Don’t Give Yourself to the Darkside
In this post we will not delve into Colonial Pipeline itself, though we will
mention some details about the company. Instead, our spotlight is on the
criminal gang that calls itself DarkSide, which was behind the attack: how it
operates, who its members are and, more importantly, how your company can
avoid becoming a victim of this kind of attack.
What happened?
The FBI confirmed that on May 7th the Colonial Pipeline networks were
attacked by the DarkSide ransomware gang. In response, the company took its
entire network offline for several days; in fact, as of the date this post is
published, the main pipeline is still shut. It has since become known that
the company already paid $5 million in cryptocurrency to decrypt the locked
systems (an amount that seems modest next to the $15 million its
cyber-insurance policy can cover).
Who are involved?
The Colonial Pipeline network transports almost half of the East Coast's
fuel supply, which is why prices at the pumps rose after the prolonged
shutdown. In total, the pipeline network is 5,500 miles long, the longest in
the country (see Figure 1).

Figure 1. Colonial Pipeline.
The pipeline's primary source is Texas, the state with by far the largest
number of refineries: Texas alone has more than 20, while the whole East
Coast has only seven. A disruption in the flow from that state therefore
paralyzed operations in several sectors, including seven of the country's
largest airports and five military bases (see Figure 2).

Figure 2. Pipelines flow.
Let's talk about DarkSide. The group first surfaced publicly in August 2020,
when it was spotted by MalwareHunterTeam (see Figure 3). DarkSide is perhaps
one of the most prominent exponents of the rising Ransomware-as-a-Corporation
(RaaC) trend. It differs from other ransomware groups in how it selects its
victims. An ordinary criminal relies on spoofing, smishing or phishing and
waits for someone to take the bait. DarkSide instead studies each potential
victim carefully, establishing its economic activity, income and expenses; it
then weighs the difficulty of the attack and its probability of success, and
looks for the company's most vulnerable point in order to start the attack
from there. Unlike well-known groups such as DoppelPaymer, Sodinokibi, Maze
and NetWalker, DarkSide is structured around a "business model." It is also
notable that the group has a code of "ethics" that prohibits it from
attacking hospitals, schools and government agencies. It has been reported
that it seeks the largest possible profit by going after big companies
while, at the same time, donating part of the money received through
ransomware. For example, in October 2020 it gave ten thousand dollars to
Children International and another ten thousand dollars to The Water
Project. Both NGOs rejected the donations.

Figure 3. DarkSide leaks.
How did it happen?
DarkSide infiltrated the Colonial Pipeline network and locked the data on its
computers and servers; to get that data back, the company had to pay what
the criminals asked. On top of that, they stole about 100 gigabytes of data
and threatened to publish it on the web. Although the details are not
precise, the group's modus operandi usually starts with (but is not limited
to) a phishing email that tricks an employee; once inside, the attackers use
penetration-testing tools to move laterally across the network. It can also
be assumed that the attack targeted the business (IT) side of the company
rather than the operational one. Apparently, the goal was not to bring the
pipeline down but to extort money from the company, as in previous cases. In
that sense, the core of the attack is not so different from a typical
ransomware attack.
DarkSide takes data from its victims' servers, encrypts the files in place,
uploads the stolen copies to its leak site (which is reachable only through
the Tor network, i.e., on the dark web), and then demands money to decrypt
them. The encryption is twofold: files are encrypted with Salsa20, one of the
fastest stream ciphers available, and the Salsa20 key is in turn encrypted
with an RSA-1024 key, so the files cannot be recovered without the private
key held by the criminals. Before encrypting, the malware also terminates
specific processes and services on the affected servers, so that files they
hold open can be encrypted as well. Finally, every encrypted file receives
the .DarkSide extension, and a ransom note is dropped as a .txt file with
the following text:

Figure 4. “Welcome to Dark.”
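As an added illustration (this is example code written for this edit, not code from the original post or from the DarkSide malware), the following stdlib-only Python script performs a first-pass triage of a file share for the traces just described: files renamed with the .DarkSide extension, a dropped ransom note, and files that should be plain text but whose content has the near-8-bits-per-byte entropy typical of Salsa20 ciphertext. The note markers, the entropy threshold and the sample directory are assumptions constructed for the example; the sample files are generated on the fly, with random bytes standing in for ciphertext.

```python
"""
Added example (not from the original post or the malware): a stdlib-only
triage script that walks a directory tree looking for the on-disk traces of
a DarkSide-style ransomware run. The sample tree it scans is constructed
here with random bytes in place of real ciphertext.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators assumed for this example; tune them for your own environment.
RANSOM_EXTENSION = ".darkside"          # compared case-insensitively
NOTE_MARKERS = (b"welcome to dark", b"your network was encrypted")
# 7.9 bits/byte or more is practically indistinguishable from random data;
# plain text usually sits around 4-5 bits/byte.
ENTROPY_THRESHOLD = 7.9
MIN_SIZE_FOR_ENTROPY = 256               # tiny files give noisy estimates
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".xml", ".html"}


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> list[str]:
    """Return the list of indicators that match a single file."""
    indicators = []
    suffix = path.suffix.lower()
    if suffix == RANSOM_EXTENSION:
        indicators.append("ransom_extension")
    data = path.read_bytes()
    if suffix == ".txt" and any(m in data[:4096].lower() for m in NOTE_MARKERS):
        indicators.append("ransom_note")
    # A file that should hold plain text but looks random was probably
    # encrypted in place (the note itself is excluded from this check).
    if (suffix in PLAINTEXT_EXTENSIONS
            and "ransom_note" not in indicators
            and len(data) >= MIN_SIZE_FOR_ENTROPY
            and shannon_entropy(data) >= ENTROPY_THRESHOLD):
        indicators.append("high_entropy_content")
    return indicators


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each suspicious file (path relative to root) to its indicators."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            hits = classify_file(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one clean file, two 'encrypted' files, one note."""
    (root / "finance").mkdir()
    (root / "finance" / "budget.csv").write_text("year,revenue\n2020,100\n" * 40)
    # os.urandom stands in for Salsa20 ciphertext in this constructed sample.
    (root / "finance" / "contracts.docx.DarkSide").write_bytes(os.urandom(16384))
    (root / "finance" / "notes.txt").write_bytes(os.urandom(16384))
    (root / "README.txt").write_text(
        "Welcome to Dark.\nYour network was encrypted. Visit the site to pay.\n")


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in sorted(demo().items()):
        print(f"{rel_path}: {', '.join(hits)}")
```

Run it as a script to print the findings for the constructed tree, or point `scan_tree` at a mounted share to triage real data. Entropy on its own is a weak signal (archives, images and already-encrypted documents are high-entropy too), which is why that check is restricted to extensions that normally hold plaintext; the extension and ransom-note checks are the precise indicators, and the entropy check is what catches files the malware encrypted before it was interrupted or that were renamed back.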
The gang lists every type of data it stole and sends the victim a URL to a
"personal website." The data is already uploaded there and scheduled to be
published automatically if the company does not pay before the deadline. If
that is not enough, the gang also threatens to delete the information from
the victim's network. In fact, it announced as much in a press release
posted on a Tor site in August 2020.

Figure 5. “If you refuse to pay.”
What have we learned?
President Biden himself said he is now paying close attention to the
cyberattack. In fact, on Wednesday, May 12th, the White House released an
Executive Order in which the Federal Government declares that it is going
to "improve its efforts to identify, deter, protect against, detect, and
respond to these actions and actors." The lengthy document is clearly
motivated by the DarkSide attack, but also by other recent incidents (surely
the Microsoft Exchange Server hack, the SolarWinds security fiasco and the
Facebook data leak). This means US law enforcement "are likely to be putting
significant resources into uncovering" the gang's identity. So it should not
be surprising that Congressman Jim Langevin (D-RI), chair of the House Armed
Services Subcommittee on Cybersecurity, Innovative Technologies, and
Information Systems, has said:
“Cybersecurity is the most urgent national security challenge facing our
nation, and I applaud President Biden for taking action early in his
term to address and eliminate glaring vulnerabilities.”
For all this, DarkSide seems to regret the social harm caused by its
criminal activity, and we can assume that is due not only to its "ethical
code" but also to the fact that it is now in the limelight. In this respect,
what Nicole Perlroth, a New York Times cybercrime reporter, said last Monday
is very telling:

Figure 6. @nicoleperlroth.
We also learned that ransomware can jeopardize not just companies but the
infrastructure of an entire country. This means, in turn, that companies and
governments must reinforce their cybersecurity, because they are not paying
enough attention to these risks: "the ONG (Oil & Natural Gas) industry is
unaware of potentially useful technologies that have been developed for
ensuring cyber-security of other infrastructure systems, such as the
electric grid." Robert Smallwood was one of the consultants who delivered an
89-page report in January 2018 after a six-month audit. He said last
Wednesday that the deficiencies and vulnerabilities in the cybersecurity
system were so severe that "an eighth-grader could have hacked into that
system."
All of this amounts to a costly and embarrassing lesson: prevention of
cybersecurity risks matters enormously. Never take it lightly; otherwise
there is no guarantee that you will not be attacked by the DarkSide.
For now, we will just recommend what they say throughout the Galaxy:
may the force be with you.
If you want to know more about how to protect yourself from cyberattacks,
we invite you to review our page. At Fluid Attacks we specialize in
cybersecurity through Pentesting and Ethical Hacking. For more information,
don't hesitate to contact us!
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Zárate. Read the original post at: https://fluidattacks.com/blog/pipeline-ransomware-darkside/

