Colonial Pipeline Ransomware Attack
Published 12 May 2021
- Colonial Pipeline, operator of the largest refined-products pipeline system in the US, reported a ransomware attack
- The company subsequently shut down its pipeline operations
| Field | Value |
|---|---|
| Advisory Type | Adversary Intelligence |
| Attack Type | Ransomware Attack |
On 07 May 2021, Colonial Pipeline, the United States based operator of the country's largest refined-products pipeline system, reported a ransomware attack. The incident led to the shutdown of its pipeline operations. After investigating the incident, the Federal Bureau of Investigation (FBI) attributed the attack to the Darkside ransomware group. Around 100 GB of data was allegedly stolen in the attack, and the threat actors have threatened to release the data if the ransom is not paid.
Darkside (ref Advisory on Darkside Ransomware) is a RaaS (Ransomware-as-a-Service) program in which the developers of the ransomware advertise it on cybercrime forums and recruit affiliate operators who deliver the ransomware and infect targets.
As per their campaign advertisements, the Darkside gang refrains from targeting the following sectors. The exclusion of the CIS region in particular circumstantially points to a financially motivated group operating out of Eastern Europe:
- Medicine (only hospitals, palliative care organizations, nursing homes, companies that develop and participate (largely at the supply chain level) in the distribution of the COVID-19 vaccine).
- Funeral services (Morgues, crematoria, funeral homes).
- Education (Universities, schools).
- Public sector (municipalities, state bodies).
- Non-profit organizations (charitable foundations, associations).
- Organisations in the CIS region (including Georgia and Ukraine)
Darkside handles on cybercrime forums posted the following two threads, in November 2020 and March 2021 respectively:
Nov 2020: The first post advertising the Darkside RaaS appeared on the forum. The advertisement listed the targeted operating systems along with the encryption algorithm used for each:
- OS: Windows | Encryption Algorithm: Salsa20 + RSA 1024
- OS: Linux | Encryption Algorithm: ChaCha20 + RSA 4096
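Both advertised schemes are hybrid constructions: a fast stream cipher (Salsa20 or ChaCha20) encrypts file contents, and RSA wraps the per-file symmetric key so that only the holder of the operator's private key can recover it. The Go program below is an added illustration of that construction; it is not Darkside code or a reconstruction of its binary. It assumes ChaCha20 as specified in RFC 8439 and RSA-OAEP with SHA-256 for the key wrap (the adverts name only the algorithm families; the padding scheme, nonce handling and the on-disk layout in `EncryptedFile` are assumptions made here), and the names `GenerateOperatorKey`, `EncryptFile` and `DecryptFile` are hypothetical helpers.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// chachaBlock returns one 64-byte ChaCha20 keystream block (RFC 8439, section 2.3).
func chachaBlock(key [32]byte, counter uint32, nonce [12]byte) [64]byte {
	var s [16]uint32 // constants | key | counter, nonce
	s[0], s[1], s[2], s[3] = 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574
	for i := 0; i < 8; i++ {
		s[4+i] = binary.LittleEndian.Uint32(key[4*i:])
	}
	s[12] = counter
	for i := 0; i < 3; i++ {
		s[13+i] = binary.LittleEndian.Uint32(nonce[4*i:])
	}
	x := s
	qr := func(a, b, c, d int) { // RFC 8439 quarter round
		x[a] += x[b]; x[d] = bits.RotateLeft32(x[d]^x[a], 16)
		x[c] += x[d]; x[b] = bits.RotateLeft32(x[b]^x[c], 12)
		x[a] += x[b]; x[d] = bits.RotateLeft32(x[d]^x[a], 8)
		x[c] += x[d]; x[b] = bits.RotateLeft32(x[b]^x[c], 7)
	}
	for i := 0; i < 10; i++ { // 10 double rounds = 20 rounds
		qr(0, 4, 8, 12); qr(1, 5, 9, 13); qr(2, 6, 10, 14); qr(3, 7, 11, 15) // columns
		qr(0, 5, 10, 15); qr(1, 6, 11, 12); qr(2, 7, 8, 13); qr(3, 4, 9, 14) // diagonals
	}
	var out [64]byte
	for i := range x {
		binary.LittleEndian.PutUint32(out[4*i:], x[i]+s[i])
	}
	return out
}

// chachaXOR encrypts or decrypts data with the keystream from block counter 1 onward; it is its own inverse.
func chachaXOR(key [32]byte, nonce [12]byte, data []byte) []byte {
	out := make([]byte, len(data))
	for off, ctr := 0, uint32(1); off < len(data); off, ctr = off+64, ctr+1 {
		ks := chachaBlock(key, ctr, nonce)
		for i := off; i < len(data) && i < off+64; i++ {
			out[i] = data[i] ^ ks[i-off]
		}
	}
	return out
}

// EncryptedFile models what the payload leaves on disk (assumed layout): the ChaCha20 key is present only RSA-wrapped.
type EncryptedFile struct {
	Nonce      [12]byte
	WrappedKey []byte
	Ciphertext []byte
}

// GenerateOperatorKey stands in for the RSA key pair the RaaS operator holds (hypothetical helper).
func GenerateOperatorKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// EncryptFile is the victim-side step: fresh key and nonce per file, stream-cipher the
// content, then RSA-OAEP wrap the key with the public key embedded in the payload.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	var key [32]byte
	var nonce [12]byte
	if _, err := rand.Read(key[:]); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce[:]); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key[:], nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{Nonce: nonce, WrappedKey: wrapped, Ciphertext: chachaXOR(key, nonce, plaintext)}, nil
}

// DecryptFile is the operator-side step sold back to the victim: unwrap the per-file key with the private key, replay the keystream.
func DecryptFile(priv *rsa.PrivateKey, f *EncryptedFile) ([]byte, error) {
	raw, err := rsa.DecryptOAEP(sha256.New(), nil, priv, f.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	var key [32]byte
	copy(key[:], raw)
	return chachaXOR(key, f.Nonce, f.Ciphertext), nil
}

func main() {
	priv, _ := GenerateOperatorKey(2048) // advert lists 1024 (Windows) and 4096 (Linux); 2048 keeps the demo quick
	enc, _ := EncryptFile(&priv.PublicKey, []byte("constructed sample, not incident data"))
	dec, _ := DecryptFile(priv, enc)
	fmt.Printf("wrapped key %d bytes, recovered %q\n", len(enc.WrappedKey), dec)
}
```

The victim side needs only the public key, which is why analysing the binary does not yield a decryptor: the per-file key exists in clear only in memory while the file is being encrypted, and every `WrappedKey` on disk is useless without the operator's private half. Recovery without payment therefore rests on backups or on an implementation flaw, not on the cipher. RSA-1024, as advertised for the Windows build, is below current minimum recommendations, but that does not give a victim a practical route to the key.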
Mar 2021: The second post, on 10 Mar 2021, advertised an upgraded version of the payload with support for multiple operating systems.
Darkside Leaks Website
On 10 May 2021 the Darkside leaks website carried a statement by the group indirectly asserting that the motives behind its attacks are purely financial and that it has no political affiliation. This came in the aftermath of large US technology companies appealing to the government to treat ransomware attacks as a national security issue.
Ransomware operators tend to buy their initial access from Initial Access Brokers (IABs) rather than breach targets themselves, which shortens the path to deployment (ref whitepaper “Rise of Initial Access Brokers”). CloudSEK Threat Intelligence researchers have observed a rising trend in the number of accesses being sought, bought, and sold for specific regions and countries, individually or in bulk. These accesses are then used to launch large-scale ransomware attacks.
Observations on access being sold or bought for multiple regions over various cybercrime forums in Q1 2021 are tabulated below.
| Region | Number of accesses |
|---|---|
Colonial Pipeline has not released an official statement on either the breach or the ransom demanded. According to open sources, the US government is working with Colonial Pipeline to mitigate the impact of the attack. CloudSEK Threat Intelligence will continue to track this incident as well as Darkside’s activities on cybercrime forums.