared as they could be with really well-known methods and, frankly, not necessarily terribly expensive methods,” he told CyberNews during an interview.
Organizations tend to be deficient in areas such as policy adherence, data collection, and auditing.
“I believe anybody in the cybersecurity community would agree very strongly that it is that governance risk compliance stuff where they tend to be weak. It is harder to do because it takes time and time from the leadership team rather than just buy something and stick it in there,” Valavanis said.
After gaining initial access to the pipeline company’s network, DarkSide actors deployed DarkSide ransomware against the company’s IT network. In response to the cyberattack, the company reported that it proactively disconnected certain OT systems to ensure their safety. At this time, there are no indications that the threat actor moved laterally to OT systems.
DarkSide is ransomware-as-a-service (RaaS) — the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.”
According to a joint advisory recently published by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), DarkSide actors have been targeting multiple large, high-revenue organizations since August 2020, resulting in the encryption and theft of sensitive data. The DarkSide group has publicly stated that it prefers to target organizations that can afford to pay large ransoms rather than hospitals, schools, non-profits, and governments.
After the Colonial Pipeline attack, the ransomware group released a public note claiming they are after money, not chaos. They also claimed to be apolitical. Valavanis was surprised to hear from the criminals. He believes they want to be apolitical, but that the statement does not carry much weight.
“For the most part, I do accept that they are not political, but it is not a fully valid claim anyways. They do get cover from Russia. It is fairly obvious that they do because that organization has not targeted Russian companies before. Maybe they intend to be apolitical, but it becomes a political issue,” he said.
Even though they might not be taking orders from the Russian government, they are, according to Valavanis, doing what the Russian government would want them to do anyway. The claim to be apolitical might have been made to calm down other cybercriminal groups that want to stay off the radar of the US government.
“Nobody wants the sleeping giant - the US government - to get really serious about attacking cybercriminals. Not that they have not done anything, but to increase that would be problematic. That might be more the intention of that message rather than to sound like good guys,” he said.
The DarkSide gang is also claiming that they are donating some of the ransom money to charity.
“It’s almost out of a movie, isn't it?” Valavanis asked. It might be a message to the young people that cybercriminal groups are trying to recruit. Some criminals outside the developed Western countries have claimed they felt they were doing something significant and admirable, like countering the power of the West.
“It carries weight, particularly with young people who they are very likely hiring to do some of this work. It is possible the messaging is meant for their employees. Just like big corporations here do a lot of greenwashing and whatnot. I bet there is also some posturing to governments that are covering for them,” Valavanis said.
The attack itself was not enough to impact the US or the world economy, he believes. But it should serve as a wake-up call, because the attack could have been more widespread and had more severe consequences.
It is unclear whether Colonial Pipeline has paid the ransom. CISA and the FBI do not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.
However, some experts reckon that cybercriminals usually keep their end of the bargain, to send a message to future victims that paying the ransom is worth it. Also, insurance companies commonly pay the ransom as quickly (and as quietly) as possible to minimize disruption. It remains a major point of controversy in the cybersecurity industry.